IT Security Tip #20: The Gmail Scam That Surprised Me Too!
People are so very clever! Criminals tend to be people, so by default, criminals tend also to be clever! Here’s a scam that you may not have heard of, but to which you are very vulnerable. This tip may help you avoid having your Gmail account stolen (it applies to any other account that uses a “2 factor authentication” security process as well).
First, what is 2 Factor Authentication (aka “2FA”)? 2FA is a method of helping to better secure a digital resource, and it is based on “something you have, and something you know”. Someone can steal your password, but if they don’t physically have the thing to be used with the password, there is no entry for them. You’ve seen, and maybe even used, a key fob from a bank that shows a long number that changes every 30 seconds or so. When you need to log in to the bank website, you enter your credentials and the current number on the key fob. This is a form of 2 Factor Authentication.
Now back to Gmail. If you give Google your cell number as part of your account, Google will use it to send you a text containing a random number to verify that some action on the Gmail account (like a password reset) is authorized by you. Because they assume only YOU have your mobile phone, it’s a reasonably safe and secure process. Unless someone can trick you into sending that code to them! This is the basis for the Gmail Scam!
Here’s how it works:
1. The thief has your phone number and email address (both easily findable on the internet) and goes to Google and clicks “forgot password”.
2. Google sends your phone a verification code.
3. The thief ALSO sends your phone a text pretending to be Google. It says something like: “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop the unauthorized activity.”
4. You send the password reset authorization code to the thief.
5. The thief takes over your Gmail account and can use it to be “you” in any other web service that uses your Gmail account as the login (they can reset all those passwords too, since the reset emails will arrive at what used to be your Gmail account!)
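The tell in step 3 is that a genuine verification text delivers a code for you to type into the website; it never asks you to text the code back to anyone. The following is an added example (not part of the original tip) of a small screening rule that flags an incoming text for that request, run over constructed sample messages; the message wording, the code format and the keyword lists are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample texts (not real messages). The second one is the
# scam follow-up described in the tip; the first is a genuine-looking
# code delivery; the third is unrelated noise.
SAMPLES = [
    "G-482913 is your Google verification code.",
    "Google has detected unusual activity on your account. Please respond "
    "with the code sent to your mobile device to stop the unauthorized activity.",
    "Your package is out for delivery.",
]

# A request verb followed somewhere later by a code/PIN noun: the one thing
# a legitimate verification SMS never does is ask for the code back.
REQUEST_TO_SEND = re.compile(
    r"\b(reply|respond|send|text|forward)\b.*\b(code|pin|number)\b", re.I | re.S)
# Pressure language typically paired with the request (supporting signal only).
URGENCY = re.compile(
    r"\b(unusual activity|unauthori[sz]ed|suspended|locked|immediately)\b", re.I)
# Assumed delivery format: optional "G-" prefix and six digits.
CODE_TOKEN = re.compile(r"\b(?:G-)?(\d{6})\b")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def assess_sms(text: str) -> Verdict:
    """Flag a text that asks the recipient to hand over a code."""
    reasons = []
    if REQUEST_TO_SEND.search(text):
        reasons.append("asks you to reply with or forward a code")
    if URGENCY.search(text):
        reasons.append("uses urgency or unauthorized-activity language")
    # Urgency alone is not enough; the request for the code is the decider.
    return Verdict(suspicious=bool(REQUEST_TO_SEND.search(text)), reasons=reasons)


def extract_code(text: str):
    """Return the delivered code (digits only) if the text carries one."""
    match = CODE_TOKEN.search(text)
    return match.group(1) if match else None


if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = assess_sms(sample)
        print(f"suspicious={verdict.suspicious} code={extract_code(sample)} :: {sample[:50]}")
```

The only safe place for the delivered code is the website's login or reset form; any message that wants it sent elsewhere is treated as the attack in step 3.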