The theft last week of the passwords of hundreds of Gmail accounts by Chinese hackers operating from Jinan, in Shandong province, left many of us feeling vulnerable. But there are ways to avoid becoming the next victim of a phishing scam.
The official Google blog illustrates how phishing scams work. One post warns against clicking on suspicious links in e-mails:
Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online.
If you do click on such a link, you may be redirected to a log-in page. The security blog Contagio provides an example of the kind of log-in page that appears as part of this phishing scam.
The distinction between “real” and “fake” log-in pages is less obvious than it looks. Legitimate sites do indicate which country the footer links belong to and the year the text first appeared, but a phishing page can copy those details verbatim, so they are not a reliable signal. What a fake page cannot copy is the address bar: the genuine Google sign-in page is served over HTTPS from a host under google.com, and anything else (a look-alike name such as google.com.example.net, a bare IP address, or a plain http:// page) should be treated as fake.
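As an added example that is not part of the original article or of Google's own advice, the following Python function applies that address-bar rule to a URL. It goes beyond the look-alike name above and also rejects the other common disguises: a plain http:// page, a trusted-looking name placed before an @ so that the browser actually connects elsewhere, a bare IP address, and punycode (look-alike character) labels. The trusted domain and the sample URLs are assumptions constructed for the example.

```python
"""Address-bar check for a sign-in URL.

Added example, not from the original article or from Google. It encodes the
rule that the genuine sign-in page is served over HTTPS from a host under
google.com; the trusted domain and all sample URLs are assumptions
constructed for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: the only registered domain the real sign-in
# page is served from. A deployment would keep its own list.
TRUSTED_DOMAIN = "google.com"


def classify_login_url(url: str) -> tuple[bool, str]:
    """Return (is_trusted, reason) for a URL as shown in the address bar."""
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, "not served over https"

    # "https://accounts.google.com@evil.example/" puts the real-looking name
    # in the userinfo part; the browser connects to evil.example. urlsplit
    # exposes that part as username, so check it before looking at the host.
    if parts.username is not None:
        return False, "trusted-looking name is userinfo, real host is %r" % parts.hostname

    host = parts.hostname  # lower-cased, with port and userinfo stripped
    if not host:
        return False, "no host name"

    # A bare address instead of a name is never the real sign-in page.
    try:
        ipaddress.ip_address(host)
        return False, "raw IP address instead of a host name"
    except ValueError:
        pass

    # Internationalised labels can render identically to ASCII ones.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label (possible look-alike characters)"

    # Require the dot: "evilgoogle.com" ends with "google.com" but is not it.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "served from " + TRUSTED_DOMAIN

    return False, "host %r is not under %s" % (host, TRUSTED_DOMAIN)


# Constructed sample URLs: one genuine address followed by common tricks.
SAMPLE_URLS = [
    "https://accounts.google.com/ServiceLogin",
    "http://accounts.google.com/ServiceLogin",
    "https://accounts.google.com.example.net/ServiceLogin",
    "https://accounts.google.com@203.0.113.5/ServiceLogin",
    "https://203.0.113.5/ServiceLogin",
    "https://www.xn--gogle-wib.com/ServiceLogin",
    "https://evilgoogle.com/ServiceLogin",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        trusted, reason = classify_login_url(sample)
        print("%-4s %-55s %s" % ("OK" if trusted else "FAKE", sample, reason))
```

The check deliberately looks only at the URL the browser will actually connect to; nothing on the rendered page (logos, footer text, copyright year) is consulted, because all of that is under the attacker's control.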
Up to this point the user is safe. But once the user enters his credentials in the fake log-in page, they are sent to the hackers, who can log in as the victim, change the account's forwarding and delegation settings, and use the hijacked account to spread the scam further. From then on, a copy of every message the account receives is forwarded to a separate inbox the hackers control.
The official Google blog also recommends turning on 2-step verification, which requires a code sent to your mobile phone in addition to your password. This does not tell you whether you are on the “real” Google log-in page, but it means that a password captured by a phishing page is not enough on its own to get into the account.
Google also encourages users to check the “Forwarding and POP/IMAP” settings of their account, along with the delegated accounts listed under the “Accounts” tab. A forwarding address or delegate that you do not recognise is a strong sign that the account has been compromised; remove it and change the password.