Things to Know to Avoid the Latest (Very Dangerous) Gmail Phishing Attack


As internet users, we have to constantly be on high alert when it comes to online security. Even with security measures like two-step verification and strong passwords that no one will ever guess (which even you might have a hard time remembering), it's not always enough protection.


You’re being targeted

There's a new phishing scam that has been targeting Google Gmail users recently, and experts are calling it "highly effective." Gmail users are being duped into divulging their login credentials, and they don't even realize they're doing it. The scam is so effective that even the savviest users are falling for it. Seriously: The attack is so legitimate-looking, it's very possible it might even fool you. And we know you're already pretty savvy.

Here's how it works

You receive an email from someone you know that contains what looks like an attachment. But it's not an attachment — it's an image made to look like one. When you click on it, it'll take you directly to a very convincing Gmail login page. But it's fake!

The entire scam was created by hackers to collect your password, compromise your Gmail account, and then use that access to compromise your other accounts and personal information, according to Forbes. If you fall for it, all of your personal information is at risk. But not just your info: the hackers then target your contacts and do the same thing to them. Except this time, the email will be even more believable because it comes from your account.

Twitter user Tom Scott posted an image of the attack, noting that even as a super savvy tech guy, he was almost fooled.

You might notice something seems off about the attachment in the email, but if you're distracted while checking your email (that's all of us, right?), it's very likely you'll fall victim to the scam as so many others have before you.

Remember: Whoever the email came from in the first place fell for it, so anything's possible.

How to avoid falling for the trick

Everything about the sign-in page looks completely authentic: the username and password entry fields, the tagline, and even the Google logo. But there's one clue that will tell you it's not legit: the browser's address bar.

The text in the address bar is a "data URI," not a URL. A data URI carries a file's contents inside the address itself, while a URL identifies a page's location on the web. So if you look closely at the address bar, you'll see a long run of characters: that is a script, embedded in the address, that builds a page designed to look like the Gmail login page.

[Screenshot: a browser address bar showing the data URI of the fake login page. Credit: Techwalla]

"The best way to identify this attack is to look at the address bar," Satnam Narang, Senior Security Response Manager at Norton by Symantec, told Refinery29. "In this case, look for the words 'data:/text/html' at the beginning of the URL. If you see this, close the browser tab and alert your friend that their account has been compromised."
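As an added illustration (not code from Techwalla, Norton, or Google), the check Narang describes can be written as a small function that inspects the address-bar string: anything with a `data:` scheme is inline content rather than a page served from a domain, so domain-looking text appearing after `data:text/html,` proves nothing. The names `classifyAddress` and `TRUSTED_LOGIN_HOSTS` are assumed, and the sample addresses are constructed for the demo.

```javascript
// Added example: classify what a browser address bar shows before credentials
// are typed. TRUSTED_LOGIN_HOSTS and classifyAddress are names assumed here.
const TRUSTED_LOGIN_HOSTS = new Set(["accounts.google.com"]);

function classifyAddress(href) {
  let url;
  try {
    url = new URL(href.trim()); // WHATWG URL parser, available in browsers and Node
  } catch (e) {
    return { verdict: "unparseable", reason: "not a valid URL or URI" };
  }
  if (url.protocol === "data:") {
    // Everything after "data:" is document content, not a location on the web.
    // The media type is the text before the first comma, minus parameters
    // such as ";base64"; an empty media type defaults to text/plain.
    const mediaType = url.pathname.split(",")[0].split(";")[0] || "text/plain";
    return {
      verdict: "phishing-suspect",
      reason: `data URI renders inline ${mediaType}; there is no server and no domain`,
      mediaType,
    };
  }
  if (url.protocol !== "https:") {
    return { verdict: "suspect", reason: `login page over ${url.protocol.slice(0, -1)}, not https` };
  }
  if (!TRUSTED_LOGIN_HOSTS.has(url.hostname)) {
    return { verdict: "suspect", reason: `host ${url.hostname} is not a known Google sign-in host` };
  }
  return { verdict: "ok", reason: `https to ${url.hostname}` };
}

// Constructed sample addresses (no real phishing payload): the third one shows
// that a data URI's body can contain text that merely looks like a Google URL.
const SAMPLE_ADDRESSES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "data:text/html,%3Ch1%3ESign%20in%3C%2Fh1%3E",
  "data:text/html,https://accounts.google.com/ServiceLogin%20%20%20%3Cscript%3E",
  "https://accounts.google.com.example.net/login",
];
for (const a of SAMPLE_ADDRESSES) {
  const r = classifyAddress(a);
  console.log(`${r.verdict.padEnd(17)} ${r.reason}`);
}
```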

In a statement about the attack, a Google spokesperson told Fortune, "We're aware of this issue and continue to strengthen our defenses against it. We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection."

Protect yourself with two-step verification

Two-step verification helps here because, even if someone has your password, they would also need the Google verification code sent directly to your device before they could get into your account. Find out how to set up two-step verification here.

In the meantime, be on the lookout for suspicious emails. Your safest bet is to simply avoid clicking on any attachments you aren't sure about, which is a pretty solid rule of thumb in general.
