Gmail users are being targeted by a new phishing scam that has been fooling even the most informed tech enthusiasts.
As Mark Maunder, CEO of Wordfence, explains, users are being sent an email with an attachment which, when clicked, opens a new window to what looks like a Gmail login page.
The page is, of course, a fake, and entering your login details will immediately send them to the hackers behind this latest email scam.
But what’s most troubling about the email is that the hackers have managed to make it look like it comes from one of your own contacts – i.e. someone they’ve already hacked.
The subject of the email will likely be based on a subject you’ve discussed with the contact previously, and the name of the attachment will probably have been given a convincingly familiar title.
What’s more, the URL that opens when you click the attachment looks very similar to the legitimate Google login page address.
While the official URL is “https://accounts.google.com/ServiceLogin?”, the fake address appears as “data:text/html,https://accounts.google.com/ServiceLogin?”
The convincing login page looks almost identical to the official version, too, making this a particularly effective hoax.
If you’re worried you may have received one of these emails, there are a few things you can do, starting with making sure the login page URL is legitimate.
If the address begins with “data:text”, or if there’s any text other than “https://” before the “accounts.google.com”, it’s not the real deal and you should close the page immediately.
The “https” part of the URL should also be green and appear next to a lock symbol if the page is legitimate.
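The address check described above can be written down as a small routine. The following is an added example, not code from the article or from Wordfence: it treats an address as genuine only if its scheme is https and its host is exactly accounts.google.com, and it reports why anything else is rejected. The look-alike addresses in the demonstration (a data: URI, plain http, a subdomain of another site, and a host tucked behind an @ sign) are constructed for illustration; the real and fake addresses are the ones quoted in the article.

```python
from typing import Dict, Tuple
from urllib.parse import urlparse

# Hostname of the genuine Google sign-in page, as quoted in the article.
GOOGLE_LOGIN_HOST = "accounts.google.com"


def is_genuine_google_login(address: str) -> Tuple[bool, str]:
    """Judge the text shown in a browser's address bar.

    Returns (ok, reason). Only an https:// URL whose host is exactly
    accounts.google.com passes; a data: URI, any other scheme, or any
    other host is rejected with a short explanation.
    """
    address = address.strip()

    # The scam page is a data: URI. The real hostname appears in it only as
    # text; nothing is being fetched from Google at all.
    if address.lower().startswith("data:"):
        return False, "data: URI - page content is embedded in the address, not served by Google"

    parsed = urlparse(address)
    if parsed.scheme != "https":
        return False, f"scheme is {parsed.scheme!r}, expected 'https'"

    # Compare the parsed hostname, not the raw string: a prefix check on the
    # text would be fooled by hosts that merely contain the real name.
    host = (parsed.hostname or "").lower()
    if host != GOOGLE_LOGIN_HOST:
        return False, f"host is {host!r}, expected {GOOGLE_LOGIN_HOST!r}"

    return True, "https and host match"


def check_addresses(addresses) -> Dict[str, Tuple[bool, str]]:
    """Run the check over several addresses and return the verdicts."""
    return {addr: is_genuine_google_login(addr) for addr in addresses}


# Constructed sample: the two addresses quoted in the article plus some
# common look-alike shapes a defender would want the check to reject.
SAMPLE_ADDRESSES = [
    "https://accounts.google.com/ServiceLogin?",
    "data:text/html,https://accounts.google.com/ServiceLogin?",
    "http://accounts.google.com/ServiceLogin",
    "https://accounts.google.com.evil.example/ServiceLogin",
    "https://accounts.google.com@evil.example/",
]

if __name__ == "__main__":
    for addr, (ok, reason) in check_addresses(SAMPLE_ADDRESSES).items():
        print(f"{'OK  ' if ok else 'FAKE'} {addr}  ({reason})")
```

The point of using `urlparse` rather than a string search is visible in the last two samples: both contain the genuine hostname somewhere in the text, but neither has it as the parsed host, which is the only thing that decides where the page actually comes from.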
Google responded to Maunder’s post with the following: “We’re aware of this issue and continue to strengthen our defenses against it.
“We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more.
“Users can also activate two-step verification for additional account protection.”
Two-step verification makes it harder for anyone else to log into your Google account by requiring a verification code sent to your phone, and can be enabled by visiting this page.