If you have a Gmail/Google sign in, listen up (and don’t open any attachments until you read on).
But even if you don’t have a Google login, this kind of technique could be used for other services so keep reading.
1. You get an email from someone you know. Of course, it only LOOKS like it’s from someone you know. Either their email account was hacked, or an email address was created in their name so it looks truly legit.
2. The email has an attachment that also looks real. Something that appears to be a standard file format like a PDF or Word document. There’s even a preview of the attachment (see image below from Tom Scott).
Here’s where the scammers got extra clever: it’s not actually a preview, nor is it a real attachment. The “preview” is an embedded image that redirects you elsewhere on the web.
3. When you click on the “preview” you’re taken to a Google sign-in page to enter your username and password—BUT IT’S NOT THE REAL GOOGLE LOGIN PAGE.
It looks just like the actual Google sign-in page (image courtesy of Gregg Man), but when you enter your credentials they will be stolen. (And of course, once your account is stolen, the scammers can use your email account to keep their thievery going.)
What makes this scam extra sneaky is that, even if you glance at the web address (just like you should) it looks “real enough” to pass. Only if you look very closely will you notice the slightly odd prefix before “accounts.google”—and even then, those characters aren’t a giant red flag for most of us.
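The habit the post is recommending, looking past whether a familiar name appears somewhere in the address to what site the browser is actually on, can be written down as a check. The script below is an added example for this post, not something from the original article or from Google; it uses Python's standard `urllib.parse` to pull the scheme and hostname out of an address and flags the cases a careful reader would catch: no `https`, no real host at all (which is what you get when the "page" is smuggled in through a prefix rather than served by a website), a host that is not under `google.com`, and the lookalike case where `accounts.google` shows up in the text of the address but is not the host. The sample addresses are constructed for the example, modelled on the kind of prefixed or lookalike address the post describes, and treating only `google.com` and its subdomains as trusted is an assumption for illustration.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption for this example: a real Google sign-in page lives on google.com
# or one of its subdomains. Anything else is treated as untrusted.
TRUSTED_SUFFIXES = ("google.com",)


def host_is_trusted(hostname: str) -> bool:
    """True if hostname is a trusted domain or a subdomain of one.

    The comparison is on whole labels, so 'accounts.google.com.example.net'
    does not pass just because it contains 'google.com'.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == s or hostname.endswith("." + s) for s in TRUSTED_SUFFIXES)


def check_login_url(url: str) -> list[str]:
    """Return a list of warnings; an empty list means the address passes every check.

    The checks mirror what to look for in the address bar before typing a
    password: the scheme must be https, there must be a real host, and that
    host (not just some text somewhere in the address) must be trusted.
    """
    warnings: list[str] = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname  # None for data:, javascript: and similar schemes

    if scheme != "https":
        warnings.append(f"scheme is '{scheme or '(none)'}', not https")
    if host is None:
        warnings.append("no hostname at all: the page is not being served by any site")
    elif not host_is_trusted(host):
        warnings.append(f"hostname '{host}' is not under a trusted domain")

    # The lookalike trick: the familiar name is in the address, but it is not
    # the site you are actually on.
    if "accounts.google" in url.lower() and (host is None or not host_is_trusted(host)):
        warnings.append("'accounts.google' appears in the address but is not the site you are on")
    return warnings


# Constructed sample addresses (not taken from any real phishing email).
SAMPLES = [
    "https://accounts.google.com/signin/v2/identifier",             # genuine
    "data:text/html,https://accounts.google.com/ServiceLogin",       # prefix before accounts.google
    "https://accounts.google.com.example.net/login",                 # lookalike subdomain
    "http://accounts.google.com/",                                   # right host, no https
]


def audit(urls: list[str]) -> dict[str, list[str]]:
    """Run check_login_url over several addresses and map each to its warnings."""
    return {u: check_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, problems in audit(SAMPLES).items():
        verdict = "OK" if not problems else "SUSPICIOUS"
        print(f"{verdict:10} {url}")
        for p in problems:
            print(f"           - {p}")
```

The point of the `host_is_trusted` check is that string containment is not enough: the browser decides which site you are on from the hostname alone, so the function compares whole domain labels rather than asking whether the address "contains google". The second sample shows why the post says the prefix matters: once the scheme is not `https` there is no hostname at all, and whatever follows the prefix is just text.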
Seriously, this scam is so good, it’s even tricked folks in the tech industry.
What can you do?
- Stay vigilant. Sorry, but this is always your first line of defense. Scammers are always working to try and trick you, so you’ve got to stay on your toes.
- Update Chrome. Google has updated Chrome to help you spot fake forms like this by displaying a “Not Secure” warning when pages like this load…but of course there are other browsers. Take this opportunity to make sure you’re running current versions of all your browsers. Using the latest-and-greatest versions means you’ll benefit from any security patches and fixes.
- Turn on two-factor authentication. It may not be a guarantee against this scam (if you forget you have it set up and “sign in” anyway, it’s not going to help!), but it’s still a good idea in general. Two-factor authentication means that, in addition to your password, you need an extra, unique code—usually sent via text or an app—to get into your account. Here’s how to do it with Google.
This scam has been popping up in the news here and there for months, but based on recent stories, it’s not going away. Keep your eyes open and stay safe out there!