The Google Phishing Scam: How to Protect Your Data

A recent Google Phishing scam hit headlines after a number of Gmail users had their accounts compromised by a worryingly sophisticated email scam. Users were tricked into clicking an email that took the user to a real Google account selection screen, and after selecting their account, a “Google Docs” window would appear, requesting permission to read, write and access emails.
By granting “Google Docs” permission, the document was revealed to be published by a random Gmail account, and the holder of the account would now have access to the affected account. What they thought was “Google Docs” was in fact a malicious third-party web app, and scammers now had access to user emails, and could send more scam emails from the victim’s account.
The most worrying aspect of this phishing scam was that the scam worked within the existing Google login system, it bypassed the two-factor authentication and was only noticeable as fake after clicking the link. The scam took advantage of the fact that fake applications named “Google Docs” can be created, and since the scam didn’t require victims to type in their passwords, the usual anti-phishing measures didn’t block it.
The scam exploited Open Authorisation (OAuth). OAuth notifies a resource provider that the resource owner grants third-party access to their information. An example of this would be Facebook (resource provider) being notified that you (resource owner) are allowing a third-party (a Facebook application) to access your information (your friend list). There are a multitude of online services that use OAuth, and it’s impossible to vet all the third-party applications that use it.
Fortunately, the scam was detected and dealt with quickly by Google within an hour. A company statement assured users of the following:

• Offending accounts had been disabled
• Fake pages and applications had been removed
• Updates were being pushed through Safe Browsing, Gmail, Google Cloud Platform, and other counter abuse systems

The scam ultimately affected around 0.1% of Gmail users, which equates to about one million users out of Gmail’s one billion active users.
Phishing scams of this scale are relatively rare, and therefore make headline news. However, phishing attacks are all too common and it’s worth taking preventative measures to ensure that your account isn’t compromised.
How to Protect Yourself from a Phishing Scam
Phishing emails are typically designed to fool the victim into giving away their personal information, or installing malicious software. Luckily, there are a few easy ways to spot a phishing scam:

1. Bad spelling and grammar is often seen in phishing emails, and a legitimate company with hired copyeditors would never release such an email. Big brands care about their reputations, cyber criminals don’t.
2. Never click an unknown link. If the email encourages you to click on a link to ‘fix’ a problem or to ‘claim’ a prize, hover your mouse over the link and look at the address. If the link looks unusual, a way to test the legitimacy of the link would be to manually type it into the address bar in a new window—if the URL takes you to a different address from the one you’ve typed, it’s fake
3. Analyse how the sender addresses you. Legitimate companies like to be as personable as possible and often will address you by your name, not by vague titles like ‘Valued Customer’.
4. If the language is threatening or urgent, and claims that your account has been suspended, has had unauthorised logins attempts, or will be closed if you don’t act, it’s most likely a scam. Scammers often try to inject a sense of urgency to make you act before thinking.
5.  Always scrutinise email attachments. While you might be expecting a file from someone, make sure to check the attachment for anything suspicious. It’s very easy to download malware that damages files on your computer, steals your passwords or spies on you without your knowledge.
6.  Make sure to check the address bar. Even if you’re sure the sender is legitimate, make sure to check the address bar if you click on a link. While a scammer can create a convincing login page to trick you into giving away your password, a quick glance at the address bar should tell you if the website you’re on is genuine.
7. Double check, if you can. While you may be able to recognise a phishing scam at home, recognising one at work is just as important. Scammers can easily pose as a highly ranked member of an organisation and send fake emails to employees asking for personal information. This kind of personal information can easily be used for fraud, so try to check if the email is genuine by contacting the sender themselves if possible.
8.  Don’t trust email headers. An email header can be forged with a brand name, and scammers can easily make a fake ‘From’ address similar to a real company.
9.  If the message asks for personal information, never give it up. No matter how official or genuine an email may look, companies would never ask for personal information via email. Asking for account numbers, passwords, or the answer to a security question would never happen with a trustworthy company.
10. A lack of information about a sender can be a tell-tale sign of a fraudulent sender. Companies tend are keen to hear from their customers and always leave contact details.

This list is by no means exhaustive—phishing scams have become increasingly convincing, and scammers are always evolving new ways to hit unsuspecting users. Email phishing is the number one delivery vehicle for malware, and in 2015, 85% of organisations were victims of phishing attacks and 30% of phishing emails were opened! Having the intuition to spot scams is an excellent way to protect yourself and others from losing personal information and other sensitive data.
But regardless of how vigilant you might be when inspecting your emails, mistakes do happen and the most convincing scams often fool even the savviest of tech users. Our next post will cover the next steps should your system fall prey to a phishing scam, with tips on how to locate the affected account, and investigate what data has been accessed.