Don’t Fall for This New Gmail Phishing Scheme

If you receive what looks like a legitimate security alert from Google, do not act on it until you have verified it. Fraudsters are abusing weaknesses in how Google generates and signs its own notification emails, so their phishing messages pass authentication checks and look convincing enough to steal the credentials of unsuspecting users. Here’s how to protect yourself.
How the New Gmail Phishing Scam Works
As Android Authority reports, a developer named Nick Johnson recently received a phishing email with the subject line “Security Alert.” The message was sent from no-reply[at]accounts.google.com and signed by accounts.google.com, so it appeared to be a legitimate email directly from Google. However, the message linked to a fake Google support page hosted on sites.google.com, which prompted visitors to “download additional documents” or “view the case.” Either option led to a fake Google login page that asked for account credentials, which the scammers then collected.
According to Johnson, two weaknesses make this scam possible. First, Google lets anyone host pages on a google.com subdomain through Google Sites, which lends the phishing page an appearance of legitimacy. Second, the attackers registered a domain, tied it to a Google account, and created a Google OAuth application whose name was the text of the phishing message. When they granted that application access to their own Google account, Google sent them a genuine “Security Alert” notification containing the application name, signed with Google’s own key. Because the signature covers the message itself, the attackers could forward that exact message to victims and it would still pass authentication checks. Note that although the email was signed by accounts.google.com, it was relayed to victims through Privateemail.com mail servers, not Google’s.
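The following is an added example, not code from the article or from Google, showing how a mail administrator or analyst could triage a message like the one described above. Because the replayed alert was really signed by Google, a DKIM check legitimately passes; the tell is the delivery path (the last hop before the recipient's server is a third-party forwarder rather than Google's own relays) and links that land on user-hosted sites.google.com content. The two sample messages, every hostname and IP in them, the list of Google relay suffixes, and the list of user-content hosts are all constructed assumptions for illustration.

```python
"""Header triage for a replayed Google notification (added example).

A DKIM replay reuses a message Google really signed, so dkim=pass is genuine.
The signals are the delivery path and where the links actually point.
Every header, hostname and address below is constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hostnames under these suffixes are Google's own outbound mail relays.
GOOGLE_RELAY_SUFFIXES = (".google.com", ".googlemail.com")
# Assumption: Google hosts that serve user-uploaded content and so can carry phishing pages.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}

# Constructed sample modelled on the reported scam: valid-looking signature, relayed via a forwarder.
REPLAYED_RAW = """\
Received: from fwd-04-1.fwd.privateemail.com (fwd-04-1.fwd.privateemail.com [198.51.100.10]) by mx.example.net with ESMTPS; Tue, 15 Apr 2025 10:00:00 +0000
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com [209.85.220.69]) by mx.privateemail.com with ESMTPS; Tue, 15 Apr 2025 09:59:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=20230601; h=from:to:subject:date; bh=c0nstructed=; b=c0nstructed=
Authentication-Results: mx.example.net; dkim=pass header.d=accounts.google.com; spf=pass smtp.mailfrom=privateemail.com
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security Alert
Content-Type: text/plain

Review the case here: https://sites.google.com/view/legal-support-case
"""

# Constructed control: a genuine alert delivered straight from Google to the recipient.
DIRECT_RAW = """\
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com [209.85.220.69]) by mx.example.net with ESMTPS; Tue, 15 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=20230601; h=from:to:subject:date; bh=c0nstructed=; b=c0nstructed=
Authentication-Results: mx.example.net; dkim=pass header.d=accounts.google.com; spf=pass smtp.mailfrom=accounts.google.com
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security Alert
Content-Type: text/plain

Review activity here: https://accounts.google.com/notifications
"""


def analyze(raw: str) -> dict:
    """Return the header signals and a heuristic verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)

    # Domain the signature covers, from the d= tag of the DKIM-Signature header.
    sig = str(msg.get("DKIM-Signature", ""))
    m = re.search(r"\bd=([^;\s]+)", sig)
    dkim_domain = m.group(1).lower() if m else None

    # Whether the receiving server actually verified that signature.
    ar = str(msg.get("Authentication-Results", ""))
    dkim_pass = re.search(r"\bdkim=pass\b", ar) is not None

    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    # Each hop prepends a Received header, so the first one is the last hop before us.
    received = [str(h) for h in msg.get_all("Received", [])]
    hop = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    last_hop = hop.group(1).lower() if hop else None
    last_hop_is_google = bool(last_hop) and last_hop.endswith(GOOGLE_RELAY_SUFFIXES)

    # Links in the body that land on Google-hosted user content rather than Google itself.
    body = msg.get_payload()
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    user_hosted_links = [u for u in urls if urlparse(u).hostname in USER_CONTENT_HOSTS]

    # A valid signature for the From: domain arriving via a non-Google relay is the replay pattern.
    replay_suspected = dkim_pass and from_domain == dkim_domain and not last_hop_is_google
    return {
        "dkim_domain": dkim_domain,
        "dkim_pass": dkim_pass,
        "from_domain": from_domain,
        "last_hop": last_hop,
        "dkim_replay_suspected": replay_suspected,
        "user_hosted_links": user_hosted_links,
        "verdict": "suspicious" if (replay_suspected or user_hosted_links) else "no replay indicators",
    }


if __name__ == "__main__":
    for name, raw in (("replayed", REPLAYED_RAW), ("direct", DIRECT_RAW)):
        print(name, analyze(raw))
```

The check deliberately does not re-verify the DKIM signature: in a replay the signature is cryptographically valid, which is exactly why Gmail displayed the message as "signed by" Google. Only the last Received hop and the link targets distinguish the replayed copy from the original, and a forwarder that rewrites or strips headers can defeat the first of those, so treat the result as a triage signal rather than proof.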
This isn’t the first time a phishing scheme has been sent from a genuine company address, which makes the spoof much harder for users to spot. Earlier this year, scammers abused PayPal account settings to send fraudulent purchase notifications from a real [at]paypal.com address.
How to recognize and avoid phishing emails
Phishing emails are harder to detect when they come from a real or recognizable email address (at least at first glance), since a misspelled sender address is usually the first sign of a scam. Generally speaking, think twice before acting on any message that is urgent or emotional, even if it appears real.
If you receive an email like this from a company you know and use, do not click the links or download the attachments, even if the message appears legitimate. Look at where a link actually points before you trust it: in this case it went to sites.google.com, where anyone can host a page, rather than to accounts.google.com. Instead, go directly to the company’s website by typing its URL yourself, and check its official social media accounts or customer service channels for any alerts about the message you received, especially if it concerns security, account recovery, or your personal information.