Malware, ransomware and data breaches are just a few of the digital threats that we're constantly warning you about. We stay on top of these threats to help keep your information safe.
That's why we've been telling you about a Gmail phishing scam that's been fooling people for several weeks now. People are still falling for the scam, but there is a fix available that you need to know about.
Why this phishing scam is so effective
This attack is just very convincing. Gmail users are receiving emails from people in their contacts list who have already been hacked.
The fraudulent email looks even more authentic because the scammer goes through the senders' messages to find a topic that you are probably familiar with.
Think about this: Getting an email from someone you know, talking about a familiar topic makes it more likely for you to lower your guard and fall for the scam.
Inside the fake email is what looks like a PDF attachment. In reality, this is a malicious link. Once you click on the image, a new tab will open and you will be asked to sign in to Gmail again.
The location bar of the fake sign-in page is even tricking people. It contains the accounts.google.com/ServiceLogin, which is expected. However, the beginning of the location bar has items in front of the https: that should not be there.
Be sure to notice the text in the link so you know what to look for and not be scammed!
The prefix data:text/html gives away the fact that this is a fake webpage. (Image source: Wordfence)
As you can see in the image above, the location bar contains data:text/html in front of the https:. Some people are missing this fact and trusting the site because the accounts.google.com/ServiceLogin looks correct.
Then, the scammers take it a step further. They have created a sign-in screen that looks very official. Look at the image below.
If you sign-in to this page, you're done. The cybercriminal has your login credentials and your account is compromised.
The scammer now can control your email address and can use it to access other websites associated with this account. It's a very authentic phishing attack.
What has Google done to fix the problem?
Google has countered this phishing scam with a recent update to its Chrome browser. If you're using Google Chrome and land on a page containing a phishing attack, a warning will appear in the browser's address bar.
The warning reads: Not secure. If you see this warning, immediately close the page.
For your Chrome browser to have this added security feature it must be up to date. Here are the steps to make sure you are running the latest version of Chrome on every gadget:
- In the top-right corner of Chrome, click the Menu button >> Tap Update Google Chrome. If you don't see this button, you're running the latest version.
- Click Relaunch. Your tabs and windows will be saved. If you'd prefer not to restart right away, click Not Now. The next time you restart your browser, the update will automatically be applied.
- Chrome should automatically update based upon your Google Play Store settings.
- To check that you have the latest version, open the Play Store.
- Tap the Menu >> My Apps and games.
- Apps with available updates are listed under "Updates."
- If you see Chrome in this list, tap it to install the update.
- Chrome should automatically update based upon your iOS App Store settings.
- To check that you have the latest version, open the App Store and tap Updates.
- If you see Chrome on the list, tap Update to install.
- If asked, enter your Apple ID password. The updates will download and install.
If you're not using Chrome as your browser, you are still at risk of falling for this phishing scam. Follow these suggestions to help stay safe from phishing attacks:
How to defend against phishing scams:
- Use unique passwords - Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it's simple for the cybercriminal to get into each account. Click here to find out how to create hack-proof passwords.
- Be cautious with links - If you get an email or notification that you find suspicious, don't click on its links. It could be a phishing attack. It's always better to type a website's address directly into a browser than clicking on a link. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn't what the link claims, do not click on it.
- Watch for typos - Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos. Take our phishing IQ test to see if you can spot a fake email.
- Check your online accounts - The site Have I Been Pwned allows you to check if your email address has been compromised in a data breach.
- Have strong security software - Having strong protection on your family's gadgets is very important. The best defense against digital threats is strong security software.