Online fraud attempts continue with sophisticated methods targeting email users, the latest of which was a phishing campaign targeting Gmail users through fake invitations that appear to be sent from trusted people.
A Gmail user told the Daily Mail that she almost lost her Google account after receiving a message that appeared to be a casual invitation from a friend. The message contained a button titled "View and Confirm Attendance," and clicking it redirected her to a login page that resembled official Google login pages, prompting her to enter her account details.
She said her initial suspicions were aroused by the unusual appearance of her friend's name in the message, along with a cryptic reference to an event called "Robin Carter," a name she had never heard before. Her suspicions deepened when she noticed the login page wasn't using Google's official domain.
She explained that what was most worrying was that the message was actually sent from her friend's email, after hackers had successfully compromised her account and used it to send fraudulent messages to contacts.
Rachel Tobac, CEO of cybersecurity firm SocialProof Security, warned of the dangers of this type of attack, noting that email has become a major gateway to accessing banking, health, social media, and streaming accounts, since password reset links are usually sent via email.
She confirmed that once hackers gain access to an email account, they can access other accounts linked to it, including bank accounts and health insurance.
According to Tobac, scammers often rely on two main methods in these attacks. The first involves embedding malware within the invitation link, so that spyware is downloaded onto the victim's device as soon as the link is clicked, without any obvious notification. This spyware then runs in the background to steal passwords and sensitive data and send them to the scammers.
The second method is known as "credential harvesting," where the victim is redirected to a fake login page that looks legitimate, and when the email and password are entered, the data is transferred directly to the hackers, giving them full access to the account.
Experts pointed out that hackers later use the stolen accounts to impersonate victims, send new fraudulent messages to friends and family members, and attempt to hack into other financial and service accounts.
These messages are designed to resemble genuine email invitations sent by popular platforms such as Paperless Post, Evite and Punchbowl, making fraud detection more difficult for the average user.
Cybersecurity experts advised verifying the authenticity of any email invitation before clicking on any attached links by contacting the sender directly via text message or phone call. They also advised avoiding using the same password for more than one account, as hackers often test stolen data on banking and financial services within a short time.
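The domain check that saved the user above, written out as an added example (not code from the article or from any of the firms named): given the link behind an invitation button, it reports whether a URL that claims to lead to a Google sign-in page is actually on a Google login domain, catching the subdomain, userinfo and punycode tricks that a naive "does the link contain google.com" test misses. The allow-list and sample links are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list of hosts that serve a genuine Google sign-in page;
# adjust for the services you actually use.
GOOGLE_LOGIN_HOSTS = {"accounts.google.com", "google.com"}


def host_matches(host: str, allowed: set) -> bool:
    """True only if host equals an allowed name or is a subdomain of one.

    A substring test ('google.com' in url) is the mistake this avoids: it
    would accept accounts.google.com.rsvp-confirm.example.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_login_link(url: str) -> str:
    """Return 'ok' or a 'suspicious: ...' reason for a link that claims to
    lead to a Google sign-in page."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme != "https":
        return "suspicious: not https"
    if p.username is not None:
        # https://accounts.google.com@evil.example/ really goes to evil.example
        return "suspicious: userinfo before host, real host is %r" % host
    if not host:
        return "suspicious: no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: punycode label (look-alike characters) in host"
    if not host_matches(host, GOOGLE_LOGIN_HOSTS):
        return "suspicious: host %r is not a Google login domain" % host
    return "ok"


# Constructed sample links of the kind an invitation e-mail button might carry.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin/v2/identifier",
    "https://accounts.google.com.rsvp-confirm.example/login",
    "https://accounts.google.com@rsvp-confirm.example/login",
    "http://accounts.google.com/signin",
    "https://xn--ggle-0nda.com/signin",
]


def triage(links):
    """Map each link to its verdict."""
    return {u: check_login_link(u) for u in links}


if __name__ == "__main__":
    for u, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:62s} {u}")
```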
