What Can We Learn from Pop-Up Phishing?

If you collect and analyze the baits used in phishing, you may have noticed how banal they are: scammers’ fake emails are lame unless it is your first encounter with them. Hence, you are confident in saying, “I’ll never click suspicious links and leak my personal information.” What’s more, you may have survived one phishing campaign after another built around holidays and tax filing seasons. However, while you are working hard to see through their tricks, scammers are dedicating themselves to new and trickier scams, for example, Google Calendar phishing.

What is Google Calendar phishing?

Google Calendar phishing, detected by Kaspersky experts, is a variation of email phishing that wears the mask of a Google Calendar notification.

In the scam, targeted users receive notifications on their mobile phones with short event descriptions like, “You’ve received a cash reward,” or “There’s a money transfer in your name.”

Users who take the bait and click the notification are led to enter personal information into a malicious form; or, under the attractive premise of paying a small amount of money to win a large sum, they may be asked to enter their credit card information.

Phishers have adopted this strategy to hide phishing links in files like RSVP forms or other documents.

What is the tricky point?

While Google Calendar is a legitimate and reliable online service, its notifications can be unsolicited. This is because mobile users of Gmail share a common default feature: calendar invitations are added automatically and trigger a notification.

Scammers exploiting this feature can thus send a wave of spam emails containing calendar event invites, with phishing links in them, of course.

Unlike the majority of email scams, which claim to be a credible authority yet expose themselves simply through their email address, Google Calendar phishing boasts much more credibility.
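As an added illustration (not code from this article or from any vendor), the following Python example triages the iCalendar (.ics) invite that such an email carries: it flags events whose organizer is not a known contact and whose text contains a link or one of the lure phrases quoted above. The `known_senders` set, the function names and the sample invite with its `.example` domains are assumptions constructed for the example.

```python
import re

LURE_PHRASES = ("cash reward", "money transfer")  # wording quoted in the article
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def parse_events(ics_text):
    """Return one dict per VEVENT, mapping property name to its unescaped text value."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # RFC 5545: leading space/tab = continuation
    events, stack = [], []
    for line in unfolded.splitlines():
        head, _, value = line.partition(":")  # a quoted ':' in a parameter only leaves junk in value
        name = head.split(";", 1)[0].upper()
        if name == "BEGIN":
            stack.append(value.upper())
            if stack[-1] == "VEVENT":
                events.append({})
        elif name == "END" and stack:
            stack.pop()
        elif stack and stack[-1] == "VEVENT":  # skip nested components such as VALARM
            events[-1][name] = re.sub(r"\\([nN,;\\])", lambda m: "\n" if m[1] in "nN" else m[1], value)
    return events

def triage(ics_text, known_senders):
    """Flag invites from organizers outside known_senders (lowercase addresses) with a link or lure."""
    findings = []
    for ev in parse_events(ics_text):
        organizer = ev.get("ORGANIZER", "").lower().split("mailto:", 1)[-1]
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"))
        urls = URL_RE.findall(text)
        lure = any(p in text.lower() for p in LURE_PHRASES)
        if organizer not in known_senders and (urls or lure):
            findings.append({"organizer": organizer, "summary": ev.get("SUMMARY", ""),
                             "lure_phrase": lure, "urls": urls})
    return findings

# Constructed sample: one unsolicited lure invite (folded DESCRIPTION) and one routine invite.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST",
    "BEGIN:VEVENT", "ORGANIZER;CN=Rewards Team:mailto:promo@mailer.example",
    "SUMMARY:You've received a cash reward",
    "DESCRIPTION:Confirm your details here:\\nhttps://claim.example/fo", " rm?id=1",
    "END:VEVENT",
    "BEGIN:VEVENT", "ORGANIZER;CN=Alice:mailto:alice@corp.example",
    "SUMMARY:Weekly sync", "DESCRIPTION:Agenda at https://wiki.corp.example/sync",
    "END:VEVENT", "END:VCALENDAR"])

if __name__ == "__main__":
    for hit in triage(SAMPLE_ICS, known_senders={"alice@corp.example"}):
        print(hit)
```

The link in the first event is split across a folded line, so it is only recovered because the invite is unfolded before the URL search.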

Take-home messages

Everything else, apart from its Google Calendar camouflage, is as plain and banal as in its fellow phishing cases. Nevertheless, this “new” phishing has given us some take-home messages:

  • Don’t take the bait; don’t believe in money coming from nowhere;
  • Consider turning off the default feature in Gmail if you are not burdened with an overwhelming number of arrangements;
  • Set up two-factor authentication to avoid identity theft in case you do slip into a phishing trap;
  • Scan your email with Mr. Post to identify any risks missed by the naked eye (or mind).

2019-11-04T16:32:23+08:00 | June 21st, 2019 | Insight