Ever since the adoption of remote working and collaboration apps rose during the Covid-19 pandemic, cyber criminals have had ample time to discover new ways to reach users.
For instance, in 2020, hackers began targeting hundreds of thousands of Google users with fake Google Drive notifications and emails to try and trick them into visiting malicious websites.
At the time, this type of attack was a new form of a phishing scam, where a fraudster attempts to mislead a victim into clicking on a malicious link and giving up personal information or downloading malware.
While the world is beginning to emerge from the pandemic, the use of phishing attacks continues to grow, with research revealing more than 255 million attacks during 2022, a 61% increase from 2021.
As phishing attacks grow more common and complex, phishing awareness has become a necessity for avoiding security incidents. This article will reflect on the Google Drive scam and look at how security leaders can address similar scams today.
The Google Drive Scam: Here's What Happened
When the scam first emerged two years ago, hackers used a Google Drive phishing scam to send push notifications and emails to thousands of Gmail users. The notifications invited the recipient to collaborate on a Google doc.
Users who clicked on the push notifications were taken to a document containing a large link to a malicious website, and the emails themselves also featured malicious links.
The messages were written in broken English and Russian, with some claiming the recipient had won a prize, whereas others prompted recipients to review their financial transactions.
Although this scam was a long time ago, the technique remains popular enough that Google added a warning banner to highlight the dangers of opening potentially malicious files to help users more easily identify malicious use of Google Drive.
What's Happened Since: The State of Social Engineering
Unfortunately, since this Google Drive scam, social engineering attempts have only become more common, with 90% of data breaches having a social engineering component. This means email, SMS, voice messages, and push notifications are all ways attackers will try to target and manipulate users into giving up personal information.
More recently, a "Google Drive request approval" spam which Google has acknowleged as a "known issue".
The popularity of social engineering among threat actors means that users must be cautious of clicking on unusual links no matter where they’re located.
In general, cybercriminals will create a website that mimics the one of a popular provider like Microsoft and then attempt to drive users to it by getting them to click on links to visit the site.
Users who click on the site are tricked into logging in with a fake online form so that the hacker can harvest their login credentials and take over their account on the legitimate site.
These scams are often difficult to detect as the perpetrators will go out of their way to imitate popular brands. However, with the right level of security awareness and consistent training, users can still spot them effectively.
5 Lessons to Learn from the Google Drive Scam
The Google Drive scam offers some key learning opportunities for enterprises:
Hackers can send push notifications
Fraudsters can weaponize push notifications just as quickly as they can email and SMS messages. This means it's crucial to be cautious of opening unusual push notifications like you would unsolicited email or SMS messages.
Be wary of "official" no-reply addresses
In these scams, hackers used a no-reply Google address to gain the victim's trust. You can catch these types of scam emails by continuing to scrutinize emails for discrepancies such as spelling mistakes and unusual links.
Scam email addresses include:
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
Don't click on suspicious links
Regardless of whether it's a push notification, email, or SMS message, never click on links from unknown senders. This will prevent you from being misled to a malicious site.
Be wary of prize offers
In some of the messages, cyber criminals claimed the recipient had won a prize. Be wary of any email or SMS message that claims you've won a competition you didn't sign up for, as it's most likely a scam.
Watch out for spelling mistakes and foreign languages
The fraudsters wrote many of these Google Drive notifications and emails in broken English or Russian. Messages featuring broken English or languages different from your local language often indicate a scam.
How to Protect Your Data from Phishing Attacks: Tips for Cyber Security Leaders
Cybersecurity leaders can prevent phishing attacks by doing the following steps:
Educate your employees about phishing threats
Educate employees at all levels of the business about phishing attempts, and use phishing simulation tools to train them to recognize scams in a real-world scenario so they can detect scams whenever they encounter them.
Use security awareness training and phishing awareness training
Provide employees with a mix of security awareness training and phishing awareness training to keep social engineering threats top-of-mind among employees. Regular micro-learning sessions will give your employees ample opportunity to practice their phishing detection skills with real-world scenarios.
Train internal cybersecurity ambassadors to encourage phishing awareness
Choose a couple of team members to act as cybersecurity ambassadors to monitor employee phishing awareness. Train ambassadors about the latest threats and use phishing micro-learning modules to train other staff members.
Communicate regularly
Send ongoing communications and emails to employees about the importance of phishing awareness and provide guidance on how they can keep their personal and work environments secure.
Keep all IT systems updated and secure
Ensure your network defenses are up to date by downloading patches and updates for all software, applications, and operating systems. Combine regular software patching with malware protection and anti-spam software to reduce potential entry points to your network.
How to Protect Your Data from Phishing Attacks: Tips for Employees
If you want to ensure your team stays safe from phishing scams, here are some simple steps you can take:
Don't open emails from unknown senders
If you receive an email message, double-check the sender's name and email address to see if it's someone you recognize, and feel free to ignore it if you don't.
Don't click on links in emails
Be cautious of links sent by your email contacts. If you think a link is safe to click, you can hover your mouse over the URL to check the destination URL and see if the site it's taking you to is secure.
Inspect emails for suspicious elements
Ready your emails carefully and keep an eye out for red flags like spelling mistakes, grammatical errors, and any language that promotes urgency, as these indicate the message is malicious.
Stay ahead of cyber criminals
While it’s been two years since this Google Drive scam emerged, cybercriminals still use push notifications to trick users into infecting their devices with malware or clicking through to phishing websites.
As hackers innovate new scams, cybersecurity leaders can stay prepared by providing employees with regular security awareness training and phishing simulations so that employees have the confidence to spot and report scams when they see them.
An important first step is for employees to accurately identify phishing attacks
Try our phishing quiz to test your phishing knowledge.