
Don't Fall for This Google Drive Phishing Scam

Source: Tom's Guide US

Usually, you can tell a legitimate Google notification from a phishing scam by reading the URL's domain name — a message that redirects you to a non-Google address is sure to be a scam. However, a sophisticated phisher has come up with a method of stealing Google login information by using the company's own servers against it.

Sunnyvale, Calif.-based security firm Symantec discovered the phishing attempt and reported the incident on its blog. The scam comes in an email titled "Documents," and encourages users to click on an included link to check out an important message on Google Drive.

This link leads to a login page hosted on a bona fide Google URL, complete with secure sockets layer (SSL) authentication. The login prompt is identical to that of a real Google site, inviting users to sign in for "One account. All of Google." Those who log in get access to a Google Drive document which says nothing of great import.

Of course, the document isn't the point; the point is that the phishers now have access to a user's Google account. This gives them access to Google Drive documents, private email and, perhaps most damning, payment information for Google Play.

The trick works because the lure document is actually hosted on Google Drive. Combined with the convincing login page, this trick could theoretically fool the tech-savvy as well as the uninformed.

Still, cautious users can spot a few red flags in this otherwise-clever scam. First of all, the email itself does not come from an official Google email address, even if its display name suggests otherwise. Clicking on links embedded in emails is also generally a bad practice, although in this case even copying and pasting the link would still bring a user to a "verified" Google page.
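
The two red flags above can be checked mechanically. The following is an added example, not code from the article or from Symantec: it assumes that genuine Google mail comes from the google.com or gmail.com domains and that the real Google sign-in page lives on accounts.google.com, and the sample headers and URLs are constructed.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed for this example: domains Google itself sends mail from.
GOOGLE_SENDER_DOMAINS = {"google.com", "gmail.com"}
# Assumed for this example: the only host that should ever ask for a Google password.
GOOGLE_LOGIN_HOST = "accounts.google.com"
# Assumed for this example: Google-owned hosts where user-uploaded files can be served.
GOOGLE_OWNED_SUFFIXES = ("google.com", "googledrive.com", "googleusercontent.com")


def sender_red_flag(from_header: str) -> bool:
    """Flag a From: header whose display name claims Google but whose address does not."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_google = "google" in name.lower()
    return claims_google and domain not in GOOGLE_SENDER_DOMAINS


def _is_google_owned(host: str) -> bool:
    # Exact match or a real subdomain; "evil-google.com" must not match.
    return any(host == s or host.endswith("." + s) for s in GOOGLE_OWNED_SUFFIXES)


def classify_login_url(url: str) -> str:
    """Classify the page that asks for a Google password.

    "not-google"  : the classic phish, a non-Google domain
    "drive-hosted": Google-owned host, but not the real sign-in host (this scam)
    "signin-host" : the genuine accounts.google.com
    """
    host = (urlparse(url).hostname or "").lower()
    if host == GOOGLE_LOGIN_HOST:
        return "signin-host"
    if _is_google_owned(host):
        return "drive-hosted"
    return "not-google"


def check_lure(from_header: str, login_url: str) -> list:
    """Return the red flags found for one email/link pair (empty list means none)."""
    flags = []
    if sender_red_flag(from_header):
        flags.append("display name says Google, address does not")
    verdict = classify_login_url(login_url)
    if verdict != "signin-host":
        flags.append("password prompt is " + verdict)
    return flags
```

A mail filter would apply `check_lure` to the From: header and to every link in the body; a Google-hosted page that is not the sign-in host is exactly the case the domain-name rule of thumb misses.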

If you get an email message purporting to come from a big organization such as Google, it's generally a good idea to check the content of the email against the company's official blog or Twitter feed. A company will rarely institute policy changes without informing its users on a grand scale.

Don't feel too bad if you got taken in by this one, but do change your password as soon as possible, and consider implementing two-step authentication for your Google account.

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

Comments
skaputnik, March 17, 2014 11:43 AM
And on the top of that, if you receive an email on your gmail, prompting you to go to the Google Docs, no password will ever be asked, once you are already logged in, right?
Pherule, March 17, 2014 12:34 PM
Online services can't seem to get this right though. I've often been logged in to my Google account, try to comment on YouTube or elsewhere, and some crap comes up asking me questions first or my password. No Google, I don't care if I haven't used the account for 90 days. I'm still logged in, I never logged out. Nobody else uses my computer so don't bleddy log me out without asking me first.