Last week, news broke about a phishing attack targeting Gmail users. It’s said to be one of the most sophisticated phishing campaigns in the past year, as even several tech-savvy individuals fell for the scam. What do you need to know to keep yourself safe from this scheme? Continue reading as we break down the details behind this phishing scam, tell you exactly how to avoid it and note important cybersecurity takeaways for consumers.

What is known about the Gmail attacks?

On Thursday, Jan. 12, Mark Maunder, CEO of the cybersecurity company Wordfence, wrote a blog post detailing the phishing attack. According to the post, the campaign has apparently been ongoing over the course of the past year and has likely affected a broad range of demographics. Then on Tuesday, Jan. 17, Google released a statement, which was added to Maunder’s post, stating it was “aware of this issue” and will “continue to strengthen [its] defenses … ” While neither the orchestrators of the Gmail phishing campaign nor their goals are known, there is something all Google users should understand: a single Google account uses the same login across services, meaning that this attack could compromise anything from a user’s Google history or Drive files to their YouTube account and email. The attacks appear to be part of a mass, generic campaign, but what is most interesting is that their sophistication resembles a spear phishing campaign, in which a single group or individual is targeted and duped with information that’s personally relevant to them.

How does the Gmail phishing scam work?

Victims reportedly receive the phishing emails from their own friends, most likely friends who had themselves been phished earlier. A student who fell victim to this scam elaborated on how it worked. He stated that once someone is compromised, the phishers comb through the victim’s mailbox to harvest real attachment names, subject lines and email signatures. They then use these to construct extremely plausible fake emails for new victims, who are likely people who have corresponded with the first victim about the very topics that appear in the fake messages. Information shared by another victim seems to corroborate these details.

The phishing email sent to victims contains a PDF “attachment” that is actually an image embedded in the email body and wrapped in a malicious link. Clicking the fake attachment sends users to a fake Google login page, with the kicker being that the address bar is made to show what looks like an HTTPS URL. We’ve talked in-depth about how HTTPS pages are more secure than standard HTTP pages, which is still the case; however, it seems now that hackers are using that knowledge to their advantage. At least one of the tech-savvy victims says he fell for the scam partly because he saw “https” in the URL bar of his browser.

How can you protect yourself from this and similar scams?

As frightening as the Gmail phishing campaign might be, users of Gmail accounts and other potential victims of another phishing scam have a number of ways to ward off these attacks.

1. Make sure the page is really using HTTPS. Although we mentioned that this phishing scheme imitated a secure HTTPS page, Greggman (the victim mentioned above) notes on his page that there were telltale signs the “https” marker was inauthentic. First, while the URL contained “https”, the address itself began with something other than http:// or https://. Genuine web addresses always begin with either http:// or https://, as shown below:

[Image: Gmail phishing – browser address bar showing a genuine https:// URL with a padlock]

Second, the browser did not display a padlock or any green coloring. If a website is using HTTPS encryption, it will likely show either a green padlock (as shown above) or green text with the name of the website owner or its certificate authority. The display differs slightly from browser to browser, but the idea of using the color green and/or a padlock is fairly universal. For information about the warning system or malware protection your specific browser uses, visit the Settings section of your browser.
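To make the URL check above concrete, here is a small Python function that applies both tests: the address must actually begin with the http or https scheme (not some other scheme whose text merely contains “https://”), and the hostname must be the site you intended to visit, not a lookalike. This is an added example written for this post, not code from Wordfence, Google or any of the victims quoted above; the expected host list and every sample URL below are constructed for illustration.

```python
"""Classify a link the way a careful reader of the address bar would.

Added example (not from the original post). The scheme check catches URLs
that only *contain* the text "https://" somewhere after a different scheme;
the host check catches lookalike domains. All sample values are constructed.
"""
from urllib.parse import urlsplit

# Assumption for this example: the hosts a genuine Google sign-in page uses.
EXPECTED_LOGIN_HOSTS = frozenset({"accounts.google.com"})


def classify_url(url: str, expected_hosts=EXPECTED_LOGIN_HOSTS) -> str:
    """Return 'ok', 'bad-scheme', 'wrong-host' or 'not-https'.

    Checks run in the order a reader should apply them: is the address really
    an http(s) URL at all, is it on the host I expect, and is it encrypted?
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # e.g. a data: or javascript: address whose *text* contains "https://"
        return "bad-scheme"
    host = (parts.hostname or "").lower()
    if host not in expected_hosts:
        # urlsplit gives the real host, so "accounts.google.com.evil.example"
        # and "accounts.google.com@evil.example" are both rejected here
        return "wrong-host"
    if scheme != "https":
        return "not-https"
    return "ok"


def explain(url: str) -> str:
    """Human-readable verdict for one URL, useful when eyeballing a suspicious link."""
    reasons = {
        "ok": "scheme is https and the host is the one expected",
        "bad-scheme": "address does not begin with http:// or https://",
        "wrong-host": "host is not the site you intended to sign in to",
        "not-https": "correct host, but the connection is plain http",
    }
    verdict = classify_url(url)
    return f"{verdict}: {reasons[verdict]}"


if __name__ == "__main__":
    # Constructed samples: one genuine-looking address and three deceptive ones.
    samples = [
        "https://accounts.google.com/signin",
        "data:text/html,https://accounts.google.com/ServiceLogin",
        "https://accounts.google.com.evil.example/signin",
        "http://accounts.google.com/signin",
    ]
    for sample in samples:
        print(f"{sample[:60]:<60} -> {explain(sample)}")
```

Note that only the parsed hostname is compared, never the raw string: a URL that starts with a non-http scheme and then spells out “https://accounts.google.com” is reported as bad-scheme, and a host that merely begins with the expected name is reported as wrong-host.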

2. Be leery about login/sign-in pages (especially after redirects). Fake sign-in pages are the bread and butter of phishing schemes. While sign-in pages alone shouldn’t arouse suspicion, you should be wary of links that direct you to a sign-in page from your email or an unrelated website. You should only sign in through links that you naturally navigated to yourself — meaning you typed in the URL or found it through a trusted search engine. If clicking on an attachment or link, especially in an email, leads you to a sign-in page, you should proceed with caution, as it may not be the authentic page you intend to visit.

3. Use Two-Factor Authentication (2FA). Although there has been some concern about the security of this method, the fact of the matter is that two-factor authentication is one of the best tools you have for preventing unauthorized account access. Two-factor authentication means two conditions must be met to log into your account. First, your password must be correct, and second, you’ll have to confirm your identity through a secondary method such as a code texted to you. Since this form of verification relies on another device or connection, it’s much harder for someone without physical access to that device to get into your account. Similarly, if your password is ever leaked through a phishing scam, data breach or otherwise, you’ll receive a verification code you didn’t ask for — a dead giveaway that someone attempted to access your account and that you should change your password immediately.

4. Check in with contacts. If an email makes you do a double take, instead of trying to judge its authenticity on your own, simply contact the party the message purportedly came from and ask whether they sent it. Even though it may occasionally be a little awkward, calling or sending a new email to the sender (not replying directly to the message in question) can save you a lot of trouble in the long run.

What are the general takeaways?

Scams are a near-ubiquitous part of the Internet experience, but you don’t have to fall for them. There are three critical lessons that all consumers should learn from this Gmail phishing scam. First, not all attachments can be trusted even if they’re sent by someone you know, which is why it’s always best to check with the person before opening anything that looks off. Next, checking for HTTPS is not always enough; look at the whole URL and confirm that it starts with http:// or https://. Finally, two-factor authentication is a helpful safeguard that makes it much harder for thieves to make off with your information. Another thing to keep in mind is the browser you’re using — make sure it is modern and up to date, so that it can warn you when a page lacks an authentic HTTPS connection through icons like the padlock mentioned above. These lessons are important not just for fighting this phishing scam, but also for fighting many other types of online threats.

For more information about phishing scams and cybersecurity, follow our technology blog.