You get a link to a Google Doc. You click it, then sign in to your Google account. Seems safe enough, right?
Wrong, apparently. A sophisticated phishing setup is teaching the world yet another lesson about online security.
What is phishing, and how do scammers use it? Basically, phishing means getting users to voluntarily type their username and password, often by using a false login page. Such pages are usually easy to spot for net-savvy users, but this recent example of phishing is noteworthy for how realistic the login page looked. It could have fooled just about anyone, and had a Google URL.
Here’s how it worked: victims got emails with the subject line “Documents.” The email itself contained what looked to be a link to a Google Doc – complete with an actual “Google.com” domain – and pointed users to what looked like a legitimate Google login screen.
It’s not uncommon for users to need to sign in before seeing a Google Doc, so many dutifully typed their passwords. They were redirected to an actual Google Doc, but their username and password weren’t used by Google: criminals recorded them instead.
Google claims all such pages have since been taken down, but it’s still worth being vigilant. Don’t click links to Google Docs if you’re not sure of the sender. If you must, check that you’re logged into Google Docs before clicking through the link.
That will only protect you from this one incident, though, which brings us to the scary thing about this: it’s becoming harder and harder to advise people about security. We’ve previously outlined four ways to avoid phishing scams, and it’s not altogether clear any of them would have helped in this case.
Google advises you change your password if you suspect you’re a victim. While you’re at it, we recommend you also lock down your accounts with two-factor authentication. With that turned on, getting your password won’t be enough for criminals to access your account – they’ll also need your phone.