I’m sure there are lots and lots of these making the rounds at any given time. However, given that a client of ours was recently hijacked with a rather convincing-looking phishing scam, I felt it appropriate to publish this as a courtesy.
This one came in the form of an email. The message came from someone she knew, and it had a personal tone that made it seem a little more convincing than usual. Also, it contained the usual email signature of the sender (complete with their usual “sign-off” phrase, logo, contact info, etc.)
The subject line of the message making the rounds right now reads:
Please check out the document a very useful document that I believe we can all gain from.
If you see one like this, typically you’ll see that you were a bcc recipient. The message that got her had a body that read as follows:
I tried to get these document across to you before. Did you ever get it? VIEW HERE and sign on with your email to access it as attached on Google.doc, get back to me so we can discuss.
There were a couple of fonts in the message, so it was poorly formatted. The “VIEW HERE” phrase was linked to a website that looked like this:
Clicking on any of the logos opens a small box that seems very official looking and you’re invited to enter your email address and password.
In the case of our friend, this all happened to her several days ago. She ultimately thought nothing had happened… until today. What tipped me off was that I got a message from her. I knew right away that it was a scam (the .ru domain name was a big clue), so I checked with other members of our team… and some had received the message and fallen for it.
Today, she found that after several hours of working, she suddenly couldn’t login to her Google Apps (corporate Gmail) account any more. This caused her to panic. So did the phone call from their corporate banker, who had been getting email requests for various bits of account information (including current balances, etc.). Thankfully, their banker refused to provide info via email and was kind enough to pick up the phone. Others may not be so lucky.
When In Doubt… Don’t
So like I said earlier, I’m pretty sure that there’s a new “flavor of the day” scam running at any point in time. So here are a couple of pointers that may help you:
- Don’t enter your email address & password into unknown websites. This particular one showed a lot of official-looking logos, so it seemed convincing. That’s why you always want to…
- Double-check the address of the website you’re visiting. This particular domain name was “stroymir-nf.ru” — and boy if ever anything screamed “I’m a Russian criminal,” this one does. But the little “Copyright 2013 Google” at the bottom might be enough of a distraction to keep you from noticing your browser’s address bar. So… always double check.
- Remember: You shouldn’t have to login to view a Google Doc if you’re already logged into your Gmail account. This goes for Google Apps users as well, of course. Google docs will automatically open for you because you’re already authenticated in your web browser. If you have to enter your Google account info again, it’s a red flag.
What If I Did It Before I Realized What I Was Doing?
If you enter your Google (or other) account info into an unknown website like this one before you realize it’s a scam, immediately go change your password. This is a pain, I know it. But you’ve just given away the keys to your personal kingdom, so you need to change the lock.
In our client’s case, she got kicked out of her Google account 3 days later when the thieves got around to trying to make use of her information. Thankfully, hers was a Google Apps account, and the domain administrator was able to reset her password for her, which effectively kicked the Russian crooks out of her account.
Which brings me to another important point: set up two-factor authentication for your Google account. It’s a little bit of an inconvenience, because it means that you have wait for Google to text a code to your mobile phone before you can log in to your account on a new browser or device, but it’s worth the short delay and the extra step because anyone trying to get into your account will also have to have your cell phone in order to get in. If you haven’t done this yet, now’s the time. Here’s more info about Google’s two-step verification process, including a guide to getting it set up for your account.
Something else you’ll need to do is check the apps and websites that are authenticated to access your Google account and revoke access for anything that looks unfamiliar or even remotely fishy.
Questions? Post ’em in the comments here and I’ll do my best to tackle them for you.