Don't Fall for This Google Drive Phishing Scam
A sophisticated phisher has come up with a method of stealing Google login information by using the company's own servers against it.
Usually, you can tell a legitimate Google notification from a phishing scam by reading the URL's domain name — a message that redirects you to a non-Google address is sure to be a scam. However, a sophisticated phisher has come up with a method of stealing Google login information by using the company's own servers against it.
Sunnyvale, Calif.-based security firm Symantec discovered the phishing attempt and reported the incident on its blog. The scam comes in an email titled "Documents," and encourages users to click on an included link to check out an important message on Google Drive.
MORE: 13 Security and Privacy Tips for the Truly Paranoid
This link leads to a login page hosted on a bona fide Google URL, complete with secure sockets layer (SSL) authentication. The login prompt is identical to that of a real Google site, inviting users to sign in for "One account. All of Google." Those who log in get access to a Google Drive document which says nothing of great import.
Of course, the document isn't the point; the point is that the phishers now have access to a user's Google account. This gives them access to Google Drive documents, private email and, perhaps most damning, payment information for Google Play.
The trick works because the lure document is actually hosted on Google Drive. Combined with the convincing login page, this trick could theoretically fool the tech-savvy as well as the uninformed.
Still, cautious users would still spot a few red flags in this otherwise-clever scam. First of all, the email itself does not come from an official Google email address, even if its preferred display name indicates otherwise. Clicking on links embedded in emails is also generally a bad practice, although in this case, even copying and pasting it would still bring a user to a "verified" Google page.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
If you get an email message purporting to come from a big organization such as Google, it's generally a good idea to check the content of the email against the company's official blog or Twitter feed. A company will rarely institute policy changes without informing its users on a grand scale.
Don't feel too bad if you got taken in by this one, but do change your password as soon as possible, and consider implementing two-step authentication for your Google account.
Follow Marshall Honorof @marshallhonorofand on Google+. Follow us @tomsguide, on Facebook and on Google+.
Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.