We all know not to open attachments from email addresses we don’t recognize, but what if it’s from someone we know? Thanks to the latest Gmail phishing scam, you can’t even trust a familiar face.
WordPress security tool Wordfence is reporting a wide-scale attack on Gmail users:
The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.
You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there. It looks like this….
You go ahead and sign in on a fully functional sign-in page that looks like this:
Once you complete sign-in, your account has been compromised.
It’s that quick. From there, the attackers will use your account to send similar emails out to your contacts. And once they have access to your email account they can start infiltrating other personal data by resetting passwords or using your Gmail logins to access other sites.
How to Protect Yourself
This attack has blindsided even web security experts because of its sophistication. It’s trickier than your average phishing scam, but there are a few ways to protect yourself against it and similar attacks in the future.
Before signing in, always look for the green SSL lock in the URL bar. All Google products are served up over SSL. If it’s ever missing, don’t trust the site.
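The same check done programmatically, as an added example that is not part of the original article or of Wordfence's report: seeing accounts.google.com somewhere in the address is not enough, so the function parses the URL and requires both the https scheme and an exact host match. The function name, the trusted-host constant and the sample URLs (built on example.test) are constructed for illustration.

```javascript
// Added example: decide whether an address really points at Google's sign-in host.
// TRUSTED_HOST and checkSignInUrl are names chosen for this illustration.
const TRUSTED_HOST = 'accounts.google.com';

function checkSignInUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (err) {
    return { ok: false, reason: 'not a parseable absolute URL' };
  }
  // No TLS means no lock icon: reject anything that is not https.
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme is ${url.protocol} not https:` };
  }
  // Text before an "@" is a username, not the site being visited.
  if (url.username || url.password) {
    return { ok: false, reason: 'userinfo placed before the real host' };
  }
  // Compare the whole host name; a trusted name used as a prefix or
  // inside the query string does not count.
  const host = url.hostname.replace(/\.$/, '');
  if (host !== TRUSTED_HOST) {
    return { ok: false, reason: `host is ${host}` };
  }
  return { ok: true, reason: 'https and exact host match' };
}

// Constructed sample addresses; each contains the text "accounts.google.com".
const samples = [
  'https://accounts.google.com/ServiceLogin?service=mail',
  'http://accounts.google.com/ServiceLogin',
  'https://accounts.google.com.login.example.test/ServiceLogin',
  'https://accounts.google.com@example.test/ServiceLogin',
  'https://example.test/?continue=https://accounts.google.com/',
];

for (const s of samples) {
  const r = checkSignInUrl(s);
  console.log(`${r.ok ? 'TRUST ' : 'REJECT'} ${s} (${r.reason})`);
}
```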
You should also enable 2-step verification. Google will text you a code to your cellphone any time someone tries to log into your account using a new computer or device. It can go a long way in terms of stopping remote hackers from making it into your account.
While this tactic doesn’t exploit weak passwords, it’s always a good idea to revisit your passwords and make sure they’re secure.