Phishing Scams: Don’t Take the Bait


Phishing (verb)
To try to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization but contains a link to a fake website that replicates the real one.

Most savvy internet users today are aware of your standard phishing schemes and aren’t likely to be taken in by a Nigerian prince offering millions or a British lawyer giving up a cut of an unclaimed inheritance, but recent events proved that we’re still not immune to modern phishing tactics.

On May 3rd, 2017, an email with a link to a shared Google Doc started making its rounds in Gmail inboxes across the country. The messages usually came from a trusted (or at least recognized) contact and included a link to what appeared to be a legitimate Google Docs sign-in. In fact the link led to a genuine Google authorization page for a third-party app that had named itself "Google Docs"; clicking "Allow" gave the scammers access to the recipient's mail and contacts without a password ever being typed or stolen. The app then used that access to resend the message to everyone the victim had ever emailed, which is why the scam spread so rapidly.

Google was quick to take action and resolve the situation, releasing the following statement:
We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.

Because of the seemingly official nature of the emails, it’s understandable how people fell victim to the attack. For many of us, we send and receive documents daily and frequently use sharing services like Google Docs to make collaboration easier. But how do we protect ourselves against phishing scams or viruses that initially appear legitimate? We’ve got a few suggestions.

  • Never open attachments from someone you don’t know. This should go without saying, but it is the first rule of protecting yourself from potential fraud. If you’re not familiar with the sender, don’t open the file.
  • If a contact sends you an unexpected document or link, follow up with that person before opening it to confirm that it’s legitimate. Last week’s messages came from people the recipients knew, so a familiar sender is not proof of anything. It doesn’t take long to send an email or make a call to confirm that the original sender intended for you to receive and open a file, and it will help protect your computer and confidential information from hackers.
  • Don’t buy into unsolicited services without vetting them first. If you receive an email offering up scary statistics about your website’s SEO position and promising to resolve any issues you might have for a monthly fee, disregard the email. Most of the time these are scam messages from individuals or unreliable businesses that may either hijack your website or charge you hundreds of dollars each month and hold your site hostage, making it nearly impossible to cancel the service. Be wary about doing business with anyone who is using a free email service for their business unless you know the company is legitimate.
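Double-checking a link before you click it is easier with a little help. The script below is an added example written for this post, not something Google or the original author published. It inspects a URL the way a careful reader would: is the host really a Google domain (and not a look-alike such as docs.google.com.something.else), is there a user@ trick hiding the real host, and, for a Google authorization link like the one in last week’s scheme, where does the permission actually go and what is being asked for. The trusted-domain list, the sample links and the domains in them are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Domains (plus their subdomains) treated as genuinely Google's.
# Assumption for this example; extend it for your own organisation.
TRUSTED_SUFFIXES = ("google.com", "googleapis.com")


def host_is_trusted(host):
    """True only for a trusted domain or one of its subdomains.

    'docs.google.com' -> True, but 'google.com.evil.example' -> False,
    because the suffix test is applied on a dot boundary.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def inspect_link(url):
    """Return a list of warnings for a URL; an empty list means nothing looked off."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    if parts.scheme != "https":
        warnings.append(f"not https (scheme is '{parts.scheme or 'none'}')")

    if parts.username is not None:
        # https://accounts.google.com@evil.example/ : the browser ignores everything
        # before the '@', so the familiar name is bait and evil.example is the host.
        warnings.append(f"credentials in URL; real host is '{host}', not '{parts.username}'")

    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode hostname (possible look-alike of a familiar name)")

    if not host_is_trusted(host):
        warnings.append(f"host '{host}' is not a trusted Google domain")

    # An OAuth consent link is served by Google itself, so the host check passes.
    # What matters is where the grant is sent afterwards and what it asks for.
    query = parse_qs(parts.query)  # parse_qs already percent-decodes values
    if host_is_trusted(host) and "redirect_uri" in query:
        redirect_host = urlsplit(query["redirect_uri"][0]).hostname or ""
        if not host_is_trusted(redirect_host):
            warnings.append(f"OAuth consent page sends the grant to '{redirect_host}', a third party")
        scopes = query.get("scope", [""])[0]
        if "mail.google.com" in scopes or "gmail" in scopes:
            warnings.append("requests full Gmail access")
    return warnings


# Constructed sample links; the domains are invented for this example.
SAMPLE_LINKS = {
    "real share": "https://docs.google.com/document/d/abc123/edit",
    "lookalike": "https://docs.google.com.secure-login.example/open",
    "userinfo": "https://accounts.google.com@docs-share.example/login",
    "oauth_worm": (
        "https://accounts.google.com/o/oauth2/auth?client_id=12345.apps.googleusercontent.com"
        "&scope=https%3A%2F%2Fmail.google.com%2F%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
        "&redirect_uri=https%3A%2F%2Fgoogledocs.share-invite.example%2Fcallback"
        "&response_type=code"
    ),
}

if __name__ == "__main__":
    for name, link in SAMPLE_LINKS.items():
        found = inspect_link(link)
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

The "oauth_worm" entry is the instructive one: its host really is accounts.google.com, so a plain "is this Google?" check passes, and only reading the redirect_uri and scope parameters shows that a third party is asking for full mailbox access. That is the same information the consent page shows you before you click "Allow".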

If you do happen to fall victim to a scam like last week’s Google Docs scheme, there are a few precautions you should take right away. First, revoke the scammers’ access. In that scheme no password was stolen; the scammers kept access through the permission the victim granted, and they keep it until that permission is removed. Open the list of third-party apps connected to your Google account (in the account’s security settings) and remove any app calling itself “Google Docs” (Google’s own Docs does not need such a permission) along with anything else you don’t recognize. Second, change any passwords associated with your account, and if you’ve used that password for other accounts, especially ones associated with that email address, change those as well. (We highly recommend never reusing passwords across multiple accounts for this very reason.) Also, if you’re using Gmail, set up two-factor authentication, which protects your account even if your password is stolen. Two-factor authentication requires you to enter a second code when you sign in to a Google account from a new machine; Google can send that code by text message, but an authenticator app or a hardware security key is harder for a scammer to intercept. Keep in mind that two-factor authentication would not have stopped the Google Docs scheme, because the victim never typed a password at all: the defense there is to read what an app is asking permission for before clicking “Allow”. You can sign up for two-factor authentication here.

Finally, be sure to report the phishing scheme to your email provider if you do click on anything suspect so they can take steps to not only protect your account, but other accounts as well. For Gmail users, you can report phishing scams here.

As much as we wish such precautions weren’t necessary, we want to make sure you’re informed and protected against any potential threats to your confidential information. Always remember, when in doubt, err on the side of caution, double check sources before you open attachments or links and use strong, secure passwords to protect yourself and your colleagues.