The Better Business Bureau recently published an article about a phishing scam in which victims receive an email claiming someone has shared an online photo album with them. When the victim clicks the link, they are taken to a site that attempts to steal their Google username (i.e. Gmail address) and password.
One paragraph in the article ends with this: “Con artists can now access your email account as well as any other accounts that use the same login information.” And that is true. The thieves may very well just pick a bunch of banking and social websites and attempt to access accounts using your Gmail address and password, in hopes that you have reused the password across many sites. But what if you’ve already followed the standard advice to not reuse passwords for different accounts? Does that contain the damage to your Google account?
Unfortunately, no. Have you ever forgotten a password to an account? How does that play out?
Usually, you click the “forgot password?” link, type in your email address, then wait for a message containing a link to reset your password. When you click that link, it takes you to a website where you can create a new password.
And this is exactly what could happen if you fall for a phishing email such as the one above and reveal your Google username and password. The thief can sign in to your account and search your inbox or trash folder for emails from financial institutions or creditors. Using this information, they can visit those companies’ websites, request a password reset, intercept the message that contains the reset link, then access your financial accounts. They will attempt to change the passwords while they’re at it, to lock you out.
Two-factor authentication can help a little. But a lot of online accounts use the primary email address for verification by sending a “was this you?” message if changes are made to an account. If you’re not watching the email account that was compromised, the thief can simply click the link in the automatic message to “confirm” that the access is authorized. You should definitely turn on two-factor authentication for every single site that offers it, but your best bet is to not fall for phishing attacks in the first place. If you receive an email claiming someone shared a photo album with you, contact that person directly (preferably not by replying to the email) to verify, especially if something about the message seems “off,” or it appears to come from someone who has no reason to be sharing a photo album with you.