Gmail users have been hit by a torrent of phishing scams in recent months — but Google says don’t panic if you fall for one.
Even if you’re locked out of your account by one of these password-stealing scams, the tech giant says you can still regain access for up to a week.
Users simply need to make sure they have a recovery phone number or email configured in their accounts, which will enable them to answer security questions and confirm their identity.
So anyone who doesn’t have these backups enabled should do so now, says Google.
The public service announcement comes just weeks after Google confirmed a ‘sophisticated’ attack targeting all of its 1.8 billion Gmail users.
The phishing scam was first reported by Nick Johnson, a developer for the cryptocurrency platform Ethereum.
Johnson posted a screenshot of an email that seemed to originate from a valid Google address, asserting that he had received a subpoena and was required to surrender access to his account.
A Google representative informed DailyMail.com: ‘We are aware of this type of targeted attack from this threat actor and have implemented protections to close this path for misuse.’
Google has created a way for you to regain control of your hacked Gmail account — but you only have seven days to act
The phishing scam was first reported by Nick Johnson, a developer for the cryptocurrency platform Ethereum
‘In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.’
Johnson said clicking the fraudulent link in the email took him to a ‘very convincing ‘support portal’ page.’
He then clicked ‘Upload additional documents’ and ‘View case,’ and both links took him to ‘exact duplicates’ of legitimate Google pages.
These pages asked Johnson to sign into his Google account.
‘From there, presumably, they harvest your login credentials and use them to compromise your account; I haven’t gone further to check,’ he explained.
He noted that the nefarious email passed the DKIM signature check, which is used to verify that parts of an email haven’t been altered on its way to your inbox, and that Gmail displayed it without any warnings.
‘It even puts it in the same conversation as other, legitimate security alerts, he added.
Google said that it has shut down the mechanism that allowed this method of attack to work, and recently shared guidance on spotting and avoiding email scams.
‘Google will not ask for any of your account credentials — including your password, one-time passwords, confirm push notifications, etc. — and Google will not call you,’ the tech giant said.
Phishing attacks aim to get users to share their personal information with hackers, which they can use to steal victims’ identity or money (STOCK)
Phishing attacks like this one aim to get users to share their personal information with hackers, which they can use to steal victims’ identity or money.
The goal is to make the devious message appear as legitimate as possible to trick users into believing they’re sharing their information with a trusted entity.
That’s why the hackers behind this Gmail attack used Google Sites to craft their scam, ‘because they know people will see the domain is http://google.com and assume it’s legit,’ Johnson explained.
Phishing messages typically use a generic greeting, inform you that there is an urgent issue that cannot be resolved without your action, and invite you to click on a link
If you use a password to log into your Gmail account, then unwittingly share it with a hacker, there’s nothing stopping them from breaking in.
It’s as simple as using your password and a 2FA code on their own device to access the account.
But using a passkey and 2FA makes it much harder for hackers to break in.
A passkey is a system-generated, highly secure login code cannot easily be guessed, stolen or phished.
It only works on the physical device it’s linked to, which means hackers can’t use it to gain access to your account on their devices.
In addition to swapping your password for a passkey, you can learn to spot the telltale signs of a phishing attack to protect your online accounts.
Even though these scams are getting harder to identify, there are some details that will give them away.
Phishing messages typically use a generic greeting, inform you that there is an urgent issue that cannot be resolved without your action, and invite you to click on a link.
While legitimate companies like Google may communicate with users via email, they won’t send you a link to resolve issues like updating your login or payment information.
