Tutorial

Don't Fall for This New Gmail Phishing Scheme

If you receive an email from Google that appears to be a legitimate security alert, do not act on it right away. Scammers are abusing weaknesses in how Google signs and delivers its own notification emails to send phishing messages convincing enough to steal unsuspecting users' account credentials. Here's how to protect yourself.

How this new Google phishing scam works

As Android Authority reports, a developer named Nick Johnson was recently targeted by a phishing email with the subject line "Security alert." The message was sent from no-reply[at]accounts.google.com and signed by accounts.google.com, making it look like a legitimate email straight from Google. However, the message linked to a fake Google support page hosted on sites.google.com, which prompted visitors to "upload additional documents" or "view case." Those links in turn led to a fake sign-in page that asked for account credentials, which is where the scammers harvested the target's Google login.

Two weaknesses make this scam possible, according to Johnson. First, Google lets anyone host pages on a google.com subdomain via Google Sites, so the fake support page carried a URL that looked legitimate. Second, the attackers registered a domain, linked it to a Google Account, and created a Google OAuth app whose name was the text of the phishing email. When they granted that app access to the account, Google itself generated a genuine "Security alert" notification containing the app name, signed it with the DKIM key of accounts.google.com, and delivered it to the attacker-controlled address. Because the DKIM signature covers the message exactly as Google sent it, the attackers could forward that message verbatim to victims and it still passed signature checks. Note that while the email was signed by accounts.google.com, it was mailed by a server at privateemail.com, a mismatch that is visible in the message headers (Gmail shows it as separate "mailed by" and "signed by" fields).
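The header mismatch described above is something you can check mechanically. The following is an added example, not code from the article or from Johnson, that parses a raw message and flags the signs of a replayed Google alert: a DKIM `d=` domain that differs from the envelope sender and last delivery hop (signed by Google, mailed by someone else) and links to user-hosted Google Sites pages. Both sample messages are constructed for this example; the selector, signature values, IP addresses and URLs are placeholders. The organisational-domain helper is a deliberately naive "last two labels" rule rather than a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the article.
# Signature values, selector, IP address and the Sites URL are placeholders.
REPLAYED_ALERT = """\
Return-Path: <bounce@privateemail.com>
Received: from mail.privateemail.com (mail.privateemail.com [203.0.113.5])
        by mx.example.net with ESMTPS id abc123
        for <victim@example.net>; Tue, 15 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
        s=placeholder; h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security alert
Date: Tue, 15 Apr 2025 10:00:00 +0000
Content-Type: text/plain; charset=utf-8

To view the case and upload additional documents, visit
https://sites.google.com/view/placeholder-case/home
"""

# Constructed control message: an alert mailed from Google's own
# infrastructure that links only to myaccount.google.com.
GENUINE_ALERT = """\
Return-Path: <noreply@accounts.google.com>
Received: from mail-placeholder.google.com (mail-placeholder.google.com [198.51.100.7])
        by mx.example.net with ESMTPS id def456
        for <victim@example.net>; Tue, 15 Apr 2025 10:05:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
        s=placeholder; h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security alert
Date: Tue, 15 Apr 2025 10:05:00 +0000
Content-Type: text/plain; charset=utf-8

Review recent activity at https://myaccount.google.com/notifications
"""


def org_domain(host: str) -> str:
    """Naive organisational domain: the last two labels of a hostname."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw: str) -> dict:
    """Return parsed sender facts plus a list of human-readable findings."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()

    # d= tag of every DKIM-Signature header (values may be folded over lines).
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            dkim_domains.append(m.group(1).lower())

    # Topmost Received header is the hop that handed the message to us.
    received = msg.get_all("Received", [])
    m = re.search(r"from\s+([^\s(]+)", received[0]) if received else None
    last_hop = m.group(1).lower() if m else ""

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    urls = re.findall(r"https?://[^\s<>\"']+", body)

    findings = []
    if from_domain and rp_domain and org_domain(from_domain) != org_domain(rp_domain):
        findings.append(f"From domain {from_domain} not aligned with envelope sender {rp_domain}")
    for d in dkim_domains:
        if rp_domain and org_domain(d) != org_domain(rp_domain):
            findings.append(f"DKIM signed by {d} but mailed by {rp_domain} (possible signature replay)")
    if last_hop and from_domain and org_domain(last_hop) != org_domain(from_domain):
        findings.append(f"Last hop {last_hop} is outside the From domain {from_domain}")
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host == "sites.google.com" or host.endswith(".sites.google.com"):
            findings.append(f"Link to user-hosted Google Sites page: {u}")

    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "dkim_domains": dkim_domains,
        "last_hop": last_hop,
        "urls": urls,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, sample in (("replayed", REPLAYED_ALERT), ("genuine", GENUINE_ALERT)):
        print(label, triage(sample)["findings"])
```

This is triage, not verification: it does not validate the DKIM signature (a library such as dkimpy does that), and a valid signature is exactly what a replayed message still has. The useful signal is the disagreement between who signed, who mailed, and where the links go.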

This isn’t the first phishing scheme to come from a seemingly legitimate email address, making it trickier for users to spot as a fake. Earlier this year, scammers exploited PayPal settings to send fraudulent purchase notifications from service[at]paypal.com.

How to identify and avoid phishing email scams

Phishing emails are harder to catch when they appear to come from a real, recognizable address, since a misspelled or look-alike sender address is normally the first giveaway of a scam. Generally speaking, think twice before engaging with any message that has a tone of urgency or evokes an emotional response, even if it looks real.

If you get an email like this from a company you know and whose services you use, and the message appears legitimate, still don't click any links or download any attachments. Instead, go directly to the company's website by typing in the URL, and check its official social media accounts or customer service channels for any alerts related to the message you received, especially if the email concerns account security, account recovery or your personal information.

Tutorial source

ZaKi

Who is mahdizk? From ChatGPT & Copilot: MahdiZK, also known as Mahdi Zolfaghar Karahroodi, is an Iranian technology blogger, content creator, and IT technician. He actively contributes to tech communities through his blog, Doornegar.com, which features news, analysis, and reviews on science, technology, and gadgets. Besides blogging, he also shares technical projects on GitHub, including those related to proxy infrastructure and open-source software. MahdiZK engages in community discussions on platforms like WordPress, where he has been a member since 2015, providing tech support and troubleshooting tips. His content is tailored for those interested in tech developments and practical IT advice, making him well-known in Iranian tech circles for his insightful and accessible writing.
Come on, I swear, it really is me.
I know full well that if I am not Zaki, my account is with the Recording Angels (Kiraman Katibin).
I am the last one to cross the broken bridge of victory; I am here to take your hand when you slip.
