Last week, an unusually sophisticated phishing campaign appeared to target Google's 1 billion+ Gmail users worldwide, seeking to gain control of their entire email histories.
The worm, which arrived in users' inboxes posing as an email from a trusted contact, asked users to click on an attached "Google Docs" file. Clicking on the link took users to a real Google security page, where users were asked to give permission for the fake app, posing as Google Docs.
Once the user entered their details, the worm sent itself out to all of the affected users' contacts, spreading rapidly with every new victim.
Google said it has "disabled" the malicious accounts and that the vulnerability was exposed for only about one hour. During that time, a spokesperson reported that "fewer than 0.1 percent of Gmail users" were affected, a percentage which would still be about 1 million users.
While the scam appeared as an authentic Google Doc email, one of the biggest giveaways was the sender address which appeared as firstname.lastname@example.org.
In order to ensure you don't fall victim to the next phishing scam, here's everything you need to know about phishing and how you can avoid it:
Phishing is a technique used to trick you into giving out personal information such as your bank account details, passwords and credit card information. While phishing can come in the form of phone calls and website downloads, the most common form of phishing attempts occur via email, where scammers pose as trusted companies, so that you’re tricked into disclosing personal information.
Phishing emails can look authentic, featuring corporate logos and fonts similar to legitimate emails. Some common examples of phishing include the scammer saying that your bank is verifying customer records due to a technical error. Or, they may ask you to fill out a customer survey and offer a prize for participating.
Alternatively, the scammer may alert you to 'unauthorised or suspicious activity on your account'. You might be told that a large purchase has been made overseas and asked if you authorised the payment. If you reply that you didn't, the scammer will ask you to confirm your credit card or bank details so the 'bank' can investigate.
Fraudsters often include threats which will try and get you to react immediately. Emails threatening to close your account or stating that urgent action is required, are often sent by scammers who want you to think your information is at risk.
Cyber criminals are not known for their grammar and spelling. Most professional companies have editors who will thoroughly check mass emails for any spelling and grammar errors before being sent. If you receive an email with spelling and grammar errors, it's likely you've received a phishing email. In addition to spelling and grammar mistakes, look at the general layout of the email. As you can see from the phishing email from 'Australian Government Department of Human Services' below, some phishing scams appear unprofessional in both their layout and wording.
If you’ve opted in to receive emails from banks, online shopping companies and other businesses, chances are they will have your name in their database and address emails with a personal greeting. Phishing emails are usually sent out on mass and therefore will most likely have a generic greeting such as “Dear member”, “Dear customer” or "Hi There"
Sometimes phishing emails will look professional until you look at the sender’s address. If the sender address does not match the corporation that emailed you, it is likely to be a scam.
While spelling errors and the tone of the email are the easiest way to spot a phishing email, some scammers have managed to make messages look authentic by using legitimate-looking logos and font. As with the Google example above, one of best ways to spot a fake is by looking at the sender email address. If the address does not match up with the company that allegedly sent the email, delete it immediately.
Links on a phishing emails can look very similar to those of a company’s legitimate website. If you are unsure of the legitimacy of a link, don’t click on it. Instead, hover your mouse over the URL and see if the URL matches the real web address (which will come up in a yellow box under the link), if they don’t match, its likely to be a malicious email.
While it seems obvious, receiving an email asking for urgent action can cause unnecessary stress and immediate response. If you receive an email from a company or service provider that you are not affiliated with, delete the email immediately.
Over the past week alone, the team at Synapse have received a number of phishing emails. If you receive any of the following emails, do not click on any links and delete them immediately:
Taking the above tips into account, you should be able to confidently differentiate a legitimate email from one attempting to steal your personal data. If you're still unsure about a particular email, feel free to give the team at Synapse a call on 1300 903 405.