On the day of his assassination, Abraham Lincoln signed the act that created the Secret Service. It wasn’t created to protect presidents, however. It was created to combat counterfeiting – around one-third of all currency in the US was counterfeit in the 1860s. We’ve been fighting counterfeiting ever since; counterfeiters figure out how to make a convincing copy of currency, and then new features are added to make it much more difficult going forward.
Counterfeiting isn’t limited to currency, though. Some cyber criminals and social engineers are among the best counterfeiters in the world, and technology companies have worked hard to keep up with them. Most people know that there are bogus websites that try to steal your information. They also know about security features like the security lock next to a web address that indicates the website is secure. Security-conscious users know to look at a website carefully, making sure the web address and form layout are familiar before entering sensitive information.
The people trying to steal your password know all of this, and they’ve recently found a creative way to get past all of that scrutiny. And the answer is Google.
Manipulating Google Forms
Google has a product called Google Forms that’s used by individuals and companies to create online surveys. Critically, those surveys can be modified to look just like you want them to look. With a little bit of work, a social engineer can make them look like a login screen for another website. When you fill out the login information, however, you don’t get into your Citibank or CapitalOne account. Instead, you just submit your login info to someone on the other side, who acts quickly to steal money out of your bank account.
Because Google Forms are hosted by Google, they’ve got the HTTPS address and the security lock. The content comes from Google.com, not a suspicious address, and a casual web user could easily assume the banks are letting Google handle their online logins. And if the online thief has done a good job, the form looks almost identical to the one you fill out every time you view your bank info online. All it takes is one well-constructed email with a link to the Google Form to trick someone into giving out their bank login information.
How to Avoid Fake Bank Account Login Pages
The way to avoid these malicious counterfeit schemes is simple. Just as the US government periodically adds new security features to currency, users need to become more and more careful over time when dealing with email. If an email asks you to look at something personal or time-sensitive and provides a link, the safest thing to do is to never click on it. Instead, type the name of the provider into your web browser directly, and log in that way. Or, call your bank (or other service provider) directly. Because no matter how convincing the cyber criminals make their form, they’ve got to find a way to get you there – and usually it’s a bogus email link.
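For anyone who administers a mailbox, the pattern described above (an email that asks for login details and links to a Google-hosted form) can also be checked automatically. The Python below is an added example, not part of the original article; the word list, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Wording that asks for login details; an assumed starter list, tune it for your mail.
CREDENTIAL_RE = re.compile(
    r"\b(log[ -]?in|sign[ -]?in|password|passcode|username|user id)\b",
    re.IGNORECASE,
)

def is_google_form(url):
    """True only when the URL's exact host is one that serves Google Forms."""
    try:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
    except ValueError:              # malformed URL, treat as not a form link
        return False
    if host == "forms.gle":         # Google Forms short links
        return True
    return host == "docs.google.com" and parts.path.startswith("/forms/")

def triage(body):
    """Return (verdict, form_links) for one message body.

    flag  = Google Forms link plus a request for credentials
    note  = Google Forms link only (ordinary surveys land here)
    clean = no Google Forms link
    """
    links = [u for u in URL_RE.findall(body) if is_google_form(u)]
    if not links:
        return "clean", []
    if CREDENTIAL_RE.search(body):
        return "flag", links
    return "note", links

# Constructed sample messages (not real emails).
SAMPLES = {
    "bank_lure": "Your Citibank account is locked. Sign in to confirm your "
                 "password: https://docs.google.com/forms/d/e/EXAMPLE_ID/viewform",
    "survey": "Tell us how we did: https://forms.gle/EXAMPLE",
    "newsletter": "Login help is at https://www.example.com/login-help",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

A "flag" verdict is a reason to hold the message for a closer look, not proof of fraud; no legitimate bank collects passwords through a survey form.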
To learn how modern cybersecurity strategies can help mitigate these risks, call us at 919-460-7011 or visit https://www.wingswept.com/managed-services/cyber-security/.