Watch for hard-to-spot GMail phishing scam

This information was sent to the IT Security Community and Frontline Notify groups on January 19, 2017

You and those you support may be seeing reports in the news about a phishing scam making use of GMail (see references below). This is similar to many common phishing scams, so we are again reminding people to exercise caution. Please share the information below with people in your areas as appropriate.

How the Phishing Scam Works

  • Hackers use a compromised account to send email to the people listed as contacts for that account. The email contains an attachment taken from email previously sent from the compromised account.
  • Because the recipient recognizes the sender, and possibly the name of the attachment, they click the attachment.
  • The recipient's web browser opens to what looks like a sign-in page. In this most recent scam, it looks like the Google sign-in page. Login pages for many other commonly used services are also targeted, including some U-M services. Often the only way to identify the fake login page is to look at the URL or web address. In the GMail scam, there is additional text inserted before the "https."
  • When the recipient signs in, their login information is stolen, and their account is compromised. It can then be used to send phishing emails to all their contacts.

How to Avoid this Scam

Only enter your UMICH (Level-1) password on the U-M Weblogin page to log in to Google at U-M.

  • If you are directed to the Google sign-in page, enter your email address in the form of [email protected], then click Next.
  • If you are asked to select an account, select the Organizational Google Apps Account owned by umich.edu.
  • You should then see the Weblogin page. Check that the web address begins with https://weblogin.umich.edu/ before logging in.

Tips for Avoiding Similar Scams

  • If you are at all suspicious of an email attachment, check with the apparent sender before opening it.
  • Check the web address before logging in. If there is something in front of the https, and there's no lock symbol, that's a problem.
  • Get to know the login addresses of the sites you use most frequently.
    • U-M Weblogin begins with https://weblogin.umich.edu/
    • Google sign-in begins with https://accounts.google.com/

Turn On Two-Factor for Added Protection

We recommend that all members of the U-M community turn on two-factor for Weblogin. Once you turn it on, a hacker cannot use a stolen UMICH password to compromise your account. With two-factor, anyone trying to log into your U-M account must know your uniqname and password and have your second proof of ID. U-M uses Duo Security for two-factor authentication.

If You Think You Got Caught

  • Change your UMICH (Level-1) password immediately at password.it.umich.edu.
  • You can check logins for your GMail account by scrolling to the very bottom of your email message window and clicking the Details link. If you see suspicious login activity, contact the ITS Service Center.
  • If the scam message came from a U-M address, please report it to the ITS Service Center.