A Gmail scam that seems so authentic, it’s even tricking some of the most experienced security experts.

Yet another effective phishing scam is being distributed to users' inboxes, and it is so effective that even security experts admit it almost fooled them. Mark Thaunder, boss of WordPress security plug-in WordFence, discovered the scam and said it is having a “wide impact even on experienced technical users”. What makes the scam so effective is that the email appears in the user's inbox as coming from one of their Gmail contacts, asking them to click on a link that directs them to a very authentic-looking Gmail login page. Signing in would give scammers full access to the user's Gmail account and also help them distribute the scam even further.

How did Mark Thaunder spot that it was a scam?

Although the page that Mark was redirected to was almost identical to a Gmail login page, he was experienced enough to check everything before signing in. What didn’t fool Mark was the URL of the page he was redirected to. Firstly, there was no green padlock before the address. The green padlock identifies all websites and pages that are verified as safe, something that the websites of all major corporations like Google, Facebook, Amazon etc. will have. Secondly, the URL for the Gmail login page always begins with ‘https://accounts.google.com’. Mark spotted that the URL of this particular page began with ‘data:text/html,https://accounts.google.com’, confirming that this was not a genuine Gmail login page. See below an example of a safe URL…

[Image: example of a safe URL]
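The address check Mark applied can also be written as code. This is an added example, not part of the original article: the function name `checkLoginUrl` and every sample URL other than the two quoted above are constructed, and it goes slightly beyond the article by also rejecting other lookalike addresses that fail the same test.

```javascript
// Added example: decide whether an address-bar URL really is the Gmail sign-in page.
// EXPECTED_ORIGIN is the prefix quoted in the article; checkLoginUrl is a hypothetical name.
const EXPECTED_ORIGIN = 'https://accounts.google.com';

function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim()); // WHATWG parser, the same rules browsers use
  } catch (e) {
    return { genuine: false, reason: 'not a parseable absolute URL' };
  }
  // The case from the article: the genuine address appears only as text inside a data: URI.
  if (url.protocol === 'data:') {
    return { genuine: false, reason: 'data: URI, the page content is carried in the link itself' };
  }
  if (url.protocol !== 'https:') {
    return { genuine: false, reason: 'scheme is ' + url.protocol + ' rather than https:' };
  }
  // Anything before "@" is a username, not the site being visited.
  if (url.username || url.password) {
    return { genuine: false, reason: 'text before "@" is a username; real host is ' + url.hostname };
  }
  // Compare the whole origin (scheme + host + port), never a substring or prefix.
  if (url.origin !== EXPECTED_ORIGIN) {
    return { genuine: false, reason: 'host is ' + url.host };
  }
  return { genuine: true, reason: 'https scheme and exact host match' };
}

// Constructed sample addresses, except the first two, which are quoted in the article.
const SAMPLES = [
  'https://accounts.google.com',
  'data:text/html,https://accounts.google.com',
  'http://accounts.google.com/signin',
  'https://accounts.google.com.login.example/signin',
  'https://accounts.google.com@login.example/signin',
];

function classifySamples() {
  return SAMPLES.map((s) => ({ url: s, ...checkLoginUrl(s) }));
}

for (const r of classifySamples()) {
  console.log((r.genuine ? 'GENUINE ' : 'REJECT  ') + r.url + '  (' + r.reason + ')');
}
```

A plain "starts with" or "contains" test on the string would accept the last two samples; comparing the parsed origin is what rejects them.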

What can you do to prevent being scammed?

Google have confirmed that they have recognised the scam and are working to strengthen defences against it. For now, they have asked all Gmail users to activate ‘two-step authentication’, which sends users a text or an email to a secondary account to confirm activation on a new device. You should also ensure you are taking all the correct security steps when clicking on links or downloads from emails:

  • Do you recognise the sender's address?
  • Can you spot any spelling mistakes or bad grammar?
  • Before clicking on any links, hover your mouse over them. Do you recognise the address?

 

To learn more about phishing scams and how to be aware of them, make sure you check out the Cyber Wise website. Our blogs and alerts will keep you up to date with all the latest phishing scams and attacks, and will teach you how to identify potentially dangerous emails.