Gmail Phishing Attack Reinforces that 2FA is the Cyber-Safety Belt We All Need

January 19, 2017

It is time to shift from a single password to multi-factor authentication

A new phishing scam designed to steal login credentials from Gmail customers is making headlines this week. And once again, we are reminded of the danger of relying on passwords as the only means of securing access to systems, apps or data.
The Gmail phishing attack has four key components:

  1. An email comes from someone you know who has already been victimized by this attack
  2. The subject is an actual one that the sender has previously used, along with an actual attachment that may have a familiar title
  3. If you click on the attachment expecting a preview, a second tab is opened with a Gmail login page that appears genuine
  4. If you log in again, you are compromised and the process starts over; new emails are generated with subjects and attachments from your account and sent out to your contacts

This attack is highly effective because the emails come from known senders with familiar subjects and attachments. Most users readily trust a message from a known contact, which lets the scam spread quickly from each compromised account to its contacts.

While it is always prudent to check the URL of a link before clicking on it to verify its validity, the most reliable defense against attackers is to enable two-factor authentication (offered by Gmail since 2011!). Two-factor authentication involves combining an additional ‘factor’ – such as a code sent to your phone via text, voice call or mobile app – alongside a password. This raises the bar for security, making it much harder for attackers while giving consumers a “cyber safety-belt.”
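To make the second factor described above concrete, here is an added example (not code from the original post or from Google) of the app-generated code type of two-factor authentication: a time-based one-time password (TOTP, RFC 6238) computed from a shared secret and the clock, and a login routine that refuses access unless both the password and the current code check out. The user record, password, salt and hypothetical `login` function are constructed for the example; the secret is the public RFC 4226/6238 test-vector key, used so the codes can be checked against the published values.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Parameters used by common authenticator apps: 30-second steps, 6 digits, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6

# Public RFC 4226/6238 test-vector key (ASCII "12345678901234567890"), used here
# only so the generated codes can be compared with the published vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = at_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


# Constructed demo user store: password kept as a PBKDF2 hash, TOTP secret beside it.
_SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)


USERS = {
    "alice@example.com": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_secret": RFC_SECRET,
    },
}


def login(user: str, password: str, code: Optional[str], at_time: int) -> bool:
    """Hypothetical login: both factors must pass. A password captured by a fake
    login page is useless on its own, and a captured code expires with its step."""
    rec = USERS.get(user)
    if rec is None:
        hash_password(password)  # same work for unknown users, so timing does not leak existence
        return False
    pw_ok = hmac.compare_digest(hash_password(password), rec["pw_hash"])
    mfa_ok = code is not None and verify_totp(rec["totp_secret"], code, at_time)
    return pw_ok and mfa_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 vector time; the 6-digit code at this instant is 287082
    print("code now:", totp(RFC_SECRET, now))
    print("password + code:", login("alice@example.com", "correct horse battery staple", "287082", now))
    print("phished password only:", login("alice@example.com", "correct horse battery staple", None, now))
    print("same code two steps later:", login("alice@example.com", "correct horse battery staple", "287082", now + 60))
```

The `window` of one step is the usual trade-off between tolerating phone clock drift and limiting how long a captured code stays usable; a replayed code two steps old is already rejected in the last line above.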

Two-factor authentication thwarts the majority of hacks that target users and their bad habits, such as clicking on suspect links or using the same password across multiple applications. The sooner we embrace it, the sooner these hack headlines will subside. At some point, app providers should mandate the use of two-factor authentication whenever it is technically possible.

To learn more about today’s MFA, check out our eBook: “Level Up Your Security.”

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.