This week we learned of a new Gmail phishing attack that is sophisticated, ingenious and is going to compromise a lot of Gmail accounts. Read the Forbes story This Gmail Phishing Attack Is Fooling Even Savvy Users and then share either this blog post or that story with those you know who might be using Gmail. (This would be great for your law firm to share via social media.)
As I noted, this one is very impressive. When the attackers compromise a Gmail account, they immediately raid it and then send new phishing emails from the compromised account to people in that user’s Contacts or Inbox. Since they have access to everything in the account, they reuse the subject line of a real email the victim actually sent to that recipient as the subject line of the phishing email. Devilishly clever. Someone you have corresponded with gets an email from you whose subject line matches a recent email discussion between you. The recipient is understandably more likely to open the attachment and then enter the requested information.
You can read in Forbes about the clever trick they use to make the login appear legitimate by loading “a full web page worth of code into the browser’s address bar.”
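The Forbes quote above is the whole technical point: the sign-in page looked right because of what was showing in the address bar, not because of where the page was served from. As an added example (not code from this post, from Forbes, or from Google), here is a small check of the kind a browser extension or a security-awareness tool could run on the address-bar text: it passes only a genuine https URL whose host is exactly accounts.google.com and rejects everything else. It assumes that the real sign-in page is served from https://accounts.google.com and that the spoof works by putting page markup into the address bar behind a Google-looking string; the sample inputs are constructed for illustration, not captured from the attack.

```python
"""Address-bar sanity check for Google sign-in pages.

Added example, not from the original blog post. Assumptions: the genuine
sign-in host is accounts.google.com, and a spoofed page shows up as a
non-https scheme (inline page content) or a lookalike host. Sample inputs
below are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Hosts we accept as the real Google sign-in origin (assumption for the example).
GENUINE_HOSTS = {"accounts.google.com"}


def classify_address_bar(text: str) -> tuple[bool, str]:
    """Return (is_genuine, reason) for the text shown in the address bar.

    Only an https URL whose host is exactly a known sign-in host passes.
    Any other scheme (data:, javascript:, http:, or no scheme at all) fails,
    as does a lookalike host or a URL that merely contains the real hostname
    somewhere other than the host position.
    """
    parts = urlsplit(text.strip())
    scheme = parts.scheme.lower()
    if scheme != "https":
        # e.g. data:text/html,... : the browser is rendering inline content,
        # not a page it fetched from Google, however the text begins.
        return False, f"scheme is {scheme or 'missing'!r}, not https"
    if "@" in parts.netloc:
        # user@host syntax: the part before '@' is ignored by the browser,
        # so a genuine-looking name there proves nothing.
        return False, "URL carries userinfo (something@host); real host is after '@'"
    host = (parts.hostname or "").lower()
    if host not in GENUINE_HOSTS:
        return False, f"host {host!r} is not a known Google sign-in host"
    return True, f"https origin {host}"


# Constructed sample address-bar contents (not real captures).
SAMPLES = {
    "genuine": "https://accounts.google.com/ServiceLogin?service=mail",
    # Inline page content padded so only the Google-looking prefix is visible.
    "inline_page": "data:text/html,https://accounts.google.com/ServiceLogin"
    + " " * 40
    + "<h1>Sign in</h1>",
    "lookalike_host": "https://accounts.google.com.evil.example/ServiceLogin",
    "plain_http": "http://accounts.google.com/ServiceLogin",
}


def check_samples() -> dict[str, bool]:
    """Run every constructed sample through the check; only 'genuine' should pass."""
    return {name: classify_address_bar(url)[0] for name, url in SAMPLES.items()}


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        ok, why = classify_address_bar(url)
        print(f"{name:15} {'OK ' if ok else 'BAD'} {why}")
```

The design choice worth noticing is that the check parses the address-bar text with a real URL parser and looks at the scheme and host fields, rather than searching the text for "accounts.google.com". Substring matching is exactly what the padded inline page defeats; parsing is not.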
I get these phishing emails all the time. Just yesterday, members of an American Bar Association group I belong to received an email with a “contract” from the ABA. The attachment appeared to be a normal PDF, but luckily, as you can see below, the email itself was not very persuasive. ABA staff quickly followed up with a warning.
This story is getting media coverage, but I wanted to make sure you take away the main lesson: this one was too good. You can no longer be certain you won’t fall for one of these scams.
This is the strongest case you will find for using two-factor authentication. If you have it set up on Gmail, this exploit accomplishes nothing because the bad guys don’t have your phone or fingerprint. And when you next regularly change your password, they will no longer have your password either. If you don’t have two-factor authentication enabled, then they have access to your entire Google account, including Gmail (with perhaps receipts from your online shopping), Google Wallet, documents you have stored in Google Drive, Google Calendar entries, photos in Google Photos and your YouTube account. What risk this entails for you depends on how much you use Gmail or Google services.