
How a Gmail password stealing scam works

Authored by a Symantec employee


Sophisticated cybercriminals have devised a way to steal email credentials that bypasses two-factor authentication security and doesn’t rely on otherwise easy-to-spot phishing methods. Here’s what you need to know to protect yourself from this email password stealing scam.


Who is affected?

Symantec researchers have found this scam largely targets Gmail, Hotmail, and Yahoo Mail users. However, everyone with an email account should be aware of how this scam works to avoid falling victim.


How does the scam work?

To initiate this scam, cybercriminals need to know the user's email address and the phone number associated with it. Both of these contact details can often be obtained easily. With this information in hand, an attacker can abuse the password recovery feature that lets an email user regain access to their account using a verification code sent to their mobile phone. In these quick steps, a cybercriminal can gain access to and take over an email account:

  1. An attacker obtains a victim’s email address and phone number – both of which are usually available.
  2. The attacker poses as the victim and requests a password reset from Google.
  3. Google sends the code to the victim.
  4. The attacker then texts the victim, posing as the email provider, with a message baiting them into sharing the verification code.
  5. The victim passes the verification code on to the “email provider”, unknowingly giving this information to the attacker.
  6. The attacker uses the verification code to reset the password, gaining access to the email account.

With access to the account, an attacker could lock out the victim. The attacker could also add an alternate email address to the account without the victim’s knowledge in order to forward copies of all messages sent to the address. Meanwhile, the victim would not know that their private messages are being intercepted.
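From the defender's side, the sequence above leaves a recognizable trail: a password reset completed with an SMS code, followed shortly by a new forwarding or alternate address. The following is an added example, not code from Symantec or any email provider; the event names, tuple layout and sample data are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta

RESET = "password_reset_via_sms_code"
FOLLOW_UPS = {"forwarding_address_added", "alternate_email_added"}

# Constructed sample events (timestamp, account, event, source IP);
# the schema and event names are hypothetical, not a real provider's log format.
SAMPLE_EVENTS = [
    ("2018-02-27T08:00:00", "alice@example.com", "login_success", "198.51.100.10"),
    ("2018-03-01T10:05:00", "alice@example.com", RESET, "203.0.113.7"),
    ("2018-03-01T10:09:00", "alice@example.com", "forwarding_address_added", "203.0.113.7"),
    ("2018-02-28T09:00:00", "bob@example.com", "login_success", "198.51.100.20"),
    ("2018-03-02T09:00:00", "bob@example.com", RESET, "198.51.100.20"),
    ("2018-03-01T12:00:00", "carol@example.com", RESET, "198.51.100.30"),
    ("2018-03-05T12:00:00", "carol@example.com", "forwarding_address_added", "198.51.100.30"),
]

def find_suspicious_resets(events, window=timedelta(hours=24)):
    """Flag forwarding/alternate-address changes made soon after an SMS-code reset."""
    findings = []
    known_ips = {}   # account -> IPs seen on earlier successful logins
    last_reset = {}  # account -> (time, ip, ip_was_new) of the latest SMS-code reset
    for ts, account, event, ip in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        seen = known_ips.setdefault(account, set())
        if event == "login_success":
            seen.add(ip)
        elif event == RESET:
            last_reset[account] = (when, ip, ip not in seen)
        elif event in FOLLOW_UPS and account in last_reset:
            reset_time, reset_ip, new_ip = last_reset[account]
            if when - reset_time <= window:
                findings.append({
                    "account": account,
                    "change": event,
                    "minutes_after_reset": int((when - reset_time).total_seconds() // 60),
                    "reset_ip": reset_ip,
                    "reset_from_new_ip": new_ip,
                })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        print(finding)
```

A reset with no follow-up change (bob) and a change made days after the reset (carol) are not flagged with the default 24-hour window.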

What is at risk?

With access to an email account, an attacker can exploit personal details found in your inbox. Symantec researchers studying the attack have found that cybercriminals carrying out this scam are not usually after financial information, but are gathering information about their targets.

How to avoid this scam

Be wary of suspicious SMS text messages asking about email verification codes. If you are unsure whether a request is legitimate, contact the email service provider directly.

Also, keep in mind password best practices, such as using a unique password for each of your accounts.

© 2018 Symantec Corporation. All rights reserved.