
What You Need to Know About the New Google Drive Scam

With the use of remote working and collaborative tools on the rise amid the Covid-19 pandemic, cyber
criminals are discovering new ways to reach users. In a recent scam, hackers targeted hundreds of thousands of
Google users with fake Google Drive notifications and emails to trick them into visiting malicious websites.

The cyber attack was a new type of phishing scam: a fraudster attempts to mislead the victim into clicking
on a malicious link and then giving up personal information or downloading malware. Since the start of the
global pandemic, there has been a substantial increase in online scams, with a 667% increase in Covid-19
related email scams.

As phishing attacks become more common and sophisticated, being able to detect phishing attempts is
business-critical. This article will examine what happened during the Google Drive Scam and identify how
to prevent similar phishing attempts.

The 2020 Google Drive Scam: Here’s What Happened


As part of a Google Drive phishing scam, hackers sent push notifications and emails to thousands of
Gmail users, which invited the recipient to collaborate on a Google doc. Users that clicked on the push
notifications were taken to a document containing a large link to a malicious website (the emails also
featured malicious links).

The notifications came from an official no-reply Google address, which made them look authentic, and
featured a range of messages written in broken English or Russian. For example, some claimed the
recipient had won a prize, whereas other messages prompted recipients to review their financial
transactions.

While phishing scams are nothing new, the use of push notifications caught many users off guard, which
has led Google to focus on implementing new measures to identify malicious use of Google Drive
notifications.

5 Lessons to Learn from the Google Drive Scam


The Google Drive scam offers some key learning opportunities for enterprises:

1.   Hackers can send push notifications


Fraudsters can weaponize push notifications, just like email and SMS messages. It’s important to be
skeptical of unusual push notifications the same way you would be if you received any unsolicited online
chat, email, or SMS message.

2.   Be wary of “official” no-reply addresses


The hackers ensured that victims received notifications from a no-reply Google address to gain the
recipient’s trust. Scrutinizing emails for discrepancies such as spelling mistakes and suspicious links is
vital for detecting scam emails from email addresses that appear convincing at first glance.

3.   Don’t click on suspicious links


Hackers will try any medium they can to mislead users into clicking on links to malicious sites, so if you
see a suspicious link in an email or inside a Google Doc, don’t click on it; doing so could take you to a
malicious site.

4.   Be wary of prize offers


One of the messages sent by the cyber criminals claimed that the recipient had won a prize. Any email or
SMS message that claims you’ve won a competition you didn’t sign up for is most likely a scam.

5.   Watch out for spelling mistakes and foreign languages


The fraudsters wrote many of the Google Drive notifications and emails in broken English or Russian.
Messages featuring broken English or foreign languages different from your local language indicate a
scam.

How to Protect Your Data from Phishing Attacks: Tips for Cyber Security Leaders

Here is how cyber security leaders can prevent phishing attacks:

1.   Educate your employees about phishing threats


Educate employees and system administrators about phishing attempts, and use phishing simulation tools
to train them to recognize scams in real-world scenarios so they can detect a scam any time they come across one.

2.   Use security awareness training and phishing awareness training


Provide a mixture of security awareness training and phishing awareness training to ensure phishing and
social engineering threats remain top-of-mind for employees. Recurring training helps to keep employees
up to date with the latest threats. Use phishing simulations to expose your users to a variety of real-world
scenarios and allow them to practice their phish detection skills.

3.   Train internal cyber security ambassadors to encourage phishing awareness

Designate a couple of your team members as cyber security ambassadors to monitor employee phishing
awareness. Train ambassadors about the latest threats and encourage the use of phishing microlearning
modules to train other staff members.

4.   Maintain constant communications

Send ongoing communications to employees about the latest phishing threats and provide guidance on
cyber security best practices so they can keep your environment secure. For instance, you can send out
an email warning about the new Google Drive scam and highlight the dangers of clicking on malicious
emails and URLs.

5.   Keep all IT systems up to date and secure


Maintain your network defense by keeping all software, applications, and operating systems up to date.
Regularly patching software and implementing malware protection or anti-spam software will reduce the
number of vulnerabilities an attacker can exploit.

How to Protect Your Data from Phishing Attacks: Tips for Employees

Here are some essential tips to ensure your team stays safe from phishing scams:

1.   Don’t open emails from unknown senders


Never open messages sent by unknown senders. Whenever you receive a new message, inspect the
sender’s name and email address to see if it’s someone you recognize. You can also verify the sender’s
identity by contacting them in-person or over the phone.

2.   Don’t click on suspicious links


Be cautious of any links you receive from unfamiliar sources. Malicious links can take you to phishing sites
and infect your device. Hovering your mouse cursor over URLs is a great way to check the destination
URL. If you’re still unsure about the link’s validity, you can always visit the official website manually
through the search bar.
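The hover check described above can be automated on the receiving side: parse every link in an HTML email body and flag those whose visible text names one site while the href actually goes to another, or whose destination is a bare IP address. The script below is an added example written for this article, not code from the original page or from Google; the sample email body, the TEST-NET address 203.0.113.45 and the example.net lookalike host are constructed inputs, and the two-label "registrable domain" shortcut is a deliberate simplification.

```python
"""Flag links in an HTML email body whose visible text points to a
different host than the actual destination (what a user would notice by
hovering over the link). Added example, not part of the original article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one legitimate link, one link whose text
# shows a Google Drive URL but leads to a bare IP, and one lookalike host.
SAMPLE_EMAIL = """<p>You have a new shared document.</p>
<a href="https://drive.google.com/file/d/EXAMPLE-ID/view">Open in Google Drive</a>
<a href="http://203.0.113.45/claim">https://drive.google.com/prize</a>
<a href="https://docs-google-com.example.net/login">docs.google.com</a>"""

# Visible text that itself looks like a URL or domain name
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(value):
    """Return the lowercase host in a URL or bare domain, or None."""
    candidate = value if "://" in value else "http://" + value
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def _registrable(host):
    """Crude site key: last two labels (drive.google.com -> google.com).
    Simplification for the example; real code would use a public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html_body):
    """Return one finding per anchor: href, text, suspicious flag, reasons."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        dest = _host_of(href)
        if dest is None:
            reasons.append("no host in href")
        else:
            shown = _host_of(text) if URL_LIKE.fullmatch(text) else None
            if shown and _registrable(shown) != _registrable(dest):
                reasons.append(f"text shows {shown} but link goes to {dest}")
            if BARE_IP.fullmatch(dest):
                reasons.append("destination is a bare IP address")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['href']}  ->  {'; '.join(finding['reasons']) or 'no issues'}")
```

Run against the constructed sample, the first link passes, the second is flagged twice (text/destination mismatch and bare IP) and the third is flagged for the lookalike host. A link whose text is plain wording such as "Open in Google Drive" is never compared, since there is nothing for the reader to be misled by; the check only fires when the text itself claims a destination.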

3.   Inspect email text for suspicious elements


Carefully read the body text of all emails from unfamiliar sources and watch out for red flags like spelling
mistakes, grammatical errors, and any language that promotes urgency. If the message originates from a
trusted sender, check that the context and the request make sense. If in doubt, contact the sender via another
means.

Recap

The Google Drive scam showed that even push notifications aren’t beyond the reach of cyber criminals.
With hackers continually trying out new scams, cyber security leaders need to be proactive and equip
employees with the knowledge to detect threats independently.

Regular cyber security awareness training is fundamental to staying up to date on the latest techniques
and scams used by fraudsters. Training based on real-life scenarios and phishing simulations dramatically
reduces an employee’s chance of clicking on a malicious link.
