Identifying and Eliminating Deceptive Email Messages
In recent times, a series of phishing emails claiming to be from Google have been circulating, preying on unsuspecting users. These scams attempt to trick recipients into granting access to their Google accounts, often by exploiting a sense of urgency and fear.
One such scam claimed that the recipient had been served a 'subpoena' to grant Google permission to 'produce a copy of your Google account content.' However, it's essential to remember that Google would never request such sensitive information via email.
To help identify these phishing attacks, it's crucial to be aware of the context. Genuine Google alerts are triggered by specific account-related events such as a login from a new device, unusual login locations, password changes, or security setting modifications. If you receive a "security alert" but haven't experienced any of these triggers, the alert may be suspicious.
Moreover, be wary of the delivery method. Real Google alerts come through official Google channels such as your registered email or Google app notifications, never via unsolicited phone calls or third-party phone numbers.
Phishing emails may contain fraudulent phone numbers or link URLs that impersonate Google but lead to credential theft if clicked or called. Additionally, Gmail’s AI summarization tool, Gemini, has been exploited by attackers inserting hidden commands that prompt the AI to generate fake but seemingly legitimate Google security alerts within email summaries.
To protect yourself, do not trust security alerts at face value. Always verify alerts by logging into your Google account directly via a trusted browser or Google app rather than clicking links or calling numbers from emails or summaries. It's also advisable to avoid using Gmail’s "summarize email" feature until vulnerabilities are resolved.
Enabling two-factor authentication (2FA) adds an extra layer of security to your account, making unauthorized access more difficult. Regularly review your Google account activity and security settings to check for unfamiliar devices, locations, or changes to recovery options.
Education and awareness are key in preventing these attacks. Chums, a cybersecurity company, has launched a campaign to raise awareness about evolving scam tactics and new technologies scammers exploit. They recommend verifying with the company, looking for spelling errors, and double-checking the sender.
If you are unsure about a message or email that asks you to do something, the best course of action is to double-check by contacting the person or business directly. If you believe you are the target or victim of fraud, report the scam to the authorities. Suspicious emails can be forwarded to [email protected], and suspicious text messages can be reported to 7726.
In light of the rise of AI and deepfakes, it's more important than ever to stay vigilant and protect your online accounts. By following these tips and best practices, you can help defend against these sophisticated phishing campaigns targeting Google users.
[1] Keoghs, Case Report, 2022 [2] Chums, Phishing Awareness Campaign, 2022 [3] National Cyber Security Centre (NCSC), Phishing Statistics, 2022
- To safeguard personal information and accounts, it's essential to be alert during cybersecurity events, and accurately identify phishing attacks by verifying Google alerts directly via the Google account, checking for account-related triggers, and verifying the delivery method to avoid clicking on fraudulent links or responding to unsolicited phone calls.
- In the realm of education-and-self-development, onboarding cybersecurity awareness is crucial in the fight against phishing campaigns. Cybersecurity companies like Chums are launching initiatives to inform the public about updated scam tactics and technologies that scammers use to deceive innocent users, emphasizing the importance of double-checking messages, verifying sending addresses, and contacting the supposed sender directly when in doubt.
