Gmail Phishing Scams You Need to Know About
Google Account Security Checkup by Wesley Fryer via Flickr. Licensed under CC BY 2.0
See Infosec IQ in action
While Google has set up a war room to investigate and put measures into place to prevent Gmail phishing schemes, ingenious phishers are still finding loopholes.
Cunning Gmail phishing scams even fool the experts
Social engineering
Used to great effect by phishers, emotional manipulation of potential victims using tried and tested social engineering techniques is difficult to thwart. Cybercriminals take advantage of victims’ fears, wariness of authority, and instinct to follow the rules. In one Gmail scheme, a user is messaged to enquire whether they requested a password reset for their account. If they did not, the message tells them to respond with “Stop.” As the email address is not theirs, the user usually responds by obediently replying “Stop.” They are then asked to confirm this by replying with a verification code. What has really happened is that the attackers have requested a password change for a victim’s account and are now trying to get a patsy to get a genuine verification code.
Dubious domains
Detected by WordFence, this scam targets potential victims with an email to their Gmail account, which includes an attachment or image that appears to come from someone they know. In fact, it may well come from a compromised contact. When the user clicks on the image or open the attachment, the Gmail sign in page opens in a new tab and they are asked to log in again. Doing this gives up the user’s username and password to the hackers. To detect this scam, make sure that the domain name has nothing before the hostname – which should read ‘accounts.google.com’ - other than ‘https://’ and the green lock symbol. The “naughty” URL looks something like this: "data:text/html,https://accounts.google.com… ."
According to WordFence, even technical users have been fooled. The author of the blog post describing this scam, Mark Maunder, suggests that this attack is so effective because users do not notice the preceding text (bolded above): “In user interface design and in human perception, elements that are connected by uniform visual properties are perceived as being more related than elements that are not connected.” In this case, the entire URL is in black and white:
Ordinarily, Google highlights the “https” for a safe URL in green or in red for an insecure URL:
The dots do matter
James H Fisher unearthed an ingenious Gmail scam which is enabled by an obscure feature of Gmail called “the dots don’t matter.” This crafty scam nearly caused him to add his card details to someone else’s Netflix account. On receipt of an email supposedly from Netflix warning that his account was on hold, Fisher followed the link to update his payment details. Careful scrutiny showed that the card number displayed was incorrect.
“I finally realized that this email is to james.hfisher@gmail.com. I normally use Jameshfisher@gmail.com, with no dots. You might think this email should have bounced, but instead it reached my inbox, because “dots don’t matter in Gmail addresses.”
It could have been a genuine coincidence, considers Fisher, but more likely a scammer had taken advantage of this Gmail loophole in the hope that someone else would pay for his or her Netflix account. Says Fisher: “We teach people about ‘phishing’ due to emails from dodgy email addresses, but we don’t teach people anything about phishing due to emails to dodgy addresses. Nevertheless, the result is the same: the victim loses money to someone else.”
Google Drive
MailGuard was one of the first companies to spot a fake Gmail phishing email that leveraged Google’s online storage platform, Google Drive, in order to persuade victims into giving away their email username and password details. In this scam, an email originated from a real user who had already been compromised; the signature of the user was genuine - including name, job title and telephone number - and the user could be traced, e.g. to a real LinkedIn profile.
The email invited the recipient (usually a friend, colleague, or family of the compromised victim) to open a file which had been shared using Google Drive. When the recipient clicked on the file, they were taken to a landing page that invited them to sign in via a number of different email providers using their email username and password details. These details were then captured by the scammers and the recipient was presented with, quite literally and most confusingly, a blank page.
Lotto scam
In this scam, the victim receives an email claiming they have won a Google Lottery. The initial email is sent in an attempt to initiate a dialogue with potential victims by requesting they contact a claims agent directly to file their claim. In further correspondence they will be asked for personal details, or to pay a fee to release the funds. Google does not operate lotteries so mark this email as Spam and do not forward any personal information.
Google Hangouts
This type of scam operates by notifying potential victims they have been given a job with Google or another company. However, the potential victim needs to pay a training fee (or some other type of fee.) Naturally, the victim is asked to complete employment forms providing confidential identifying information. The victim may also be strung along in bogus interviews through Google Hangouts.
Tips from Google
When you get a suspicious Gmail email, Google has the following advice:
- Check that the email address and the sender name match.
- Check if the email is authenticated.
- Hover over any links before you click on them. If the URL of the link does not match the description of the link, it might be leading you to a phishing site.
- Check the message headers to make sure the "from" header is not showing an incorrect name.
Remember, Google or Gmail will never ask you for personal information like: social security numbers, passwords, bank details, your mother’s maiden name, or your birthday.
Where to next?
Have any of your accounts been compromised? You can find out on Have I Been Pwned.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Learn how to detect and prevent phishing attacks with realistic anti-phishing simulations from Infosec institute’s PhishSim™ application. It is also a fun way to get buy-in to security awareness from team members at work.
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Gmail Phishing Scams You Need to Know About
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
