A new phishing campaign is making the rounds, fooling tons of Google users into giving hackers access to their Gmail accounts.

Here’s how it works.

You get an email from someone you know who has sent you a Google Doc attachment. When you click the attachment, you go to a page that looks like a Google page that asks you to give permission to access the file using your Google login info. Boom. You’ve been compromised. To add a little insult to injury, the same scam is then sent to everyone in your own contacts list.

Now you, and any of your friends who were also duped into clicking on the link, have given your account information to hackers. They can read anything sent or received through your Gmail account and retrieve or reset passwords for all of your online accounts that are connected to your Gmail account, from Facebook to your bank.

The tactic isn’t a new one, but the kicker is the apparent authenticity of the false login page. One weakness that allows for identification, though, is that the primary recipient email address is hhhhhhhhhhhhhhhh@mailinator.com. If you miss that and happened to click on the attachment, you’re still fine as long as you don’t grant permissions. You can then report is at phishing to Gmail, delete the email and forget the close brush you had with propagating an internet scam and risking the loss of everything tied to your Gmail account.

Fortunately, Google quickly found out about the scam within about an hour, in which time about a million accounts were compromised. Google took measures to protect users, so you’re safe until the next scam hits. Still, this underscores why you and your employees need to be up to date on the latest in internet security.

Comments are closed.