No matter how we use our computers — all work, all play, or somewhere in between — it’s always a good idea to be vigilant about viruses, hacking and phishing. So much personal information is stored on these devices that a threat to our cyber security equals a threat to our privacy.
Just recently, a new phishing scam has been identified. This one targets Gmail. According to internet security specialists, the scam is so sophisticated that even tech-savvy users are being fooled by it.
Here’s how it works. As soon as a victim submits a password to log in to Gmail, the phishing team or phishing code (it’s unclear whether a group of hackers or a sophisticated automation script is behind the push) logs in to the victim’s Gmail account. From there, information from the victim’s contact list is gleaned, including contacts’ email addresses, recent email subject lines and attachments. This information is gathered for the second wave of the attack.
Once the criminals have the information from an account, they send emails to the victim’s contacts that appear to be from the victim. This is a major reason this recent attack has been so successful; emails are coming in to second-wave victims seemingly from someone they know. The emails sent to the first victim’s contacts include a thumbnailed version of an attachment. When the email recipient clicks on the thumbnail, it doesn’t open the Gmail previewer. Instead, a convincing Gmail login box is displayed. Here’s the trap.
Generally, a hacking or phishing attempt made through email uses malicious content that sends potential victims to a website, and that website can be blocked by protections like Google’s Safe Browsing system. That’s not the case with the newest scam. By clicking the attachment, second-wave victims load a full web page’s worth of code directly into the browser’s address bar, so there is no separate site to block. This code can compromise your cyber security and your private information.
So, how do you protect yourself from this newest threat to cyber safety? There are a few proven steps you can take to block foreign access to your Gmail account. First, enable the two-factor authentication feature in Gmail. Doing so means that would-be phishers would need access to both your password and your secondary authentication factor, whether that’s your phone or a USB cryptographic key. This stops phishers at the door, so to speak.
The second step is to always look for the lock icon in the address bar when you’re surfing the web. This feature tells you visually that the connection to the site is encrypted. While this feature is not foolproof, as attackers have found ways to mimic the lock icon or make the address bar look legitimate, it’s still a good idea to keep an eye on it while you’re online.
Does this scam sound familiar? If you think you’ve been a victim, there are two additional steps you should take to protect yourself going forward. The first is to change your Gmail password right away. Once that’s taken care of, navigate to the Gmail account activity page. This page shows every session currently logged in to your account. From here, you can sign out any sessions you don’t recognize.
Yes, it’s a bother, but better safe than sorry when it comes to your privacy – and that of your friends and business associates.
Cover Image: notoriousxl / Flickr