How Spam Emails Can Be Used to Steal Your Gmail Password


Having a strong, unique password is not always enough to protect your Gmail account against cybercriminals. Research shows that you cannot always rely on Two-Factor authentication either, so you may wonder what it takes to keep your email secure. The answer is: staying alert. Last year, Google carried out research which revealed that most accounts get compromised through phishing scams. Phishing is a form of social engineering, which means cybercriminals do not need to steal any passwords; they only need to convince their victims to reveal such sensitive data themselves. Therefore, it seems to us that knowing hackers' tactics, in other words understanding how they might trick you, is the best way to stay safe. Consequently, in this blog post we will present a couple of examples of Google phishing attacks that happened in recent years and provide other useful information that should help you keep your account secure.

What are phishing attacks and how do they work?

A phishing scam is an attempt to make users reveal their sensitive information without even realizing it. Usually, scammers pretend to represent some reputable company, for example a bank or the targeted victim's email provider; which one mostly depends on what information the hackers wish to obtain. Next, the cybercriminals need to come up with a reason why the user should provide their sensitive data. For instance, in banking scams, hackers often claim the user's account was compromised and that the user needs to submit their login information to verify their identity and protect the funds in it.

Examples of Google phishing attacks

A few years back, cybercriminals were able to hijack some email accounts by sending phishing messages to potential victims' mobile phones. This phishing scam affected not only Gmail but also Hotmail and Yahoo users. Apparently, to initiate it the hackers first had to learn the victim's email address and telephone number. Next, they would ask Google to reset the targeted account's password by pretending to be its owner. To bypass Two-Factor authentication, the cybercriminals sent their victims text messages claiming the user's email account might be hijacked and that the user needed to respond with the verification code. Unfortunately, some users fell for it and revealed the verification codes that Google had sent to reset the password.

Moreover, a year ago some hackers managed to gain full control over users' Gmail accounts by tricking them into installing a fake Google Docs application and allowing it to access their emails. The scam was reported by a Reddit user who almost fell for it. It would seem that what stopped him from accidentally giving his account away to cybercriminals was the fake Google Docs application's publisher, which appeared to be some random Gmail account. According to Google's official statement, published in the mentioned Reddit post, this phishing scam affected less than 0.1 percent of Gmail users because the company took immediate action and its team was able to stop the attack in only one hour.

There were also recent reports about a Google phishing attack during which cybercriminals supposedly used hijacked accounts to send spam messages. The suspicions started after some users noticed spam messages in their Sent folders. Naturally, people started panicking after seeing messages they had not written themselves, and realizing that changing the account's password did not help created even more panic. Fortunately, it turned out that none of the accounts were compromised: the spam emails ended up in users' Sent folders because of a Gmail database glitch that made the system place spam messages in the wrong folder. One can only hope that the confusion brought not only stress but also more awareness of phishing scams and of how to act if you believe your account is compromised.

How to recognize Google phishing attacks and how to react to them?

As we mentioned in the beginning, the key is staying alert. Never forget that your passwords, authentication codes, and similar data are supposed to be secret, and that even the account's provider should never ask for them. Thus, if you receive an email, a text message, a phone call, or a pop-up advertisement asking you to provide any sensitive information related to your Google account, or even hurrying you to do so, you should realize something is not right. Instead of handing over any information, you should question whether the request is legitimate, even if the website asking for your data looks authentic. Sadly, cybercriminals can create convincing copies of the Gmail login page or of Google text messages, so identifying fake content might not be easy. For more tips, you could continue reading our blog post called How to Spot and Avoid Phishing Scams. What's more, if you identify a phishing attack you should report it to Google at once so it can be stopped as fast as possible.
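As an added illustration (this is not code from the original post), the three warning signs above can be turned into a small triage function that a mail filter or a cautious user could run over a message: a request for a password or verification code, pressure to act immediately, and links whose host only resembles the real sign-in host. The sample messages are constructed, and LEGIT_HOSTS is an assumption about which Google hosts count as genuine.

```python
"""
Added example, not part of the original post: applies the post's recognition
rules to an email.  Flags (1) requests for a password or verification code,
(2) pressure to act immediately, (3) links whose host merely resembles the
legitimate sign-in host.  Sample messages are constructed; LEGIT_HOSTS is an
assumption.
"""
import re
from urllib.parse import urlparse

LEGIT_HOSTS = {"accounts.google.com", "mail.google.com", "myaccount.google.com"}  # assumption
SECRET_REQUEST = re.compile(
    r"\b(password|verification code|security code|2[- ]?step code)\b", re.I)
URGENCY = re.compile(
    r"\b(immediately|within \d+ hours?|right away|will be (suspended|closed|deleted))\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains such as g00gle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a host (toy approximation of the registrable domain)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_hosts(text):
    """Hosts in the text that look like Google's sign-in pages but are not."""
    found = []
    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in LEGIT_HOSTS:
            continue
        reg = registrable(host)
        brand_in_subdomain = "google" in host and reg != "google.com"   # google.com.verify.example
        near_miss = reg != "google.com" and edit_distance(reg, "google.com") <= 2  # g00gle.com
        if brand_in_subdomain or near_miss:
            found.append(host)
    return found


def triage(message):
    """Return the list of warning signs found; an empty list means none of them fired."""
    body = message["body"]
    findings = []
    if SECRET_REQUEST.search(body):
        findings.append("asks for a password or verification code")
    if URGENCY.search(body):
        findings.append("pressures you to act immediately")
    for host in lookalike_hosts(body):
        findings.append(f"link points at look-alike host {host}")
    return findings


# Constructed sample messages (not real mail).
PHISH_SAMPLE = {
    "from": "security@g00gle-alerts.example",
    "body": "Unusual sign-in detected. Reply with your verification code immediately "
            "or your account will be suspended. Review at "
            "https://accounts.google.com.verify-login.example/",
}
BENIGN_SAMPLE = {
    "from": "newsletter@example.org",
    "body": "Our monthly update is out. Read it at https://www.example.org/news",
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", triage(msg) or "no warning signs")
```

The host check deliberately looks only at the registrable domain, so "support.google.com" is not flagged while "accounts.google.com.verify-login.example" is; the edit-distance threshold of two catches single-character substitutions and transpositions without flagging unrelated domains.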

How is Google planning to prevent phishing attacks?

The company works hard to protect users' accounts from phishing scams, and it looks like they may have found a perfect solution. A few years ago, Google employees were given USB security keys, and since then no one on the staff has fallen victim to a phishing scam. It is often said that Two-Factor authentication can secure the system because it allows logging into a particular account only when presenting something only the user has. Unfortunately, the Google phishing attack example we mentioned earlier, in which scammers tricked users into sharing their security codes with fake text messages, proves there are exceptions. On the other hand, a physical key that you would need to plug into your computer's USB port could not be obtained this way. The idea sounds promising, and it is already supported not only by Google, but also by Facebook, Dropbox, and other companies.
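To make the difference concrete, here is an added model (not code from the original post, and not Google's implementation) of both second factors. It goes one step beyond the paragraph by showing the mechanism that makes a security key resistant to the text-message trick: the key signs the server's challenge together with the site origin that the browser reports, so a response produced on a look-alike page does not verify at the real site, whereas a texted code is accepted no matter where the user typed it. The origins and user name are constructed, and an HMAC shared secret stands in for the device's private key so the example needs no extra libraries.

```python
"""
Added example, not code from the original post: a dependency-free model of why
a texted verification code can be phished while a security-key response cannot
be reused from a look-alike site.  Origins and user names are constructed; the
key uses an HMAC stand-in for the device's private key to stay self-contained.
"""
import hashlib
import hmac
import os
import secrets

LEGIT_ORIGIN = "https://accounts.example.com"   # constructed: the real sign-in page
PHISH_ORIGIN = "https://accounts-example.com"   # constructed: a look-alike phishing page


class OtpServer:
    """Second factor 1: a six-digit code sent by SMS and typed back by the user."""

    def __init__(self):
        self.pending = {}

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # would be delivered to the user's phone

    def verify(self, user, code):
        # A code is a bearer secret: the server cannot tell where the user typed it.
        return hmac.compare_digest(self.pending.get(user, ""), code)


def phished_otp_still_works(server, user):
    """The scam from the post: the victim reveals the code and it is submitted unchanged."""
    code = server.send_code(user)
    code_seen_by_attacker = code  # the victim "replied" to the fake text message
    return server.verify(user, code_seen_by_attacker)


class SecurityKey:
    """Second factor 2: a device that signs the server's challenge together with
    the origin the *browser* reports, so the response is bound to that site."""

    def __init__(self):
        self._secret = os.urandom(32)

    def registration_material(self):
        # Real U2F/WebAuthn registers a public key and the private key never leaves
        # the device; a shared secret is used here only to avoid extra libraries.
        return self._secret

    def sign(self, challenge, browser_origin):
        msg = hashlib.sha256(browser_origin.encode()).digest() + challenge
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class KeyServer:
    """The site's side of the challenge/response; it only accepts responses
    computed over its own origin."""

    def __init__(self, registration_material):
        self._material = registration_material
        self.challenge = None

    def new_challenge(self):
        self.challenge = os.urandom(32)
        return self.challenge

    def verify(self, response):
        msg = hashlib.sha256(LEGIT_ORIGIN.encode()).digest() + self.challenge
        expected = hmac.new(self._material, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def key_login(key, server, browser_origin):
    """One login attempt; the browser, not the user, supplies the origin."""
    challenge = server.new_challenge()
    return server.verify(key.sign(challenge, browser_origin))


def phished_key_response_fails(key, server):
    """A phishing page can relay the real challenge, but the key signs it for
    PHISH_ORIGIN, so the relayed response does not verify at the real server."""
    return not key_login(key, server, PHISH_ORIGIN)


if __name__ == "__main__":
    otp = OtpServer()
    print("phished OTP accepted:", phished_otp_still_works(otp, "alice"))          # True
    key = SecurityKey()
    srv = KeyServer(key.registration_material())
    print("genuine key login:", key_login(key, srv, LEGIT_ORIGIN))               # True
    print("phished key response rejected:", phished_key_response_fails(key, srv))  # True
```

The point the model makes is that the user never handles the security key's secret or the origin: both are supplied by the device and the browser, so there is nothing for a convincing text message to ask for.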

To conclude, we are not saying that using a strong password or enabling Two-Factor authentication is useless. These measures may protect your account when someone tries to hack it, but when it comes to phishing, you are the only one who can protect your privacy.

September 7, 2018