I’ve received a couple of troubling emails recently that made their way into my inbox. They were well-drafted attacks designed to convince me that my Gmail or YouTube account were about to be deleted unless I clicked a link right away.
Of course, words like “warning” or “instant” should always give you pause — criminals try to get you off your game by creating a false sense of urgency. I could see someone falling for this technique, so I’m calling it out.
One message read: “Your account is scheduled for termination. Activate now to stay connect. Google team.”
The bad grammar is a tipoff. Another is something you might not notice unless you look carefully at the “from” line. It says “Gooqle Setting,” with a “q” where a “g” should be.
Clever, those criminals. That’s probably part of the reason it wasn’t stopped by Google spam filters. Of course, clicking on the link doesn’t bring you to a Google website. So delete this one immediately.
Subtle pitch
Yesterday, I received a similar menacing email that was a little more elegant and subtle in its presentation. It warned of an upcoming terms and conditions privacy-related change at YouTube, and urged me to click to confirm my personal information.
The message read: “Over the past year, we have introduced new features and controls to help you make the most of your use of YouTube, and we listened to the people who have asked us to provide a better explanation of how we get the information and use it.”
But again, the would-be hacker here used unconvincing language: “Because of the latest updates ask many of our customers to confirm their information, and this is not something to worry about.”
Still, a privacy policy update could seem benign, and I could see a user clicking on this one. Don’t be that user.
Google responds
About five hours after the Gooqle email arrived in my box, Google actually forwarded the message adding a warning with a red band across the top that read, “Similar messages were used to steal people’s personal information. Unless you trust the sender, don’t click links or reply with personal information.”
An excellent step, but about five hours too late for some people, I’m betting.
I don’t know how widespread this problem is — I’ll try to find out. But I do know that techniques like this pop up, and persist, only because they work.
So today’s warning: Be very, very skeptical of emails that seek to verify your account, particularly if you didn’t initiate the dialog. Even if you did — say, you requested a new password from a site — always be careful of clicking on a link in an email.
Always hover over the link first and see where it’s taking you. And always glance up at that address bar and see where you’ve landed. That’s not a fool-proof technique, but it’ll protect you from a lot of similar scams.
This article originally appeared on ThirdCertainty.com and was written by Bob Sullivan
