‘Phish’-y Emails

January 20, 2017

Perhaps you’ve seen the notice floating around Facebook or on the news: a new phishing scam that mimics the appearance of Google. By tricking users into opening a fake Google Drive attachment in the email, the scam actually redirects them to a compromised Google Login form. So far, the tactic has been quite successful at siphoning a decent amount of login information.

How can you tell if you’re looking at the legitimate google login page? First and foremost, if your browser isn’t marking the page as ‘secure’ with a green lock or equivalent icon, chances are you aren’t actually looking at the legitimate login screen. Another item to look for is the beginning of the website URL in the address bar. Typically, it will start with “https://” – but if compromised similarly to the page in the scam, it might start with something like “data:text/html” instead.

Some versions of this scam actually add a bunch of spaces to the address to make the page look more legitimate. For instance, the part of the address that says “google” will be visible, but there may be a large number of spaces after it and before something more malicious, so that it won’t be automatically visible on-screen. In order to see this, you’d have to actually click the address bar and scroll all the way to the right end of the address.

So, how else can you remain safe?

For starters, be wary of attachments, even from trusted contacts. Notice the content of the email itself. If anything seems fishy, hesitate to open whatever document or links may be included in the email. If you get an attachment you weren’t expecting, then ask the sender before opening it. (Just remember to ask somewhere other than the same email, in case it actually is compromised.)

This particular phishing scam utilizes the visuals from emails that contain attachments shared in Google Drive. While this is part of why the tactic is effective and frightening, it also means there’s another way to check if an attachment is legitimate.

If you happen to get an email with an attachment from Google Drive, and you want to avoid clicking the attachment directly in the email, open a fresh window in your browser. Navigate to the actual Google Drive website (which is drive.google.com). Chances are, if you were already logged into the web Gmail application, you won’t be asked to sign in again.

In the left-hand sidebar, click “Shared With Me” as shown here. This will present a list of all files that have been shared via Google Drive with the account you are currently using. If you don’t see the attachment from the email, then it is likely a fake attachment. However if you do, opening it via Google Drive shouldn’t ask for login information, and instead should just open the attachment.

Fake login pages are a popular way of stealing usernames and passwords – and determining the veracity of the page you’re visiting isn’t always easy. But certain things, such as checking the entire URL, trying to access the same page from a page you know is secure, or scanning URLs with a tool like the one available at virustotal.com, can all be helpful in determining the legitimacy of the page you are visiting.

For more information on phishing and how to spot bad emails, check out:

Simple Steps to Avoid Being Phished

Avoiding Social Engineering and Phishing Attacks


Gary is a team member at Sephone, helping to design, develop and maintain websites.

Leave a Reply

Your email address will not be published. Required fields are marked *