Beware of fake Google sign-in scam

Posted on by josh

TL’DR: A link contained in a popular email scam posing as a fake Google sign-in page could result in your account being compromised.  If you become a victim of such a scam, change your passwords.  Use secure passwords as a general security practice.  Enable 2-Factor authentication wherever possible.  Check your Google Activity Dashboard regularly.

The Scam

There is a common scam E-mail going around that ultimately will trick you into providing your email username and password. It will usually come from someone who has already been hijacked, so it will appear to be legitimate, but it may come from a random address as well. The email will usually have a subject like “Document” or “Invoice” and the body will say that they are sending you a document via Google Docs with a link that will take you to the document.  Clicking the link will take you to a login page that looks identical to a Google sign in page.  There is practically no way to tell the difference. When you enter your log in info and click sign in your credentials are sent to the hacker, giving full access to your account and you are then directed to a Google Doc which prevents you from realizing anything suspicious has happened. With your credentials, they can now use your account to send emails as yourself, steal your contacts, view your documents or other data you may have in Google Drive, access your Google Wallet account (used for payments on the Play Store and more), etc.

This type of scam not only affects Google users.  The same concept could be used for any online service.  And if you use the same password for everything, then other accounts could be compromised as well.

signin-compare

Identifying the scam

One thing to remember that may help you identify this scam is that if you are already signed into Google, you will usually not be presented with an empty sign in page like that. Instead you would get a page with your email already displayed on the page (not in a text box) along with your profile picture (if you have one).

The URL can sometimes be manipulated to appear legitimate, but most of the time it can be very useful in identifying a scam like this.  On a legitimate Google Sign-in page, the URL at the top of the page will look like this:

Legitimate Google sign-in URL

Note the “https” which indicates this is a secure page.  Also note the green padlock.  This is important as it means that the URL of the page matches the security certificate and the security certificate is in good standing.  A forged login page will usually be an unsecured “http” connection without a padlock.  And a page with an invalid certificate will usually be very easy to identify since all browsers will initially block the page from loading.  If the URL is not as pictured above, then it is not a legitimate login page for Google.

The Fix

In case you do end up falling victim to a scam such as this or if you ever feel that your password may have been compromised, the very first thing you need to do is change your password.  In addition to changing your email password, you also need to consider what other accounts may have been compromised.  If you use the same password on multiple sites, then you should change all of them.  Also consider what information may have been made available to someone while they had access to your account.  Do you have documents with personal information in them such as credit cards stored in plain text.  If so, those should be replaced.  Do you have a spreadsheet with all of your accounts and passwords?  If so, they should all be changed immediately.

You should also have 2-factor authentication enabled on your account to prevent these kinds of attacks.  I’ll provide more information about this in the following section, “Secure yourself”.

Secure yourself

The best way to really help protect yourself from these kinds of scams is to enable 2-Factor Authentication (also known as 2-step verification, Multi-factor authentication, and other similar names).  2FA adds an extra layer of security to the sign-in process by requiring an extra code that comes from a pre-configured source.  For example, you can setup 2FA so that a verification code is sent via text to your cell phone number.  When signing in from an unrecognized device, a code will be sent and must be entered before the sign-in can be completed.  With 2FA, a username and password alone is not enough to login to your account.  You can enable 2FA by going to https://myaccount.google.com.  Then click on “Sign-in & Security”.  Scroll down and look for “2-step verification” on the right hand side of the page.

You can setup multiple forms of 2FA.  For example, I primarily use the Google Authenticator app on my phone, but I also have configured codes via text to my cell phone as a backup.  And as an even last resort backup, I’ve printed out 10 backup codes that can be used if ever I lose access to my other forms of verification (ie. lose my phone) and I keep these in my wallet just in case I ever need them.  Each backup code can be used 1 time only and can be revoked or replaced anytime.

Most online services now offer some form of 2FA.  I highly recommend that you enable this wherever possible.

In addition to enabling 2FA, it is always a good idea to use a good secure password.  Depending on who you talk to, you will get various answers as to what makes a good password.  Most sites now have at least basic requirements that your password must meet and some will even rate your password and require at least a medium strength password.  I recommend using all of the character types in your password: upper case, lower case, numbers, special characters (ie. !, $, *, ^, etc.).  It is also good practice to not use dictionary words.  This includes any word that may be found in an actual dictionary, but also names.  If you do prefer to use words, then use the practice of “leetspeak”.  That is to swap letters for numbers.  For example you could use a 3 in place of an E, or a $ in place of an S.  Personally, I use Roboform (http://www.roboform.com) to generate and store my passwords.  I use a different password for everything and most of them are created using Roboform’s password generator.  It is a customizable on-the-fly password generator for creating completely random passwords using any desired combination of characters and a specified length.  Obviously, no matter how good your password is, in a scam like this your password would be compromised.  This is just my recommendation for good security practice.

Another good practice with Google accounts is to check your Google Activity Dashboard regularly.  Google logs every sign-in to your account and also provides an overview of all the data you have in Google.  The activity dashboard shows all of this in a single place.  If you notice anything suspicious, you should check it out and take action.  On the dashboard page you can also schedule monthly reminders to visit the dashboard.  Visit the Google Activity Dashboard here: https://www.google.com/settings/dashboard

Another great security feature offered by Google is the Google Security Check-Up.  Visit https://myaccounts.google.com and click on Security Checkup.  This will walk you through various checks to ensure your account remains secure.  I recommend going through this once every couple of months.  The checkup will verify your phone number and backup email address, display recent security changes to your account, display all devices currently connected to your account, display third party online applications that are connected to your account, display any app passwords (only if 2FA is enabled), and display your 2FA status.  At any point, you can report suspicious activity and Google will walk you through the recommend action such as changing your password or updating out-of-date information.

Leave a Reply