Why do phishing attacks work so well? I don’t think cybercriminals are smarter than the average end user, but they are awfully good at staying one step ahead of us. Just when we think we are on to all of their tricks, they come up with a new one, even sneakier, more devious and harder to detect than the last.
A new phishing attack is targeting Gmail users and, according to a number of experts, this one is fooling even savvy users. As Robert Capps, VP of Business Development for NuData Security, explained in an email comment, the cybercriminals first compromise an inbox, then send its contacts messages that reuse subject lines and attachment file names from mail that inbox has already sent. The "attachments" appear to be PDFs, but they are actually images that, when clicked, send the victim to a fake Google login page. International Business Times described what happens next:
The user's Gmail account becomes compromised once they enter their information. After doing so, the attacker rifles through the victim's sent messages folder so that they can browse correspondence they have sent to their contacts, and pass on the scam using familiar subject lines and attachments.
One reason this phishing scam is hard to detect is that nothing about the fake page sets off the usual warning signs, and nothing alerts the user that the site is insecure. Once you sign in through the phony page, the scammers have your password and with it access to your email and the rest of your Google account. According to the IBT article, the attack is spreading quickly because the attacker can reuse messages and attachments already in the compromised account, which makes each new email look entirely legitimate to its recipient. The one reliable tell is the address bar: a genuine Google sign-in page is served over HTTPS from accounts.google.com, so a "login page" at any other address, however convincing it looks, should be treated as phishing.
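As an added example (not code from this article, from IBT or from NuData), here is a small Python check that looks for the pattern described above: an image dressed up as a document attachment that is really a hyperlink, and a link target that is not the genuine Google sign-in host. It goes a little beyond the article by also rejecting non-HTTPS and script-style URI schemes, and by catching lookalike hosts that bury the real name inside a longer one. The trusted-host list, the attachment-name hints and the two sample messages are assumptions constructed for illustration.

```python
"""Flag HTML e-mail bodies in which an "attachment" is really a hyperlinked
image leading somewhere other than the genuine sign-in host.

Added example for this article, not code from the article or from any vendor
quoted in it. The trusted-host list, the attachment hints and the two sample
messages below are assumptions constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only host a genuine Google sign-in page is served from.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

# URI schemes that should never be the target of a "sign in" link.
DANGEROUS_SCHEMES = {"data", "javascript", "vbscript", "file"}

# Filename fragments that make an image look like a document attachment.
ATTACHMENT_HINTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


class _ImageLinkCollector(HTMLParser):
    """Record (href, img src, img alt) for every <img> nested inside an <a>."""

    def __init__(self):
        super().__init__()
        self._current_href = None
        self.image_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current_href = attrs.get("href") or ""
        elif tag == "img" and self._current_href is not None:
            self.image_links.append(
                (self._current_href, attrs.get("src") or "", attrs.get("alt") or "")
            )

    def handle_endtag(self, tag):
        if tag == "a":
            self._current_href = None


def classify_link(href):
    """Return why the link target is suspicious, or None if it is acceptable."""
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme in DANGEROUS_SCHEMES:
        return f"{scheme}: URI as link target"
    if scheme != "https":
        return f"non-HTTPS scheme {scheme!r}"
    host = (parts.hostname or "").lower()
    if host in TRUSTED_LOGIN_HOSTS:
        return None
    # Lookalikes embed the trusted name inside a longer host, e.g.
    # accounts.google.com.example or accounts-google-com.example.
    flat_host = host.replace(".", "").replace("-", "")
    for trusted in TRUSTED_LOGIN_HOSTS:
        if trusted.replace(".", "") in flat_host:
            return f"lookalike host {host!r} imitates {trusted!r}"
    return f"unexpected host {host!r}"


def looks_like_attachment(img_src, alt):
    """True when the image's name or alt text is dressed up as a document."""
    text = f"{img_src} {alt}".lower()
    return any(hint in text for hint in ATTACHMENT_HINTS)


def scan_html_body(html):
    """Return [(href, reason), ...] for hyperlinked images that warrant a look."""
    collector = _ImageLinkCollector()
    collector.feed(html)
    findings = []
    for href, src, alt in collector.image_links:
        reasons = []
        if looks_like_attachment(src, alt):
            reasons.append("image styled as a document attachment is a hyperlink")
        link_reason = classify_link(href)
        if link_reason:
            reasons.append(link_reason)
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


# Constructed sample messages (not real phishing mail).
PHISH_HTML = (
    "<p>Hi, here is the contract we discussed last week.</p>"
    '<a href="https://accounts.google.com.secure-docs.example/signin">'
    '<img src="cid:thumb1" alt="Contract_2017.pdf"></a>'
)
BENIGN_HTML = (
    "<p>Sign in to view your account.</p>"
    '<a href="https://accounts.google.com/"><img src="cid:logo" alt="Google"></a>'
)

if __name__ == "__main__":
    for label, body in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html_body(body))
```

Run as a script, the phishing sample produces one finding (attachment-styled image plus a lookalike host) and the benign sample none. The host allowlist is deliberately narrow: a link to any Google property other than the sign-in host is reported as "unexpected", which is the right bias for a check that only looks at images posing as attachments.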
We should expect more phishing attacks like this one, or at least attacks that are increasingly sophisticated and more difficult to detect. As Jeff Hill, director, Product Management with Prevalent, said to me in an email statement, our reliance on email communication, the sheer volume of it, and the frenetic pace of life combine to create a superbly fertile environment for cyber attackers to exploit.
Yet, as sophisticated as the attack itself is, the defense is straightforward. Google offers multi-factor authentication (Google calls it 2-Step Verification). With it enabled, a phished password alone is not enough; the attacker also needs the second factor to get into the account. One caveat: a one-time code from a text message or an authenticator app can still be captured by a convincing fake login page and relayed to the real one, so a phishing-resistant factor such as a hardware security key, which only works on the genuine domain, is the stronger choice. Even then, you can’t ever let your guard down, as Capps told me:
It’s a sad reality that users must maintain their vigilance online by assuming we’re all working and playing in a hostile environment. The tools exist that can make these phishing attacks pointless by devaluing information that crooks are going after. It’s going to take a shift in thinking and identity verification.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba