4 Dec 2019 by Mike Weaver
A recent Google phishing scam hit the headlines after a number of Gmail users had their accounts compromised by a worryingly sophisticated email scam. Users were tricked into clicking a link in an email that took them to a genuine Google account selection screen; after they selected their account, a “Google Docs” window appeared, requesting permission to read, send and manage their email.
Once the user granted “Google Docs” that permission, it became clear that the “document” had been published by a random Gmail account, and the holder of that account now had access to the victim’s mailbox. What looked like “Google Docs” was in fact a malicious third-party web app, so the scammers could read the victim’s email and send further scam emails from the victim’s account.
The most worrying aspect of this phishing scam was that it worked entirely within the genuine Google login flow: it bypassed two-factor authentication, and there was nothing to identify it as fake until after the link had been clicked. The scam took advantage of the fact that third-party applications can be registered under the name “Google Docs”, and because it never asked victims to type in their passwords, the usual anti-phishing measures did not block it.
The scam exploited Open Authorisation (OAuth). OAuth lets a resource owner tell a resource provider that a third party may access their information on their behalf. An example would be Facebook (the resource provider) being notified that you (the resource owner) are allowing a third party (a Facebook application) to access your information (your friend list). A multitude of online services use OAuth, and it is impossible to vet every third-party application that relies on it.
Fortunately, Google detected and dealt with the scam within an hour. A company statement assured users of the following:
</gre_replace>
<gr_insert after="7" cat="add_content" lang="python" orig="The scam exploited">
Because a consent-phishing app never touches the password, the place to look for it is the list of OAuth grants each user has approved. The following audit script is an added example, not code from the original post or from Cogmotive; the grant records, the scope names and the publisher domains it treats as first-party are all constructed assumptions. It flags grants whose app name impersonates a first-party product but whose publisher is not the provider, and grants that give a third party mailbox-level access.

```python
"""Audit OAuth grants for apps that impersonate a first-party product.

Added example, not from the original post. The grant records below are
constructed sample data; in practice they would come from the provider's
admin audit export. Scope and domain names are hypothetical.
"""
from dataclasses import dataclass, field

# Scopes treated as high risk because they grant mailbox access (hypothetical names).
SENSITIVE_SCOPES = {"mail.read", "mail.send", "contacts.read"}
# Product names that only the resource provider itself should be allowed to use.
PROTECTED_NAMES = {"google docs", "google drive", "gmail"}
# Publisher domains assumed to belong to the resource provider.
PROVIDER_DOMAINS = {"google.com"}


@dataclass
class Grant:
    user: str
    app_name: str
    publisher: str          # email address of the account that registered the app
    scopes: set = field(default_factory=set)


def publisher_domain(publisher: str) -> str:
    """Domain part of the publisher address, lower-cased."""
    return publisher.rsplit("@", 1)[-1].lower()


def audit_grant(grant: Grant) -> list:
    """Return a list of findings for one grant (empty if nothing is suspicious)."""
    findings = []
    # Normalise case and whitespace so 'Google  Docs' still matches 'google docs'.
    name = " ".join(grant.app_name.lower().split())
    first_party = publisher_domain(grant.publisher) in PROVIDER_DOMAINS
    if name in PROTECTED_NAMES and not first_party:
        findings.append(f"'{grant.app_name}' impersonates a first-party product "
                        f"(published by {grant.publisher})")
    risky = grant.scopes & SENSITIVE_SCOPES
    if risky and not first_party:
        findings.append(f"third-party app holds sensitive scopes: {sorted(risky)}")
    return findings


def audit_all(grants) -> dict:
    """Map each user to the findings raised by their grants."""
    report = {}
    for g in grants:
        if findings := audit_grant(g):
            report.setdefault(g.user, []).extend(findings)
    return report


SAMPLE_GRANTS = [  # constructed sample data
    Grant("alice@example.com", "Google Docs", "apps@google.com", {"mail.read"}),
    Grant("alice@example.com", "Google  Docs", "someone@gmail.com", {"mail.read", "mail.send"}),
    Grant("bob@example.com", "Expense Tracker", "dev@tracker.example", {"profile"}),
]
```

Running `audit_all(SAMPLE_GRANTS)` reports only Alice's second grant: the genuine first-party app and Bob's low-privilege app raise nothing.
<test>
assert audit_grant(SAMPLE_GRANTS[0]) == []
assert len(audit_grant(SAMPLE_GRANTS[1])) == 2
assert audit_grant(SAMPLE_GRANTS[2]) == []
assert set(audit_all(SAMPLE_GRANTS).keys()) == {"alice@example.com"}
assert len(audit_all(SAMPLE_GRANTS)["alice@example.com"]) == 2
assert publisher_domain("Someone@Gmail.com") == "gmail.com"
</test>
</gr_insert>
<gr_replace lines="13-14" cat="clarify" orig="This list is by">
This list is by no means exhaustive—phishing scams have become increasingly convincing, and scammers are always devising new ways to catch unsuspecting users. Email phishing is the number one delivery vehicle for malware: in 2015, 85% of organisations were victims of phishing attacks and 30% of phishing emails were opened! Developing the intuition to spot scams is an excellent way to protect yourself and others from losing personal information and other sensitive data.
But however vigilant you are when inspecting your email, mistakes do happen, and the most convincing scams often fool even the savviest tech users. Our next post will cover the steps to take should your organisation fall prey to a phishing scam, with tips on how to locate the affected account and investigate what data has been accessed.
The scam ultimately affected around 0.1% of Gmail users, which equates to about one million users out of Gmail’s one billion active users.
Phishing scams of this scale are relatively rare, and therefore make headline news. However, phishing attacks are all too common and it’s worth taking preventative measures to ensure that your account isn’t compromised.
How to Protect Yourself from a Phishing Scam
Phishing emails are typically designed to fool the victim into giving away their personal information, or installing malicious software. Luckily, there are a few easy ways to spot a phishing scam:
This list is by no means exhaustive—phishing scams have become increasingly convincing, and scammers are always evolving new ways to hit unsuspecting users. Email phishing is the number one delivery vehicle for malware, and in 2015, 85% of organisations were victims of phishing attacks and 30% of phishing emails were opened! Having the intuition to spot scams is an excellent way to protect yourself and others from losing personal information and other sensitive data.
But regardless of how vigilant you might be when inspecting your emails, mistakes do happen and the most convincing scams often fool even the savviest of tech users. Our next post will cover the next steps should your system fall prey to a phishing scam, with tips on how to locate the affected account, and investigate what data has been accessed.