Phishing remains a major hazard in a world full of cyber threats and abusive individuals. The rise in remote work, accelerated by the Covid-19 pandemic, has created ideal ground for creative schemes. The Google Doc phishing scam was one such scheme: a precise and elaborate attack that exposed users to a deceptive form of phishing. This blog looks into the scam's details, shedding light on its strategies and offering advice on how to defend yourself against it.
Unraveling the Google Doc Phishing Scam
Let’s go back to see what happened. A group of attackers had worked out a clever scheme to trick people. They used Google Docs sharing alerts to target thousands of Gmail users. Pretending to be real businesses, they sent push notifications to phones and emails to Gmail users asking them to contribute to a Google Doc. They usually enticed people with promises of profits, gains, big offers and deals. This temptation blinded people into clicking the fraudulent links contained in the alerts.
The documents contained harmful links which, unknown to the victims, led to malicious websites when clicked. The emails were designed along similar lines. Written in bad English, or sometimes even in Russian, they told people that they had won prizes and were just a few final steps away from collecting. Sometimes they claimed that a payment had been declined, pushing people to check their credit card details. Despite several red flags, this caught some unaware people off guard.
The Escalation of Social Engineering Tactics
These attacks increased after the pandemic ended and the world began to recover. People were robbed of their money and private information, and some were even blackmailed. According to a 2021 study, there was a 270% growth from 2020. As we all know, 2021 was the start of COVID, and lockdowns had forced people to spend more time at home. This increased their online activity and exposed them to a higher chance of being attacked. These attacks came as emails, SMS, voice messages and push notifications, all specifically designed to extract the personal information of those individuals.
Attackers created replicas of big websites such as Amazon and Microsoft and asked people to visit these sites to resolve an issue. Individuals unaware of the malicious intent logged into the fake websites with their real credentials, which allowed the attackers to harvest those credentials and later use them to compromise the victims' real accounts on the genuine websites.
Another study, conducted in 2022, showed a further 61% increase in phishing attacks, which had already surpassed 255 million by 2022. A related scheme used by attackers is social engineering: the attackers get close to individuals, pose as their friends, slowly gather more and more information about them, and then use that same information against them. Social engineering has emerged as a popular tool among cybercriminals.
What did we learn?
These attacks, and the individuals caught by them, hold a lesson for all of us. The following are some major steps that should be taken to increase our protection against such attacks.
1. Push Notifications:
Every push notification we receive on our devices should be treated with extreme caution. Read it carefully and make sure it actually relates to you. Avoid clicking on anything that seems odd. If you discover a suspicious notification, report it to Google.
2. No-Reply Addresses:
Whenever you receive an email from an unknown source, treat it with great care. Look closely at the sender’s email address; many scams can be caught just by examining it. Go through the entire email for irregularities such as poor vocabulary or spelling mistakes. Once identified, report it to the appropriate authorities so that others can learn about it too.
3. Clicking on Suspicious Links:
Whenever you receive a link from someone, check it carefully to see whether it leads to the genuine website or to a fake one. Suspicious links often look odd and carry bogus names. Avoid clicking on such links, and never log in through them. This greatly reduces the likelihood that you will be attacked.
4. Prizes and Lotteries:
You may often receive an email or SMS saying that you have won a big competition and that only a few final steps stand between you and a huge prize. For many people this is very enticing; they follow the steps in pursuit of the prize money and are eventually attacked. Always ask yourself first how someone can win a prize they never entered, and whether a genuine organizer would notify them through a shabby-looking email or SMS rather than a proper channel. These are often red flags.
5. Bad Vocabulary:
Whenever you receive a message, always pay attention to its vocabulary. You may find several red flags in it, and they may be enough to tell you whether something is a scam or not.
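The sender and link checks in items 2 and 3 above can be partly automated. The following is an added example, not code from the original post: it parses the anchors in a message body and flags links whose visible URL disagrees with the real target, or whose target is not a Google Docs/Drive host. The trusted-host set and the sample message are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Google Docs share notification links to (assumption for this example).
TRUSTED_HOSTS = {"docs.google.com", "drive.google.com"}
# Constructed sample: the first link shows a docs.google.com URL as its visible text
# but actually points elsewhere; the second link is genuine.
SAMPLE_HTML = """
<a href="https://docs-google.example.net/open?id=1">https://docs.google.com/document/d/1/edit</a>
<a href="https://docs.google.com/document/d/abc/edit">Open in Docs</a>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()

def is_trusted_host(host):
    # Exact match or subdomain only; rejects look-alikes such as docs.google.com.evil.example
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def check_links(html):
    # Returns (href, verdict) for each link: 'mismatch', 'untrusted' or 'ok'.
    parser = LinkCollector()
    parser.feed(html)
    verdicts = []
    for href, text in parser.links:
        real = host_of(href)
        shown = host_of(text) if text.lower().startswith("http") else ""
        if shown and shown != real:
            verdicts.append((href, "mismatch"))   # visible URL and real target disagree
        elif not is_trusted_host(real):
            verdicts.append((href, "untrusted"))  # not a Google Docs/Drive host
        else:
            verdicts.append((href, "ok"))
    return verdicts
```

Run `check_links(SAMPLE_HTML)` to see the first link reported as a mismatch and the second as ok; a mail gateway or filter rule can apply the same comparison before a message reaches the inbox.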
How to safeguard yourself against these attacks
The following are some measures that should be taken in offices and communities to help safeguard people from such attacks.
1. Employee Education on Phishing Threats:
Conduct comprehensive phishing threat awareness across all levels of the organization, telling people what an attack may look like and how to spot the red flags. Another approach is to use the phishing simulation tools available online to train employees to recognize scams, enabling them to handle real-world scenarios.
2. Security and Phishing Awareness Training:
Hold security awareness and phishing awareness training sessions and seminars to keep social engineering threats at the forefront of people’s minds. Such regular micro-learning sessions give people the opportunity to learn about these threats and develop the skills to detect such attacks in the future.
3. Internal Cybersecurity Ambassadors:
Select team members to act as cybersecurity ambassadors, responsible for monitoring employee phishing awareness. Train these ambassadors on the latest threats and leverage phishing micro-learning modules to extend training to other staff members.
4. Regular Communication:
Keep in touch with staff regularly, highlighting the need for phishing knowledge. Help individuals stay attentive to developing cyber dangers by providing advice on safeguarding both personal and professional settings.
5. Keep IT Systems Updated and Secure:
Keep the organization’s network defenses up to date by promptly applying patches and updates for software, applications and operating systems so that the latest security fixes are installed. Another way we in the tech world further fortify our security is to combine regular software patching with robust malware protection and anti-spam software to minimize potential entry points for cyber threats.
Defenses for Employees
The following actions should be taken by organizations to aid with employee protection.
1. Verify Email Senders:
Verify the source of an email. Check all unknown senders; if something comes from an unknown source, it should be deleted.
2. Avoid Clicking on Unverified Links:
Links in emails from unverified sources should not be clicked or opened, especially those that look odd.
3. Scrutinize Emails for Red Flags:
Carefully go through the email body and look for all the red flags mentioned above. This will help you determine whether something is authentic or artificially made to look real.
4. Stay Informed on Cyber Threats:
People should take part in security awareness sessions and seminars so that they stay up to date with these sorts of scams. The Google Doc scam may be a thing of the past, but attackers will keep devising new ways to target people and get their information. Organizations should also hold sessions where they teach people how to safeguard themselves from these attacks.
Online Phishing Simulators
There are phishing simulators online that everyone should go through at least once so that they can better understand what phishing looks like, how it works, its red flags, and how to safeguard themselves against it. Some good ones are KnowBe4 and Phish Insight.
Conclusion
To close, the Google Doc phishing scam serves as a reminder of how malicious people can be and why we should always remain vigilant. Organizations and governments should work together to develop strong defenses and cyber laws to prevent this from happening, and should also teach people more about cyber security. We should always stay vigilant and up to date with such scams so that nothing like this happens to us.