By now you should be aware that indiscriminately clicking on anything in an email can be dangerous. Even if you know the sender, and the email looks totally mundane, you’re taking a risk any time you do it.
Recently, a particular kind of phishing email is showing up in inboxes everywhere. These emails look completely ordinary at first glance, and they contain what appears to be an attachment.
When you click the ‘attachment’ to open it, your browser is directed to a phony Google login screen. This in itself may not raise any alarms, since Google — in an effort to improve security — often throws extra login screens at us.
Unfortunately, if you fill in your Google username/email and password, that information goes straight to the perpetrators. Almost immediately after that, your password will be changed and you will have lost control of your Google account. If you’re like most people, you use your Google account for numerous Google sites and services, including Google Drive, Analytics, AdWords, and so on. The potential for damage is extreme.
The goods news is that you can avoid being victimized by this attack by doing something you should already be doing: before you click anything in an email, hover your mouse over the link or ‘attachment’. Most useful web browsers and email applications will show you some information about the item, either in a popup or in the status area at the bottom of the app. What you see should provide all the clues you need. If it’s an attachment, it should show you the file name. If it’s a URL, it should show you an ordinary web address that starts with ‘http://’ or ‘https://’.
Hovering over the fake attachment in these phishing emails shows what looks sort of like a URL, but starts with ‘data:text/html’. No valid URL will ever look like that.
This blogger wasn’t careful. He clicked the ‘attachment’, then entered his Google username and password on the fake login page. Luckily for him, the ‘login’ failed, which alerted him to the situation. He immediately changed his Google password, and appears to have dodged that bullet.