The Google email attack, and how to protect yourself from online scammers and identity theft.
Now it's Google with a big scam attack. You get an email. Google Docs. It looks like it's from a friend. You get in there and hit a link, and the fun begins. The phishing – that's with a ph – has speared you. Off goes access to your contact lists, your Google Drive. Maybe user names. Passwords. Your digital life. Everybody's on high alert now, but versions of this are happening every day. This hour On Point, the Google email attack, and how to protect yourself from online scams, plunder, identity theft. — Tom Ashbrook
Guests
Alina Selyukh, technology reporter for NPR News and All Tech Considered host. (@alinaselyukh)
Brian Fung, technology reporter for the Washington Post. (@b_fung)
Justin Cappos, assistant professor in systems and security at the New York University computer science and engineering department.
From Tom's Reading List
New York Times: Email Attack Hits Google: What to Do if You Clicked — "Google said it was investigating an email scam winding its way through inboxes across the country and had disabled the accounts responsible for the spam. The scheme emerged Wednesday afternoon, when spammers dispatched malicious email, appearing to come from people the recipients knew, beckoning them to click on what appeared to be a shared Google document."
The Wall Street Journal: Phishing Attack Hits Google Docs — "The attack involved malicious emails masquerading as a message from Google Docs, often sent from a known source. Recipients who clicked on the embedded link and then clicked yes on a follow-up link inadvertently gave the attackers access to their Google email messages and contact list, said Matt Tait, a cybersecurity expert based in the U.K. who researched the incident. That access was then used to send more malicious emails to addresses found in the victim's contact list, Mr. Tait said."
Washington Post: Why This Google Docs phishing attack is particularly sneaky — "What makes this attack so tricky to detect is that it takes advantage of Google's legitimate tool for sharing data with responsible third-party apps. Since the bogus invitation is being routed through Google's real system, nothing is misspelled, the icons look accurate, and it's hard to know something's gone wrong until it's too late."
Copyright 2021 NPR. To see more, visit https://www.npr.org.