Gmail phishing scam is nasty – what to do?

A lot of people have been getting suspicious-looking emails in their Gmail today. There is a full-fledged phishing scam, most likely run by a nation-state, that is stealing information and installing malware on your computer. Take 5 minutes to read the tips below and 5 minutes to watch the video at the end of this article, so you can understand what to look for in malicious emails. The problem is always that at first glance the emails look like they're coming from someone you know, but there are some clues. This topic always upsets me because it usually affects people who aren't as knowledgeable about computers, and the elderly. AARP regularly posts about ongoing scams.

About the scam

The malicious messages appear to come from trusted contacts and ask the recipient to open a Google Doc. As soon as the recipient clicks through, they are asked to grant permissions to an app imitating Google Docs, namely the ability to read, send, delete and manage email, as well as manage contacts. For the user, once they've clicked through, nothing visible happens. But the attacker has effectively been given access to their Gmail.

Google said on Twitter that “We are investigating a phishing email that appears as Google Docs. We encourage you to not click through and report as phishing within Gmail.”

It is not clear who created the spam email or how many people it has affected. But the name Russia has come up a few times. In a second statement, on Wednesday evening, Google said that it had disabled the accounts responsible for the spam, updated its systems to block it and was working on ways to prevent such an attack from recurring.

So what is the common “lay person” to do? How can you protect yourself?

Here is an example of things to look for.


1. First and foremost – Do not click, even when the email is from someone you know.

Even when you receive links from trusted contacts, be careful what you click. Spammers, cybercriminals and, increasingly, nation-state spies (Russia and China) are resorting to email attacks, known as spear phishing, which bait victims into clicking on links that download malicious software. So how do you know?

Here’s a set of red flags that tell you to be wary. Some basics include:

  • Bad spelling and/or poor grammar in an email claiming to represent a company, royalty, a prize agency, whatever.
  • An unsolicited commercial or personal request. Do you even know of this company or person? If the name seems unfamiliar and you don't recall ever signing up with the company or sharing details with this individual, be suspicious upon receipt of such an email.
  • Asking for money. Always start from the position that a request for money is to be treated with suspicion until proven otherwise.
  • The email is full of promises to reward you. Promises of this type are rather personal; you should be very wary of such emails.
  • The email is from somewhere you don't live, like Nigeria or Singapore, and you either know nobody there or it's not the email address of anyone you do know there.

There are even more ways to check for fraudulent email so go to this blog for good visuals and examples.

2. Turn on multi-factor authentication (also known as two-factor authentication) – sign up with Google here.

Google, banks and other email services offer customers the ability to turn on multi-factor authentication. Use it. When you log in from an unrecognized computer, the service will prompt you to enter a one-time code texted to your phone. It is the most basic way to prevent hackers from breaking into your accounts with a stolen password.


Do I need to say it? Change your passwords … again!

3. Changing your passwords is vital

If you've been phished, change your passwords to something you have never used before. Ideally, your passwords should be long and should not be words that could be found in a dictionary. The first thing hackers do when breaking into a site is use computer programs that try every word in the dictionary.

4. I’ve already clicked

Lastly, if you did click on the nasty link, you can go to your Google account settings here, which will allow you to revoke access to apps—including the fake Google Docs one.
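As an added example (not from the original post), here is a small Python audit of third-party app grants, of the kind listed in your Google account settings, that flags the over-broad permissions the fake Google Docs app requested. The scope URLs are Google's real Gmail and Contacts OAuth scopes; the grant records and client IDs are constructed placeholders.

```python
"""Audit third-party OAuth grants for the access the fake 'Google Docs' app took:
read/send/delete/manage mail plus manage contacts. Sample grants are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Real Google OAuth scopes that hand an app the access described in the post.
FULL_MAILBOX_SCOPES = {
    "https://mail.google.com/",                       # read, send, delete mail
    "https://www.googleapis.com/auth/gmail.modify",   # read and manage mail
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts",       # read/write contacts
}
# A genuine Google product never shows up as a third-party grant, so a
# third-party app carrying one of these names is borrowing the brand.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "gmail"}

@dataclass(frozen=True)
class Grant:
    app_name: str
    client_id: str          # constructed placeholder values below
    scopes: frozenset[str]

def audit_grant(grant: Grant) -> list[str]:
    """Return the reasons this grant deserves revocation (empty = looks fine)."""
    findings = []
    if grant.scopes & FULL_MAILBOX_SCOPES:
        findings.append("full mailbox access: can read, send and delete mail")
    if grant.scopes & CONTACT_SCOPES:
        findings.append("contacts access: can harvest your address book")
    if grant.app_name.strip().lower() in GOOGLE_PRODUCT_NAMES:
        findings.append("third-party app using a Google product name")
    return findings

def apps_to_revoke(grants: list[Grant]) -> list[str]:
    """App names to revoke in account settings: every grant with a finding."""
    return [g.app_name for g in grants if audit_grant(g)]

# Constructed sample grants: the fake 'Google Docs' app beside two benign ones.
SAMPLE_GRANTS = [
    Grant("Google Docs", "CLIENT-ID-PLACEHOLDER-1",
          frozenset({"https://mail.google.com/",
                     "https://www.googleapis.com/auth/contacts"})),
    Grant("Team Calendar", "CLIENT-ID-PLACEHOLDER-2",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    Grant("Read-only Mail Widget", "CLIENT-ID-PLACEHOLDER-3",
          frozenset({"https://www.googleapis.com/auth/gmail.readonly"})),
]
```

Run `apps_to_revoke(SAMPLE_GRANTS)` and only the impostor is listed; the read-only mail widget passes because it cannot send or delete, which is the least-privilege distinction worth checking before you revoke.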

If you do come across any fraudulent emails, you should report them. You report any phishing attacks to Google by clicking the downward arrow at the top right of your inbox and selecting “Report Phishing.” Companies count on those reports to investigate such scams and stop them.

You can also go here to Google and see current scams.

Keep your eyes open and your wits about you. Watch this video to help you spot fraudulent emails.

Spread the word. Share this post!