Google Drive Phishing Scam
You can usually tell a legitimate Google notification from a phishing scam by reading the embedded URL’s domain name—a message that redirects you to a non-Google address is sure to be a scam. However, a sophisticated phisher has come up with a method of stealing Google login information by using the company’s own servers against it.
Security firm Symantec discovered the phishing attempt and reported the incident on its blog. The new scam comes in an email with the subject line “Documents” and encourages you to click on an included link to check out an important message on Google Drive.
The link leads to a login page hosted on a bona fide Google website URL, complete with Secure Sockets Layer (SSL) authentication, making the page seem even more legitimate. The login prompt is identical to that of a legitimate Google site, inviting you to sign in for “One account. All of Google.” Those who log in get redirected to an actual Google Docs document, making the whole process seem legitimate.
Of course, the document isn’t the point; the point is that the phishers now have access to your Google account credentials. This gives them access to Google Drive documents, private email, and—perhaps most alarming—payment information for Google Play.
The scam works because the fake document is actually hosted on Google Drive. Combined with the convincing login page, this scam could theoretically fool the tech savvy as well as the uninformed.
Still, cautious people would spot a few red flags in this otherwise clever scam. First of all, the email itself does not come from an official Google email address, even if its display name indicates otherwise. Clicking on links embedded in emails is also generally a bad practice, although in this case, even copying and pasting the link would still bring you to a “verified” Google page.
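The two red flags above can be checked mechanically. The following is an added example, not code from Symantec or the original article: it parses a raw email, flags a From header whose display name claims Google while the address domain does not, and lists link hosts, treating a first-party link as something that does not clear a message with a spoofed sender. The sample message, its domains and the first-party domain list are constructed for the example.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "google"
# Assumption: the domains we accept as first-party for a "Google" sender.
BRAND_DOMAINS = ("google.com", "googlemail.com")

def _is_brand_domain(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def sender_mismatch(raw_message):
    """True when the From display name claims the brand but the address domain is not first-party."""
    display, address = parseaddr(email.message_from_string(raw_message).get("From", ""))
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    return BRAND in display.lower() and not _is_brand_domain(domain)

def link_hosts(raw_message):
    """Hostnames of every http(s) link found in the text parts of the message."""
    msg = email.message_from_string(raw_message)
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in parts if p.get_content_maintype() == "text")
    hrefs = re.findall(r'https?://[^\s"\'<>]+', body)
    return sorted({urlparse(h).hostname or "" for h in hrefs})

def triage(raw_message):
    """Combine both signals; a link on a brand domain is not proof that the mail is genuine."""
    mismatch = sender_mismatch(raw_message)
    hosts = link_hosts(raw_message)
    offsite = [h for h in hosts if not _is_brand_domain(h)]
    if offsite:
        verdict = "suspicious: link to non-brand domain"
    elif mismatch:
        verdict = "suspicious: brand display name from non-brand sender, links are first-party"
    else:
        verdict = "no red flags from these two checks"
    return {"sender_mismatch": mismatch, "link_hosts": hosts, "verdict": verdict}

# Constructed sample modelled on the lure described above (addresses and path are placeholders).
SAMPLE = """From: "Google Drive" <share-notice@drive-alerts.example>
To: victim@example.net
Subject: Documents
Content-Type: text/html

<p>Please view the important document on Google Drive:</p>
<a href="https://docs.google.com/placeholder-path">Open document</a>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```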
If you get an email message purporting to come from a big organization such as Google, it’s generally a good idea to check the content of the email against the company’s official blog or Twitter feed. Always better safe than sorry.