Heads Up: Effective Gmail Phishing Scam Hitting Business Customers
Anyone with a little bit of tech savvy can spot a standard phishing scam - the sender address has nothing to do with the service it claims to be from, and the URL you are being directed to looks just as unrelated. Most of us just delete these - if they don’t get caught in our spam filters first - and move on with our lives.
However, a new phishing scam that directly targets Gmail has slipped past spam filters and fooled people who usually spot phishing on sight. For the security of your business, it’s important to be on the watch for it and to know what Google will and won’t ask you for when protecting your account.
Phishing 101 - What Is Email Phishing?
For the people among us who can’t claim tech savviness, phishing is when an attacker tries to trick you into handing over personal information - most often your login credentials - through an email, an ad or a malicious site. You will usually have to click on something and then type in the details you use to sign in to your Google account, your bank account or another private site. With most phishing scams, you can tell it’s a scam because the email comes from a sender unrelated to the service it is pretending to be (e.g. an email that is supposed to be from yourbank.com actually comes from email@example.com).
Additionally, the information the page asks for is something your service would never ask for in order to log you in, and the URL of the page you are typing it into isn’t on your service’s domain at all (e.g. what should be login.yourbank.com is actually yourbank.sassafrass.com - the real domain is the part just before the path, and "yourbank" appearing somewhere in the address means nothing). A good rule of thumb: if you arrived at a login page by clicking something in an email, treat it as suspect. Only sign in through conventional means - in the case of Gmail, that means typing gmail.com into your browser yourself.
What Makes This Phishing Scam so Special?
This particular phishing scam is insidious because the email genuinely comes from a friend’s or colleague’s account - only it isn’t your friend sending it. Their account has been compromised, so the usual sender check passes. The attackers grab the victim’s contact list and send each contact a message leading to a fake Google login page. The page’s address is padded with whitespace so that what you see in the address bar looks like a legitimate google.com URL; the part that gives it away is pushed out of view unless you inspect the address very closely. The check that defeats it: a real Google sign-in page is served over https with google.com as the actual host name (e.g. accounts.google.com) and your browser’s secure-connection indicator next to it. If there is anything in front of "https://", any extra text after the google.com host, or no secure-connection indicator, it is not Google’s page, no matter whose account the email came from.
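Both rules above (the host must really be on the service’s domain, and nothing may be padding or hiding the address) can be checked mechanically. The following is an added example, not code from the original post or from Google: a small Python URL sanity check that a help desk or security team could run over links reported by users. The trusted-domain table, the `yourbank` placeholder and every sample URL are constructed for illustration; the padded sample imitates the whitespace trick the post describes and is not a copy of a real phishing address.

```python
"""Added example (not from the original post): a URL sanity check that applies
the post's two rules - the host must really be on the service's domain, and the
address must carry no whitespace padding or non-https scheme that could hide
what comes after a trusted-looking name.  All sample data is constructed."""
from urllib.parse import urlsplit

# Domains we are willing to enter credentials on, per service.
# "yourbank.com" is the post's placeholder, not a real bank.
TRUSTED_DOMAINS = {
    "google": {"google.com"},
    "yourbank": {"yourbank.com"},
}


def host_is_on_domain(host: str, domain: str) -> bool:
    """True only if host is exactly the domain or a subdomain of it.

    'notgoogle.com' or 'google.com.evil.example' must NOT pass, which is why
    we compare against '.' + domain rather than the bare string."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_login_url(url: str, service: str) -> tuple[bool, str]:
    """Return (ok, reason) for a URL someone is about to type a password into."""
    # Padding with spaces/tabs/newlines is the trick described in the post:
    # a legitimate-looking prefix is shown and the rest is pushed out of view.
    if any(ch.isspace() for ch in url):
        return False, "address contains whitespace (padding can hide the real destination)"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme is '{parts.scheme or 'none'}', not https"
    host = parts.hostname or ""
    if not host:
        return False, "no host name in address"
    for domain in TRUSTED_DOMAINS[service]:
        if host_is_on_domain(host, domain):
            return True, f"host {host} is on trusted domain {domain}"
    return False, f"host {host} is not on a trusted domain for {service}"


def audit(samples: list[tuple[str, str]]) -> dict[str, bool]:
    """Run the check over (url, service) pairs; returns url -> ok."""
    return {url: check_login_url(url, service)[0] for url, service in samples}


# Constructed sample links, as a help desk might receive them from users.
SAMPLE_LINKS = [
    ("https://accounts.google.com/signin", "google"),            # genuine
    ("https://login.yourbank.com/", "yourbank"),                 # genuine
    ("https://yourbank.sassafrass.com/login", "yourbank"),       # lookalike from the post
    ("http://accounts.google.com/", "google"),                   # plain http
    ("https://google.com.evil.example/", "google"),              # trusted name as a subdomain
    # Imitation of the whitespace-padding trick: a trusted-looking prefix,
    # 40 spaces, then the real (constructed) destination.
    ("https://accounts.google.com/ServiceLogin" + " " * 40 + "https://phish.example/", "google"),
]

if __name__ == "__main__":
    for url, service in SAMPLE_LINKS:
        ok, reason = check_login_url(url, service)
        print(("OK     " if ok else "REJECT ") + repr(url[:60]) + "  -> " + reason)
```

The important design point is that the domain test is anchored to the end of the host name. Matching on "google.com appears somewhere in the link" is exactly the mistake this scam exploits, so the check uses the parsed host only and treats any whitespace in the address as disqualifying on its own.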
Avoid Getting Hacked with 2-Factor Authentication
The first step is to set up 2-factor authentication (Google calls it 2-Step Verification) if you don’t have it enabled on your account yet. If you’re a systems administrator, this phishing scam is a good reason to enforce it for every Google user in your organization rather than leaving it optional. It means a password alone is not enough to log in: you also need a second piece of information, such as a code from your phone or a security key. It’s very simple for the user and stops an attacker who has only stolen the password. One caveat worth knowing: a phishing page that asks for the one-time code as well and relays it in real time can still get through with SMS or app-generated codes, whereas a hardware security key only works on the genuine google.com site, so it is the phishing-resistant option where you can deploy it. Google has a how-to guide to set it up here.
The other simple habit is to never log in to your Google account from a link you’ve clicked; instead, always type the URL into your browser (e.g. gmail.com or drive.google.com) and log in that way. The only obvious exception is a password-reset or account-recovery link that you requested yourself moments earlier; even then, check that the address really is on accounts.google.com over https and that the email genuinely came from Google before you sign in.
If you are a G Suite systems administrator, Google has a helpful guide on how to keep your users from falling for phishing scams here.
If you would like to keep your email and other business software secure, contact UpCurve Cloud today. We’re experts at ensuring that systems are secure and your services can’t be compromised.