If you have a Gmail account, you need to be aware of a scary new scam that’s tricking people into handing over their login credentials.
What makes this scam particularly scary is that the criminals have found a way to send it from someone in the victim’s contact list.
Beware of new Gmail scam that will steal your info
According to tech security site WordFence, the message comes from the email account of someone you know — someone whose account has already been compromised.
The email contains image attachments that appear to be PDF files, and when you click on the attachment, a new tab opens and prompts you to log into your Gmail account again.
The new tab then shows ‘account.google.com’ and appears to be a fully functioning and safe Google page — when in fact, it’s a fake scam site set up by hackers.
According to WordFence:
“The attackers log in to your account immediately once they get the credentials, and they use one of your actual attachments, along with one of your actual subject lines, and send it to people in your contact list. For example, they went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team.”
Once the hackers have access to your account, they can download your emails and access any other information stored in the account.
According to TechTimes, ‘The trick to identify the bug lies in careful scrutinization of the address bar. The bug hides in plain sight but doesn’t get detected, as most users think that the webpage is Google’s protected login page after seeing ‘accounts.google.com’ in the address bar.’
‘The hackers use a phishing method known as URI or data uniform resource identifier. The URI method is used to attach a data file in the location bar in front of ‘https://accounts.google.com.’ The data file ‘data:text/html’ is attached in front of the host name, which opens up the fake login page.’
How to protect yourself from the Gmail scam
Here’s what TechTimes suggests for avoiding this particular scam:
- Users should make sure that there is nothing in front of the host file name, and should verify the protocol and the host name.
- Also enabling the two-step authentication available for Gmail can stop the attack from taking place as the hacker would need the OTP (One Time Password) required for completing the login.
If you think you may have already fallen victim to the scam, change your Gmail password immediately. Then go to your account activity page and end any current sessions that you don’t recognize.
More tips to avoid common phishing scams
Phishing is a way for criminals to carry out identity theft by using fake websites, emails and robocalls to try and steal your personal information — including passwords, banking info, Social Security number and other sensitive data.
Here are a few ways to avoid these types of scams:
- When it comes to spotting potentially-dangerous websites, before you go to an unknown site, double-check the spelling of the web address/URL by first doing a search for it. The site could be a fake scam site, and in some cases, criminals have created fake sites by using common misspellings of popular websites.
- If you receive an email claiming to be from your bank or other company that has your personal information, don’t click on any of the links. It could be a scam. Instead, log in to your account separately in a new window to check for any new notices. You can also call the company directly to ask about the information sent via email.
- Don’t click on any links in an email you weren’t expecting. Do a search about whatever the sender claims to want or be offering you to make sure it’s legitimate. If you aren’t sure, do a search for the company and then call them directly.