Gmail phishing scam is even fooling tech-savvy users


MOUNTAIN VIEW, Calif. — A new phishing scam on Gmail is fooling even some of the most tech-savvy users.

According to security expert Mark Maunder, the CEO of the WordPress security plugin Wordfence, the hacker sends an email that includes an attachment. When you click on it, you’re taken to what looks like a Gmail login page, Fox 59 reports.

However, it’s a fake. If you enter your email and password, you’re giving your login credentials to hackers, who then have complete access to your emails.

Sounds easy enough to avoid, right? Not exactly. The email looks like it comes from one of your contacts.

It might even have a subject line that looks authentic. The hackers, who have likely compromised your contact’s account, will even rename the attachment to something that appears plausible.

Once your account is compromised, the scammers use your contact list to send more of these emails in an attempt to harvest further login credentials.

Even the address shown in the browser’s address bar when you are redirected to the login page looks authentic:

Fake login page: data:text/html,https://accounts.google.com/ServiceLogin?

Gmail login page: https://accounts.google.com/ServiceLogin?

The fake login box looks like the one you’d really use.
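As an added illustration (not from the article, Wordfence or Google), the two address-bar strings quoted above are compared by parsing them rather than reading them by eye; the function names and `TRUSTED_LOGIN_HOST` are my own choices:

```python
# Added example: telling the spoofed address-bar string from the real one.
# The two strings below are the ones quoted in the article.
from urllib.parse import urlsplit

FAKE_LOGIN = "data:text/html,https://accounts.google.com/ServiceLogin?"
REAL_LOGIN = "https://accounts.google.com/ServiceLogin?"

TRUSTED_LOGIN_HOST = "accounts.google.com"  # assumed trusted sign-in host


def naive_check(url: str) -> bool:
    """A glance-style check: does the trusted host name appear anywhere?
    This is what the scam relies on; it passes the fake page too."""
    return TRUSTED_LOGIN_HOST in url


def strict_check(url: str) -> bool:
    """Parse the scheme and host instead of eyeballing the string.

    A genuine sign-in page is served over https from exactly the trusted
    host. A data: URI has no host at all; the URL-looking text after the
    comma is just the payload of an inline document the browser renders.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False  # rejects data:, http:, javascript: and friends
    return parts.hostname == TRUSTED_LOGIN_HOST  # exact host, no look-alikes


def explain(url: str) -> str:
    """Short verdict string, usable in a user warning or a log line."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() == "data":
        # data:<mediatype>,<payload>: the media type reveals an inline page
        media_type = parts.path.split(",", 1)[0] or "(none)"
        return f"inline {media_type} document, not a web address"
    if strict_check(url):
        return f"https page on {parts.hostname}"
    return f"{parts.scheme or '(no scheme)'} page on {parts.hostname or '(no host)'}"
```

`naive_check` accepts both strings, which is exactly why the spoof works on a quick glance; `strict_check` accepts only the genuine one.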

To combat this tactic, security experts say Gmail users should enable two-factor authentication, which gives an extra layer of security. Unless the scammers have access to your phone, they won’t have the access code to get into your account.

Experts say you should also look for the “lock” icon next to the address bar denoting a secure website. While it’s not a foolproof method because scammers sometimes host their pages on secure servers, it’s a common sense step to take.

If you think you’ve already fallen for the scam, you should change your Gmail password immediately.

“We’re aware of this issue and continue to strengthen our defenses against it,” Google said in a statement. “We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”
