Warning to all Gmail users over password hack as Google share how long you have to act if you fall for the scam

GMAIL users have been warned to be vigilant after a recent surge in sophisticated scam messages.

A torrent of password-stealing attacks have been landing in inboxes – and Google has explained what to do if you receive one.

There has been a particular uptick in phishing-style attacks, where scammers pretend to be legitimate companies and ask you for sensitive details.

The tech giant reassured customers that even if you get locked out of your account, you have up to a week to regain access.

All users need to do is make sure they have a recovery email address or phone number registered with their account.

This will allow them to answer security questions and verify their identity in order to change their password.

Google urged all their users to check their accounts and make sure they have the backstop measures in place.

It released a public service announcement just weeks after issuing a “red alert” over an “extremely sophisticated” attack targeting its users.

The phishing scam was first reported by Nick Johnson – a developer at the Ethereum crypto platform.

He shared a screenshot of an email seeming to come from a legitimate Google address, claiming he’d been served a subpoena and needed to give up access to his account.

A Google spokesperson said: “We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse.

“In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”

Johnson reported that when he clicked on the link it took him to a “very convincing ‘support portal’ page”.

He continued to follow the process, clicking “Upload additional documents” and “View case”.

Both of these took him to exact replicas of real Google pages – where he was asked to sign into his account.

Johnson explained: “From there, presumably, they harvest your login credentials and use them to compromise your account.

“I haven’t gone further to check.”

He noted that the malicious email even passed several of Google’s checks, which are used to verify that a message hasn’t been altered on its way into the inbox.

Google is usually good at flagging suspicious emails, but this one was shown without warning.

Johnson added: “It even puts it in the same conversation as other, legitimate security alerts.”

Google said that it has shut down the mechanism that allowed this method of attack to work, and recently shared guidance on spotting and avoiding email scams.

The tech giant reassured users that it has fixed the weak spot that allowed the method of attack to work.

It also provided guidance on spotting and avoiding scam emails.

The company said: “Google will not ask for any of your account credentials — including your password, one-time passwords, confirm push notifications, etc. — and Google will not call you.”
