Adam Griffin from Seattle in the US is still in disbelief over how quickly he was robbed of nearly US$500,000 in cryptocurrencies. A scammer called him from a genuine Google phone number to warn that his Gmail account was being hacked, sent email security alerts that came directly from google.com and ultimately seized control of the account by convincing him to tap 'yes' on a Google prompt on his mobile device.
Brian Krebs of KrebsOnSecurity reports that a single 'yes' tap on a Google prompt cost two cryptocurrency investors, Mr Griffin and a second victim, Tony, millions of dollars after they fell for sophisticated phone scammers impersonating Google support.
According to the report, while Mr Griffin lost nearly US$500,000, a scammer impersonating Google phished 45 bitcoins, about US$4.725 million at today's value, from Tony.
In an era where digital security is paramount, fraudsters continuously adapt their tactics to exploit both new technology and the gaps in how it is deployed. Two recent targets are Google Prompt and Google Authenticator, both of which have become critical components of multi-factor authentication (MFA) for online accounts.
In response to questions from KrebsOnSecurity, Google said it could confirm that this was a narrow phishing campaign that reached a 'very small group of people'. "We are aware of this narrow and targeted attack and have hardened our defenses to block recovery attempts from this actor," the company said in a written statement which emphasised that the real Google will never call you.
Whether or not you are a target of cybercriminals abusing Google Prompt and Google Authenticator, it is better to understand how these scams work and be prepared.
First, let us understand Google Prompt and Google Authenticator.
Google Prompt is not a standalone app but a two-step verification method: Google sends a real-time push notification to a phone on which you are already signed in (built into Android's Google services, or delivered through the Google or Gmail app on iOS), asking you to confirm a sign-in attempt. It simplifies verification by removing the need for one-time passwords (OTPs) sent via SMS or email when logging in to your Google account. Because there is no code to type, there is nothing for a phisher to steal, but an attacker can still make the prompt appear and then talk you into tapping it. In Mr Griffin's case the prompt he approved was tied to an account-recovery attempt, as Google's statement about blocking 'recovery attempts' indicates. While convenient, Google Prompt is clearly not immune to fraud.
Cybercriminals typically trick users into entering their login credentials on fake websites or through phishing emails, then use those credentials to start a sign-in that triggers a Google Prompt on the victim's device. If the victim does not approve, fraudsters can keep retrying, sending prompt after prompt (so-called MFA fatigue or prompt bombing) in the hope that the victim approves one out of frustration, fear or confusion. In the cases above, the attacker combined the prompt with a phone call from a genuine Google number to talk the victim into tapping 'yes' at the right moment.
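The repeated-prompt pattern described above is visible in sign-in logs if anyone looks for it. The following is an added example, not code from the original article or from Google: a small detector that runs over a handful of constructed, hypothetical sign-in events (the `user=... event=...` format and the timestamps are assumptions for this example, not Google's real audit-log schema) and flags two things: a burst of prompts to one user inside a short window, and an approval that follows repeated denials, which is the "gave in out of frustration" signature.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value sign-in log format.
# The format, users and addresses are assumptions for this example only.
SAMPLE_LOG = """\
2024-10-05T14:02:11Z user=alice event=prompt_sent src=203.0.113.7
2024-10-05T14:02:19Z user=alice event=prompt_denied src=203.0.113.7
2024-10-05T14:02:41Z user=alice event=prompt_sent src=203.0.113.7
2024-10-05T14:02:50Z user=alice event=prompt_denied src=203.0.113.7
2024-10-05T14:03:10Z user=alice event=prompt_sent src=203.0.113.7
2024-10-05T14:03:30Z user=alice event=prompt_approved src=203.0.113.7
2024-10-05T14:05:00Z user=bob event=prompt_sent src=198.51.100.4
2024-10-05T14:05:06Z user=bob event=prompt_approved src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: src=(?P<src>\S+))?$"
)


def parse(log_text):
    """Parse the constructed log format into (timestamp, user, event, src) tuples.

    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["event"], m["src"]))
    return events


def detect_prompt_bombing(events, window=timedelta(minutes=5), min_sent=3, min_denied=2):
    """Return (user, finding, timestamp) triples.

    'prompt_burst'            : the min_sent-th prompt to one user inside `window`
    'approval_after_denials'  : an approval preceded by >= min_denied denials in `window`
    """
    events = sorted(events, key=lambda e: e[0])
    recent = defaultdict(deque)  # user -> (ts, event) pairs still inside the window
    findings = []
    for ts, user, event, _src in events:
        q = recent[user]
        q.append((ts, event))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        sent = sum(1 for _, e in q if e == "prompt_sent")
        denied = sum(1 for _, e in q if e == "prompt_denied")
        if event == "prompt_sent" and sent == min_sent:
            findings.append((user, "prompt_burst", ts))
        if event == "prompt_approved" and denied >= min_denied:
            findings.append((user, "approval_after_denials", ts))
    return findings


if __name__ == "__main__":
    for user, finding, ts in detect_prompt_bombing(parse(SAMPLE_LOG)):
        print(f"{ts:%H:%M:%S} {user}: {finding}")
```

On the sample data only alice is flagged (a three-prompt burst, then an approval after two denials); bob's single prompt followed by an approval is ordinary behaviour and produces nothing. The second finding is the one worth paging on: an approval that arrives after the user has already said "no" several times is exactly the moment the scammer on the phone has won.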
Google Authenticator is an app that generates time-based one-time passwords (TOTP) for MFA. Each code is derived from a secret shared with the service when you enrol and from the current time, and it is valid for only one time step (30 seconds by default), which adds a layer of security beyond the password. You can pair Google Authenticator with any account that supports TOTP, not only Google's. Signing in then takes two steps: after you enter your username and password, the next screen asks for the current code from the authenticator app.
Cybercriminals impersonate legitimate entities and ask the victim to read out the TOTP from the authenticator app; because the code is valid for only a short window, they enter it immediately. Fraudsters who gain initial access to the victim's Google account can also abuse Google Authenticator's cloud-sync feature to restore the victim's synced TOTP secrets onto their own device, or enrol a device of their own, so that resetting passwords alone no longer locks them out. Further, malware on a victim's device can intercept, copy and forward the TOTP codes.
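To make the two preceding paragraphs concrete, here is an added example, written for this article rather than taken from Google or the Google Authenticator project: a minimal RFC 6238 TOTP generator and verifier in Python. It shows why a code read out to a scammer works only for about a minute, and why a stolen secret (a synced seed, or one exfiltrated by malware) is far worse, since it yields every future code. The secret used in the test is the RFC 6238 reference seed; the `DEMO_SECRET_B32` value is a made-up example, not anyone's real enrolment secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret in base32, the form shown in an enrolment QR code.
# This is an assumption for the example, not a real account's secret.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30    # time-step in seconds (Google Authenticator's default)
DIGITS = 6   # code length (Google Authenticator's default)


def _decode_secret(secret_b32: str) -> bytes:
    """Base32-decode an authenticator secret, restoring any stripped '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // step)


def verify(secret_b32: str, code: str, at: int, step: int = STEP, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock-skew allowance).

    A code phished at time t therefore keeps working for roughly (window + 1) * step seconds,
    which is why a scammer enters it the moment the victim reads it out."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + k), code)
               for k in range(-window, window + 1))


def upcoming_codes(secret_b32: str, at: int, count: int, step: int = STEP) -> list:
    """What an attacker holding the *secret* (not just one code) can produce: every future code."""
    base = at // step
    return [hotp(secret_b32, base + i) for i in range(count)]


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    print("valid now?      ", verify(DEMO_SECRET_B32, code, now))
    print("valid in 2 min? ", verify(DEMO_SECRET_B32, code, now + 120))
    print("next 5 codes from the stolen seed:", upcoming_codes(DEMO_SECRET_B32, now, 5))
```

Two things to take from running it: a single code stops verifying after about a minute, so a scammer on the phone has to use it at once, which is why these calls are so insistent; and `upcoming_codes` needs nothing but the base32 seed, so any copy of that seed (the enrolment QR, a synced backup, a screenshot) is equivalent to the authenticator itself.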
Maintaining the security of your Google account requires a proactive and layered approach. While tools like Google Prompt and Google Authenticator provide robust defences, their effectiveness hinges on how you use and protect them.
By understanding the methods fraudsters employ and implementing some strategies, you can mitigate risks and safeguard your digital presence.
Here are a few suggestions for keeping your Google accounts safe.
1. Always enable multi-factor authentication (MFA):
Both Google Prompt and Google Authenticator are MFA methods, but neither protects a victim who is talked into approving a prompt or reading out a code. Consider adding a hardware security key or passkey, which only works on the genuine site and cannot be approved or read out over the phone, and keep your backup codes stored securely offline for recovery.
2. Be vigilant about login prompts:
Do not approve a Google Prompt unless you are actively logging in at that moment, and never approve one because someone on the phone asks you to. A prompt you did not initiate means someone already has your password: tap 'No' and change the password. Also pay attention to login-attempt emails and notifications from Google.
3. Strengthen password security:
Use a password manager to generate and store complex, unique passwords. Google's Password Checkup (part of Google Password Manager) flags weak, reused or breached passwords; treat it as a guide to what needs changing, not as a source of strong passwords, which the password manager should generate for you.
4. Safeguard Google Authenticator:
Back up your Google Authenticator data. Google Authenticator can sync your codes to your Google account, and its 'Transfer accounts' feature exports them by QR code to a new phone. Bear in mind that codes synced to your Google account are only as safe as that account: anyone who takes it over can restore them to their own device.
Never share your TOTP with anyone, even if they claim to be from Google.
Keep your phone's operating system and apps updated to minimise vulnerabilities.
5. Beware of social engineering tactics:
Educate yourself about phishing techniques and scrutinise emails, messages and websites for authenticity.
Verify unexpected requests by contacting the entity directly through official channels.
6. Deploy advanced security features:
Enable enhanced safe browsing: This provides real-time protection against harmful websites.
Use Google's security check-up: Regularly review your account settings and activity for suspicious behaviour.
7. Implement device-level security:
Enable biometric or PIN locks on your devices.
Regularly scan for malware and suspicious apps.
8. Regularly review account activity:
Use the activity pages in your Google Account ('Your devices' and 'Recent security activity') to monitor recent sign-ins, and immediately sign out and remove any device or app you do not recognise.
9. Educate your near and dear ones:
Awareness about cyber fraud is crucial not just for yourself but also for family members, friends or colleagues who may share sensitive information inadvertently.
10. Stay informed about security updates:
Google frequently updates its security features. Stay informed about new tools and recommendations through Google's official blogs or announcements.
Cybercriminals exploit human error, social engineering and technical vulnerabilities to bypass these protections. By following the above suggestions, you can significantly enhance your account security and stay one step ahead of them.
Remember, vigilance and proactive measures are your best defence against evolving fraud tactics.
Stay Alert, Stay Safe!