Time to change your passwords, again. Well, if you’re a Gmail user anyway. A new phishing scheme, targeting Gmail users, aims to use your contact list against you by putting together a legitimate-sounding email from the contents of your inbox in an effort to compromise the accounts of your friends, family, and co-workers.
It sounds complicated, but the sophisticated attack is deceptively simple. Let’s start at the top. Just like any other phishing attempt, you’ll receive an email in your inbox, but it will look like it’s from one of your contacts — it will have details that other phishing emails don’t.
Instead of hawking male enhancement pills or fake package delivery notifications, this one will be from a friend or family member, it’ll include a plausible subject line and may include an attachment from that contact’s email box.
Clicking the attachment, which may be an image, will take you to what appears to be a Gmail login page. You input your information, and your account is immediately compromised. The scammers will then use your email address to try and hook another victim from your contact list, using the same technique.
Why is this phishing scam a bigger deal than the others currently out there? Well, Wordfence points out that it’s been around for about a year, but lately, experienced, tech-savvy users have been falling prey to this attack. Because it’s so custom-tailored, and because it’s a bit more subtle than other phishing attempts, it’s a tough one to spot.
After all, Gmail does a pretty good job of diverting dangerous emails from your inbox, but these ones come from your contacts, people who you likely know or work with, so they’re able to bypass standard spam protections.
Luckily, there are some surefire protections you can use. First, as is always a good idea, change your password, and enable two-step verification. Now would be a good time to start using a password manager like LastPass.
Now on to the actual phishing scam itself. If you click any link or attachment in an email and Gmail prompts you to re-enter your credentials, stop, and double-check your URL or address bar.
The beginning portion of the URL should read “https://accounts.google.com” but if it reads “data:text/html” before the HTTP portion of the URL, do not enter your credentials. Close the site, clear your cache, report the email, and change your password just to make sure.