Scammers have devised a phishing campaign aimed at taking control of victims’ Gmail accounts.
Right now they are targeting Gmail users because of the platform's popularity and size, but the same technique works against any service that sends verification codes by text message.
Here's how this phish operates:
- A scammer who knows the victim's Gmail address and mobile number starts the password reset process, which makes Google text a verification code to the victim. At the same time the scammer sends a text of his own, impersonating Google, asking whether the target requested a password reset.
- The text tells the user to reply "STOP" if they did not request the reset.
- When the target replies "STOP", the scammer instructs them to text back the 6-digit code they just received from Google, supposedly to confirm the cancellation.
- When the victim complies, the attacker enters that code into the reset flow, completes the password change and locks the target out of their own account.
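The exchange above, as an added simulation that is not part of the original post: a toy reset service (hypothetical, written for this example) in which the code is six digits, single-use, time-limited and bound to the reset session that requested it, as real services typically do. The account, phone number and text messages are constructed. The point the simulation makes is that the code is bound to the attacker's session, not to the person who types it, so once the victim relays it there is no server-side check that can tell the difference.

```python
"""Added example: simulating the reset-code relay described above.

Everything here is constructed for illustration. The service, the
account and the text messages are hypothetical; nothing is Google's.
"""
import secrets

CODE_TTL_SECONDS = 600  # assumed 10-minute validity window


class ResetService:
    """Toy account service. A reset code is 6 digits, single-use, time-limited
    and bound to the reset session that requested it. What it is NOT bound to
    is the person who types it in."""

    def __init__(self):
        self.passwords = {"victim@example.com": "old-password"}
        self.phones = {"victim@example.com": "+1-555-000-1111"}
        self.sessions = {}   # session_id -> (account, code, expiry)
        self.sent_sms = []   # (phone, text) pairs; stands in for the SMS gateway

    def start_reset(self, account, now):
        """Anyone who knows the account name can open a reset session.
        The code goes to the phone on file, not to whoever asked."""
        code = f"{secrets.randbelow(10**6):06d}"
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = (account, code, now + CODE_TTL_SECONDS)
        self.sent_sms.append((self.phones[account], f"Your verification code is {code}."))
        return session_id

    def finish_reset(self, session_id, code, new_password, now):
        """Succeeds only if the session exists, the code matches and it is
        unexpired. The session is consumed either way, so the code is single-use."""
        entry = self.sessions.pop(session_id, None)
        if entry is None:
            return False
        account, expected, expiry = entry
        if now > expiry or not secrets.compare_digest(code, expected):
            return False
        self.passwords[account] = new_password
        return True


def extract_code(sms_text):
    """The victim reads the 6-digit code out of the real SMS."""
    return next(tok.strip(".") for tok in sms_text.split() if tok.strip(".").isdigit())


def run_scam(victim_replies_with_code=True, delay=60):
    """Scripted exchange. Returns (reset_succeeded, transcript)."""
    svc = ResetService()
    victim = "victim@example.com"
    transcript = []

    # Step 1: attacker opens the reset; the real code lands on the victim's phone
    session = svc.start_reset(victim, now=0)
    phone, real_sms = svc.sent_sms[-1]
    transcript.append(("service -> victim", real_sms))

    # Step 2: attacker's spoofed text, arriving right after the real one
    transcript.append(("attacker -> victim",
                       "Google: did you request a password reset? Reply STOP if not."))
    transcript.append(("victim -> attacker", "STOP"))
    transcript.append(("attacker -> victim",
                       "To confirm the STOP request, reply with the 6-digit code we just sent."))

    if not victim_replies_with_code:
        # The attacker has nothing to type; the session simply expires unused.
        transcript.append(("victim -> attacker", "(no reply)"))
        return False, transcript

    # Step 3: victim relays the real code. Step 4: attacker uses it in HIS session.
    code = extract_code(real_sms)
    transcript.append(("victim -> attacker", code))
    ok = svc.finish_reset(session, code, "attacker-chosen", now=delay)
    transcript.append(("attacker -> service", f"finish_reset({code!r}) -> {ok}"))
    assert svc.passwords[victim] == ("attacker-chosen" if ok else "old-password")
    return ok, transcript


def replay_is_rejected():
    """A relayed code works exactly once: the attacker must act in real time,
    which is why the scam pressures the victim to reply immediately."""
    svc = ResetService()
    session = svc.start_reset("victim@example.com", now=0)
    code = extract_code(svc.sent_sms[-1][1])
    first = svc.finish_reset(session, code, "pw1", now=10)
    second = svc.finish_reset(session, code, "pw2", now=20)
    return first and not second


if __name__ == "__main__":
    ok, lines = run_scam()
    for who, text in lines:
        print(f"{who:20} {text}")
    print("account taken over:", ok)
```

Run it and the transcript ends with the attacker's session accepting the code the victim handed over. Set `victim_replies_with_code=False` and the session expires unused, which is the whole of the page's advice expressed as a branch in the code; `replay_is_rejected()` shows why the scammer needs the code right now rather than later.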
As we all know, your email address is often the gateway to everything you do online. Think about it: when you sign up for a new service (social networks, shopping, etc.) you are asked for your email address, which usually becomes your user name, that is, half of your login credentials. So once a scammer has your email address, they already hold half of the pair.
Combine that with the fact that a great many individuals use weak passwords (e.g. 1234, password, Pa$$word), all of which appear in the wordlists attackers trade and use, and guessing the other half of a person's login becomes easy, particularly with a dictionary attack.
Here comes the coup de grâce: users unwittingly assist in their own victimization by using the same email and password for multiple accounts. That one combination, tried against social networking, shopping and financial sites (credential stuffing), gives the attacker access to all of them and completes the identity theft.
Additionally, many platforms request a second verification step via email, text or an authenticator app (e.g. AuthAnvil, Google Authenticator). A social engineer will try to defeat these extra layers by getting the user to reveal the authentication codes. NEVER DO THAT.
The point of this post is not to call out Gmail or Google. It is to identify a technique scammers use to pull information out of victims in order to steal their data and/or money. Having two-factor authentication (2FA) or a vendor that adds extra security layers does not mean you can never be scammed, especially if you are talked into handing a scammer your authentication codes during an attack.
The bottom line: NEVER tell, text or email authentication codes to anyone. Google, your financial institution or social network does not need those codes to serve you and will not ask you to read them back. You either have the correct code and use it yourself to complete an action, or you don't. If you don't, the action cannot be completed. That is exactly why the scam exists: to get around this effective, additional security layer.
Phone calls or text messages asking you to verify your identity, or to approve or cancel an action, by retyping or reading out an authentication code are sure signs of a scam.
XSolutions is an Elite Partner of Datto, the world leader in Hybrid-Cloud Business Continuity solutions whose systems protect 300+ Petabytes of data with over 800 employees and 9 offices around the globe. Call (845) 362-9675 and let us introduce you to the ultimate defense against data loss—whatever the cause.