Phishing Links Sent Via Legitimate Google Drive Notifications

Stu Sjouwerman | Nov 5, 2020

Scammers are abusing a Google Drive feature to send phishing links in automated email notifications from Google, WIRED reports. By mentioning a Google user in a Drive document, the scammers can cause Google to generate a notification that will be sent straight to the user’s inbox, bypassing spam filters.

“The smartest part of the scam is that the emails and notifications it generates come directly from Google,” WIRED explains. “On mobile, the scam uses the collaboration feature in Google Drive to generate a push notification inviting people to collaborate on a document. If tapped, the notification takes you directly to a document that contains a very large, tempting link. An email notification created by the scam, which also comes from Google, also contains a potentially malicious link. Unlike regular spam, which Gmail does a pretty good job of filtering out, this message not only makes it into your inbox, it gets an added layer of legitimacy by coming from Google itself.”

WIRED says this technique has been observed frequently over the past few weeks, so users should be on the lookout.

“The scammers are working their way through a huge list of Gmail accounts, with scores of people reporting similar versions of the attack in recent weeks,” WIRED says.

Google said it’s working on new ways to detect malicious activity, but David Emm, a principal security researcher at Kaspersky, told WIRED that this could be a challenge.

“It’s difficult for Google to do anything if the notification is coming from a legitimate account, which is, of course, easy to create,” Emm said. “Avoid clicking on unsolicited links of any kind when sent from unknown sources. If you weren’t expecting to receive it and don’t know the sender, don’t respond.”

In this case, the messages are clumsily written and would make many users suspicious. However, a more talented attacker could easily craft a much more convincing scam using this method. Because the notification genuinely originates from Google, sender-reputation and domain-authentication checks pass; what is left to inspect is the link itself and whether you actually know the person who mentioned you. This attack is particularly insidious in the organizational context, where co-workers commonly share their work product using Google Docs and a Drive notification is exactly what they expect to see. New-school security awareness training can help your employees avoid falling for new and unexpected phishing techniques.
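Since the mail really does come from Google, a receiving organization cannot block it by sender. What it can still do is look inside Drive and Docs notification emails for links that lead somewhere other than Google. The following is an added example written for this page, not code from KnowBe4, WIRED or Google. It assumes two sender addresses for Drive/Docs notifications and assumes that Google may wrap outbound links in a `https://www.google.com/url?q=<target>` redirect, so it unwraps those before deciding whether a link is external; a naive "is the host google.com?" test would otherwise wave the wrapped link through. The sample notification is constructed.

```python
"""Flag links in Google Drive/Docs mention notifications that leave Google's domains.

Added example for this page; not code from the original post or from Google.
Assumptions (not stated on the page): the sender addresses below are the ones
Drive/Docs notifications use, and Google may wrap outbound links as
https://www.google.com/url?q=<target>. The sample email is constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Assumed sender addresses of Drive/Docs notification mail (hypothetical here).
NOTIFICATION_SENDERS = {
    "drive-shares-noreply@google.com",
    "comments-noreply@docs.google.com",
}

# A link to one of these hosts is the shared document itself, not the payload.
GOOGLE_DOMAINS = ("google.com", "docs.google.com", "drive.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def unwrap_google_redirect(url: str) -> str:
    """Return the target of an (assumed) google.com/url?q=<target> wrapper,
    or the url unchanged. Classifying the wrapper's host instead of the
    target would make an external link look like a Google one."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if (host == "google.com" or host.endswith(".google.com")) and parts.path == "/url":
        target = parse_qs(parts.query).get("q")
        if target:
            return target[0]
    return url


def is_google_domain(host: str) -> bool:
    """True only for Google hosts; 'google.com.evil.example' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)


def _plain_text_body(msg: Message) -> str:
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def external_links(raw_email: str) -> list[str]:
    """Return non-Google link targets found in a Drive/Docs notification.
    Mail from any other sender returns [] and is left to other rules."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in NOTIFICATION_SENDERS:
        return []
    flagged = []
    for url in URL_RE.findall(_plain_text_body(msg)):
        target = unwrap_google_redirect(url)
        host = urlparse(target).hostname or ""
        if not is_google_domain(host):
            flagged.append(target)
    return flagged


# Constructed sample of a mention notification carrying a wrapped external link.
SAMPLE_NOTIFICATION = """\
From: "Alex (Google Docs)" <comments-noreply@docs.google.com>
To: victim@example.com
Subject: Alex mentioned you in a comment
Content-Type: text/plain; charset="UTF-8"

Alex mentioned you in "Invoice 2020-11":
@victim@example.com please review your overdue payment here:
https://www.google.com/url?q=https://invoice-review.example/pay
Open the document: https://docs.google.com/document/d/EXAMPLE-DOC-ID/edit
"""

if __name__ == "__main__":
    for link in external_links(SAMPLE_NOTIFICATION):
        print("external link in Drive notification:", link)
```

Run against the constructed sample, the document link on docs.google.com is ignored and only the unwrapped payment URL is reported. In a real pipeline this would feed a quarantine or banner rule rather than a print, and the sender list should be confirmed against notifications your own tenant actually receives.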

WIRED has the story.

Discover Your Organization’s Phish-prone™ Percentage

Ninety-one percent of data breaches begin with spear phishing. Launch our Free Phishing Security Test for up to 100 users to uncover your team's vulnerability and see how your security posture stacks up against industry benchmarks.

Get Your Free Phishing Security Test

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.