Gmail users were hit with a new phishing scam
Cybercriminals are getting better at tricking people into handing over sensitive information and personal data.
The latest attempt saw scammers tricking customers using Google's hugely-popular email service into clicking on fake links, which would then allow criminals to steal their personal information.
Victims were targeted via an email to their Gmail account, which sometimes included an attachment or image – and might have appeared to come from a contact or company they'd recognise.
The latest phishing scam was so sophisticated that even experienced and tech-savvy Gmail users were falling for it, explained Mark Maunder, CEO of WordPress security plugin Wordfence.
When the fraudulent URL is clicked, it loads a webpage that looks terrifyingly similar to the Gmail login portal.
However, the online login is actually a fake portal designed by hackers to steal your email address and password – giving them full access to your account.
Worse still, once you've entered your details into the fake login page – and allowed hackers access to your account – they can then use your email address to spread the scam even further by sending the same phishing email to all of your contacts.
Those who use the same email address and password combination across online services will also have inadvertently allowed hackers access to those services, too.
One in four Britons have been affected by an online hack during the past year, recent research by Norton by Symantec demonstrated.
It is important to enable two-factor authentication on your Gmail account
Millennials and frequent travellers are particularly popular targets for online criminals, it added.
Overall, cybercrime costs UK consumers around £1.8 billion a year, showing the huge potential risk to users across the country.
How To Avoid Phishing Scams Online
There are a number of steps you can take to try to avoid online phishing scams.
For example, it was possible to identify the latest Gmail scam from the URL of the fake login page.
Make sure you are not caught out by double-checking that the address you are using to log in has nothing before the hostname, in this case "accounts.google.com", other than the usual "https://".
The latest scam used a clever technique involving a data URL (an address that begins "data:" rather than "https://").
That meant those who clicked the link in the email (which looked like a genuine Gmail web address) were shown an address bar whose contents were a world apart from what they should be.
Although the URL looks genuine, clicking on the address bar reveals a fake site
A data URL allows cybercriminals to put a legitimate-looking web address at the start of the address bar, followed by a chunk of white space which hides the real, malicious content of the page.
Make sure that the web address field in your web browser is displaying the green padlock symbol, bearing in mind that the padlock only confirms the connection is encrypted, so the hostname still needs checking.
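As an added illustration of the checks just described (this is example code, not part of the original article and not a Google tool), the following JavaScript classifies the text shown in a browser's address bar before a password is typed: it rejects "data:" addresses, white-space padding, plain http, and any hostname other than accounts.google.com. The sample addresses, including the spoofed data URL and the lookalike domain under example.net, are constructed for the example.

```javascript
// Added example, not code from the article. Runs under Node.js 18+ or in a
// browser console: both provide the global URL class used below.

// The only hostname a genuine Gmail sign-in page should show (from the article).
const EXPECTED_HOST = "accounts.google.com";

// Constructed sample of the spoofed address the article describes: a data: URL
// whose body opens with a convincing-looking Google address, padded with white
// space so the real content scrolls out of view. Placeholder content only.
const SPOOFED_ADDRESS =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" +
  " ".repeat(80) +
  "<!-- fake login page would be here -->";

/**
 * Classify the text shown in the browser address bar before a password is typed.
 * Returns { ok, code, reason } where `code` is a short machine-readable verdict.
 */
function checkLoginUrl(addressBarText) {
  const text = String(addressBarText).trim();

  // A data: URL carries the whole page inside the address itself; a real login
  // page is served from a host, never embedded in the address bar.
  if (/^data:/i.test(text)) {
    return { ok: false, code: "data-url", reason: "page is embedded in the address (data: URL)" };
  }

  // Literal white space never appears in a genuine address; the scam relies on
  // it to push the real content out of view.
  if (/\s/.test(text)) {
    return { ok: false, code: "whitespace", reason: "address contains white space padding" };
  }

  let url;
  try {
    url = new URL(text);
  } catch (e) {
    return { ok: false, code: "unparseable", reason: "text is not a valid URL" };
  }

  // Require TLS: the padlock / https:// is what the article tells readers to look for.
  if (url.protocol !== "https:") {
    return { ok: false, code: "not-https", reason: `scheme is ${url.protocol} not https:` };
  }

  // Exact hostname match: "accounts.google.com.example.net" is a lookalike, not Google.
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, code: "wrong-host", reason: `host is ${url.hostname}, expected ${EXPECTED_HOST}` };
  }

  return { ok: true, code: "ok", reason: "https and hostname match" };
}

// Stand-alone demonstration over constructed sample addresses.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  SPOOFED_ADDRESS,
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.net/ServiceLogin", // constructed lookalike
];
for (const s of SAMPLES) {
  const v = checkLoginUrl(s);
  console.log(`${v.ok ? "OK  " : "WARN"} ${v.code.padEnd(11)} ${s.slice(0, 60)}`);
}
```

The hostname comparison is deliberately an exact match rather than "contains google.com", because a lookalike such as accounts.google.com.example.net would pass a substring test but fails here.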
Even better still, you can enable two-factor authentication for your Gmail account – and other online accounts that support it.
This security extra means that should you get fooled by one of these online scams, the online hacker will still be unable to log into your account using just your email and password.
When you activate two-factor authentication on your Gmail account, you will need to enter your email and password as usual. Google will then send a new code to your phone via text, voice call, or its mobile app.
Two-factor authentication makes your account much stronger
Or, if you have a Security Key, you will need to insert that into your machine's USB port during the sign-in to authenticate that it is you.
Google said, "We advise people to be careful anytime you receive a message from a site asking for personal information.
"If you get this type of message, don’t provide the information requested without confirming that the site is legitimate.
"If possible, open the site in another window instead of clicking the link in your email. You can report suspicious messages directly to us.
"Google will never send unsolicited messages asking for your password or other personal information."
What To Do If You Have Clicked On The Scam
First things first, you should probably change the password associated with your Gmail account – and any other online account that uses the same email/password combination.
To do that, sign in to the My Account page at Google.com.
In the Sign-in & Security section, select Signing in to Google > Password. Type your current password and your new password.
Select Change Password.
Always create a unique password for every one of your online accounts.
For example, take the first letter of each word in your favourite song lyric, phrase or poem – and use those letters, which appear like a random jumble, as your password.
A password manager is another way to generate and securely store unique passwords with letters, symbols and numbers.
Google said, "We’re aware of this issue and continue to strengthen our defences against it.
"We help protect users from phishing attacks in a variety of ways, including: machine learning based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection."