Attacks on our privacy and security are getting harder to spot and better at disguising themselves, and no one is immune. Right now a “highly effective” phishing technique is alarming Gmail users, according to Wordfence, makers of the Wordfence security plugin for WordPress.
Phishing is when attackers trick you into handing over sensitive information (usernames, passwords, credit card details) so they can use it for their own ends. Even scarier, the scheme in the news lately is so inconspicuous that it is “having a wide impact, even on experienced technical users,” Wordfence says in a blog post.
Here’s how it works. First, an email lands in your Gmail inbox. It appears to come from someone you know, and it carries what looks like a PDF attachment. This is where it gets tricky.
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh
The “attachment” is really an image made to look like one. Click it and, instead of a preview of the document, a new tab opens containing a fake Google sign-in page. It looks exactly like Google’s, down to the font, the colors and the entry fields. Clever!
Usually the URL in the browser’s address bar gives a fake site away. Unfortunately for us, the attackers have thought of this too. Glance at the address bar and you see the familiar “https://accounts.google.com”. Look more carefully and you’ll notice that the address actually begins with “data:text/html,” before that plausible-looking URL, and that far to the right, after a long run of blank space, sits a long block of code. That prefix means the browser is not talking to accounts.google.com at all: the whole page, including the script that draws the login form, is packed into the address itself, and the “accounts.google.com” text is just decoration inside it. On some screens the code is pushed off the right edge, and you would need to scroll or zoom out to see it.
Unaware that anything is wrong, you type in your username and password and surrender your details, and with them the entire contents of your mailbox, to the attackers. Because the form you typed into is theirs, the password goes straight to them. They then comb through past emails, attachments and other details and send the same lure to your contacts from the hijacked account. That is why the email appeared to come from someone you know. And so the scam spreads, growing bigger and bigger.
How do you keep your data safe? There are tell-tale signs to watch out for, as experts point out. The trick is to keep them in mind whenever you’re online and make them second nature. Teach them to the kids too, if they’re old enough.
1. Check (and double check) the address bar. Whenever you’re asked to sign in anywhere, check that the URL is correct, and in particular that the part before the first “/” really is the site you expect. Many phishing sites imitate popular websites like Facebook and Amazon with only a slight change to the address. For example, the URL might read “Facrbook.com”. Did you spot the error? The typo (an “r” instead of an “e”) is exactly the kind of slip you might make typing the real address, which is why it works.
If you’re using Google Chrome, look for the padlock icon beside the URL. On a properly secured site it is green and says “Secure” next to it. Two caveats: the padlock only means the connection to the site named in the address bar is encrypted, not that the site is the one you meant, so it must go together with reading the address; and a page whose address starts with “data:” shows no padlock at all, which is one of the tells for the attack described above. A real Google sign-in page always has the padlock, so check for it whenever you sign in.
2. Enable 2-step verification. Basically, 2-step verification means you need two “keys” to get into your account: the first is your password and the second is a code.
After you enter your username and password, Google sends a one-time code to your phone, and you enter it to finish signing in. This protects you by requiring something you know (the password) and something you have (the phone), so a stolen password alone is not enough. One caveat: a fast-moving phishing page can ask for the code too and pass it on, so Google’s sign-in prompt or a hardware security key resists this attack better than a code sent by SMS. It’s simple yet effective, and Google makes set-up super easy. Find it here.
3. Monitor where your account is signed in. Did you know there’s a way to check where your account is currently signed in? Go to your Gmail inbox and scroll down to the bottom. In the bottom right corner you’ll find “Details” in small letters. Click it and it shows your account’s recent activity, including the sign-in history with dates, locations and IP addresses. If there is a location or IP address you don’t recognize, don’t just worry: use the option in that same dialog to sign out all other sessions, then change your password. More info about it here.
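Check 1 above, and the “data:text/html,” trick described earlier, turned into a small address-bar classifier. This is an added example, not code from the original article, from Wordfence or from Google. It assumes a hypothetical allow-list of sign-in hostnames (here only accounts.google.com) and uses constructed sample address-bar strings, including a stand-in for the data: URI attack whose script body is a placeholder rather than the attacker’s code. It also goes slightly beyond the article’s typo example: an exact hostname comparison rejects subdomain tricks such as accounts.google.com.evil.example as well.

```javascript
// Added example, not code from the original article or from Wordfence/Google:
// classify what the browser's address bar shows before you type a Google
// password into the page. The allow-list of sign-in hosts is an assumption
// (tune it to the accounts you care about); the address-bar strings at the
// bottom are constructed samples, including a stand-in for the data: URI trick.

// Assumption: the only hostname a Google sign-in form should be served from.
const TRUSTED_SIGNIN_HOSTS = new Set(["accounts.google.com"]);

function classifyAddressBar(text) {
  const raw = text.trim();
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(raw);

  // The Gmail trick: the entire fake page is a data: URI. Everything after
  // "data:text/html," is page *content*, so a hostname-looking string there is
  // decoration, and the real HTML/script usually sits far to the right behind
  // a run of whitespace. Report where the decoration ends and the payload begins.
  if (scheme && scheme[1].toLowerCase() === "data") {
    const comma = raw.indexOf(",");
    const body = comma === -1 ? "" : raw.slice(comma + 1);
    const firstTag = body.indexOf("<");
    return {
      verdict: "phish",
      reason: "data: URI rendered as a page; no server is involved",
      lookalikePrefix: (firstTag === -1 ? body : body.slice(0, firstTag)).trim(),
      payloadOffset: firstTag === -1 ? -1 : raw.length - body.length + firstTag,
    };
  }

  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return { verdict: "suspicious", reason: "address bar is not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: `scheme is ${url.protocol} not https:` };
  }
  // An exact hostname match catches both typo-squats ("facrbook.com") and
  // subdomain tricks ("accounts.google.com.evil.example").
  if (!TRUSTED_SIGNIN_HOSTS.has(url.hostname)) {
    return { verdict: "suspicious", reason: `unexpected host ${url.hostname}` };
  }
  return { verdict: "ok", reason: `https to trusted host ${url.hostname}` };
}

// Constructed samples (not captured from the real campaign).
const REAL_SIGNIN = "https://accounts.google.com/ServiceLogin?service=mail";
const DATA_URI_PHISH =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
  " ".repeat(300) + // pushes the payload off the right edge of the address bar
  "<script>/* placeholder for the attacker's form-drawing script */</script>";
const TYPO_SQUAT = "https://facrbook.com/login";
const SUBDOMAIN_TRICK = "https://accounts.google.com.evil.example/ServiceLogin";

for (const s of [REAL_SIGNIN, DATA_URI_PHISH, TYPO_SQUAT, SUBDOMAIN_TRICK]) {
  const r = classifyAddressBar(s);
  console.log(`${r.verdict.padEnd(10)} ${r.reason}  <- ${s.slice(0, 60)}`);
}
```

Run it with node. The data: case is checked before the string is handed to the URL parser on purpose: a data: URI has no host, so the decorative “accounts.google.com” never reaches the parser as a hostname, which is also why a real browser draws no padlock for such a page.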