Google phishing attack as it appeared in Outlook emails

Google Phishing Attack: Now What?

Nationwide, inboxes are being scammed with what looks like a very innocent email, from a known sender. Here's why you shouldn't click, and what to do if you did.

The email will appear to come from someone you know and invite you to open a Google Doc. If you click the link, you'll be asked to log in to Google and/or give access to your contact lists and Google Drive.

By Wednesday evening, Google had disabled the accounts it found to be responsible and is taking action to prevent future attacks.

What should I do if I clicked?

Don't panic. You can reduce most collateral damage in a few steps:

Go through Google's security checkup at https://myaccount.google.com/secureaccount. You'll see your info, when your password was last changed, and which devices have logged on using your account. Here you'll be able to tell Google if something looks wrong.

Check your Account Permissions. If you see Google Docs or any other app or site you don't trust, remove it.

Turn on 2-Factor Authentication by going to https://myaccount.google.com/security, scrolling down to the Password & sign-in method section, and clicking 2-Step Verification if it's turned off.

Change your password. See below for our tips for creating a strong, yet easy-to-remember password.

How do I protect myself from attacks?

Whenever you get an attachment or link in an email, check the To, From, and CC/BCC fields for fishy-looking addresses. In the case of this email, the sender appeared to be familiar, but the "to" address showed hhhhhhhhh... @ mailinator .com as one of the recipients, and your email address would have appeared as a BCC.
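The header check described above, as an added Python example that is not part of the original article: it flags a visible recipient on a disposable-mail domain and a message that reached you only by BCC. The sample message, every address other than the mailinator.com domain, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: a small local list of disposable-mail domains.
# Only mailinator.com comes from the article.
DISPOSABLE_DOMAINS = {"mailinator.com"}

# Constructed sample message (not a captured email).
SAMPLE_EML = """\
From: Known Sender <friend@example.org>
To: constructed-recipient@mailinator.com
Subject: Known Sender has shared a document with you
Content-Type: text/plain

Open in Docs: https://link.example/placeholder
"""


def _is_disposable(addr):
    """True if the address is on a listed domain or one of its subdomains."""
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return any(domain == d or domain.endswith("." + d) for d in DISPOSABLE_DOMAINS)


def review_headers(raw_message, my_address):
    """Return a list of warnings about the To/From/CC fields of one message."""
    msg = message_from_string(raw_message)
    warnings = []
    # Everyone the sender chose to show: To and Cc (Bcc is never visible).
    visible = [addr.lower() for _, addr in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", [])) if addr]
    for addr in visible:
        if _is_disposable(addr):
            warnings.append(f"visible recipient uses a disposable-mail domain: {addr}")
    # If the message reached you but you are not listed, you were BCC'd.
    if my_address.lower() not in visible:
        warnings.append("your address is not in To/Cc, so you were BCC'd")
    _, sender = parseaddr(msg.get("From", ""))
    if not sender:
        warnings.append("From header is missing or unparsable")
    return warnings


if __name__ == "__main__":
    for warning in review_headers(SAMPLE_EML, "me@example.com"):
        print("WARNING:", warning)
```

A familiar From name does not clear a message; the two warnings above fire even though the sender looks known.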

If you weren't expecting an attachment or link, don't click on it. Send a separate message to the sender asking what the attachment is about. If they confirm it's legitimate, you can open it.

Tips for a stronger password

Dictionary words, even when certain letters are replaced by numbers or symbols, are easily guessed by computer software. The best practice for creating a strong password is to come up with something that means something to you (because a password you can't remember is useless), but that a computer or human wouldn't be able to guess. Try the following tips—even better, combine them!—to make your new password stronger:

Use a different password for different sites and applications

Even if you just append a few unique characters to a master password. For example, a Hanson fan might use "M*3bop" as her base, and then add the first three letters of the URL she signs onto. So her password for Netflix would be M*3bopNet, and her password for Amazon would be M*3bopAma.

String several words together—ones that aren't found in a common phrase or idiom. 

Randall Munroe, the genius behind xkcd.com, recommends choosing random common words, showing how "correcthorsebatterystaple" is much more difficult to guess than "Tr0ub4dor&3". Create an image or story in your head to help you remember the words.

Avoid common passwords and patterns.

No, your online passwords shouldn't be 1234 or password. You should also not follow the most common patterns discovered by DARPA, the Defense Department's research agency. These include:
  • One uppercase, five lowercase and three digits (Example: Kitkat123)
  • One uppercase, six lowercase and two digits (Example: Mykitty12)
  • One uppercase, three lowercase and five digits (Example: Myka12345)

Make a quote or lyric anagram.

And then add symbols and capitalize certain letters. If you make a rule that you only capitalize vowels or verbs, then you'll more easily remember which letters are uppercase and which aren't.

So "So don't be afraid to let them show. Your true colors." becomes "sd'batlts.ytc" with punctuation—and when we replace "to" with "2", include a special character instead of the period, and capitalize every letter following a number or special character, you have "sd'Ba2Lts|Ytc"

Choose a personal phrase or word, and then shift your fingers in one direction.

So "SmIth" would become "AnUrg". This tip is best combined with the others, to ensure you have uppercase and lowercase letters, a number, and a special character.

We hope this article helps you to feel more confident—yet cautious—online. 

—The Esultants Team
