52 votes

So I fell for a phishing

In a moment of distraction, I fell for a phishing phone call and compromised my Google account. It took me 13 minutes to realize how catastrophically stupid I am and begin frantically changing passwords. I've run the official Google "secure your account" process probably 10 times (though 9 of those times there was nothing to do). I've checked all my financial info, changed passwords on all sorts of things. As far as I can tell, other than gaining access to my Gmail, I don't think anything else was compromised.

How boned am I? I've got 2FA on basically anything remotely important, and I've had decent password hygiene (although I do use the Google password manager, so that's probably comprimised). Is there something else I should do or be on the lookout for?

37 comments

  1. [12]
    skybrian
    Link
    Maybe look through Gmail settings for anything suspicious? For example, make sure mail isn't being forwarded anywhere.

    Maybe look through Gmail settings for anything suspicious? For example, make sure mail isn't being forwarded anywhere.

    31 votes
    1. [11]
      Rudism
      Link Parent
      I would also check "linked apps," "your devices," and "app passwords," as these are all ways someone could potentially maintain access to your account even if you change your normal account...

      I would also check "linked apps," "your devices," and "app passwords," as these are all ways someone could potentially maintain access to your account even if you change your normal account password and have 2fa enabled.

      26 votes
      1. [10]
        Rhodytbone
        Link Parent
        Thanks for those suggestions. All looks clean.

        Thanks for those suggestions. All looks clean.

        9 votes
        1. [9]
          DistractionRectangle
          Link Parent
          If you haven't, rotate your backup codes: https://support.google.com/accounts/answer/1187538?hl=en&co=GENIE.Platform%3DDesktop&oco=0
          7 votes
          1. [7]
            updawg
            Link Parent
            I'm curious where super nerds, nerds, and regular people keep their backup codes. I guess you could put them in a password manager...?

            I'm curious where super nerds, nerds, and regular people keep their backup codes. I guess you could put them in a password manager...?

            3 votes
            1. [6]
              sum4
              Link Parent
              That's where I do yes, regular nerd I guess?

              That's where I do yes, regular nerd I guess?

              2 votes
              1. [5]
                updawg
                Link Parent
                I mean to ask if people print them, store them in a password manager, just store them plaintext in a note on their phone because the note is encrypted on-server anyway, etc.

                I mean to ask if people print them, store them in a password manager, just store them plaintext in a note on their phone because the note is encrypted on-server anyway, etc.

                1 vote
                1. DistractionRectangle
                  Link Parent
                  I keep a cd in the back of a drawer in a cardboard sleeve + a separate bitwarden vault for important but rarely needed things. Nothing wrong with paper if that works for people.

                  I keep a cd in the back of a drawer in a cardboard sleeve + a separate bitwarden vault for important but rarely needed things.

                  Nothing wrong with paper if that works for people.

                  2 votes
                2. sum4
                  Link Parent
                  I store them as a note on the entry in bitwarden to keep it all organised, I've got my 2fa in there also, willing to risk all eggs in one basket as I use a hardware key

                  I store them as a note on the entry in bitwarden to keep it all organised, I've got my 2fa in there also, willing to risk all eggs in one basket as I use a hardware key

                  1 vote
                3. Sheep
                  Link Parent
                  I have them in a note in my password manager (I know, bad hygiene) but also inside a note in the usb flash drive which contains my Linux OS install, which I always have around in case my OS ever...

                  I have them in a note in my password manager (I know, bad hygiene) but also inside a note in the usb flash drive which contains my Linux OS install, which I always have around in case my OS ever breaks.

                  1 vote
                4. lhamil64
                  Link Parent
                  At least for the important ones (Google, my password manager, etc) I print them and store them in a safe place with my other sensitive documents. I personally avoid putting 2fa or backup codes in...

                  At least for the important ones (Google, my password manager, etc) I print them and store them in a safe place with my other sensitive documents. I personally avoid putting 2fa or backup codes in my password manager because that defeats the whole purpose. If someone were to gain access to my password manager, they’d still need access to the second factor or backup codes.

                  1 vote
          2. Rhodytbone
            Link Parent
            I didnt know this was a thing! I've never used backup codes, and there didn't seem to be any, so I generated some and rotated them. Thanks!

            I didnt know this was a thing! I've never used backup codes, and there didn't seem to be any, so I generated some and rotated them. Thanks!

            1 vote
  2. [3]
    everythingisblue
    Link
    Sorry to hear that! I don’t have advice for you, but I’m interested in the details of the phone call so I know what to look out for if you don’t mind sharing.

    Sorry to hear that! I don’t have advice for you, but I’m interested in the details of the phone call so I know what to look out for if you don’t mind sharing.

    15 votes
    1. [2]
      Rhodytbone
      Link Parent
      It was a boring, very routine feeling experience. Honestly, the biggest warning sign was getting a call at all. I'll never pick up the phone again for any company and just initiate all phone...

      It was a boring, very routine feeling experience. Honestly, the biggest warning sign was getting a call at all. I'll never pick up the phone again for any company and just initiate all phone communication from now on.

      9 votes
      1. Pistos
        Link Parent
        This is the way to go. In the last several years, I can't remember any important interaction that was them->me. Always me->them, except for fairly trivial stuff, like confirming that I am going to...

        and just initiate all

        This is the way to go. In the last several years, I can't remember any important interaction that was them->me. Always me->them, except for fairly trivial stuff, like confirming that I am going to an appointment that I am certain that I booked.

  3. [14]
    infpossibilityspace
    Link
    First of all great job in recognising it (better late than never!) and staying calm enough to secure your account quickly. I'm curious what they asked you to do? They triggered an MFA event and...

    First of all great job in recognising it (better late than never!) and staying calm enough to secure your account quickly.

    I'm curious what they asked you to do? They triggered an MFA event and got you to enter/tell them the code?

    The Google thing would have invalidated all active sessions, kicking them out of anything they could access. The two things that might be an issue are (1) can they get back in, and (2) what could they do with the info they saw.

    Regarding (1), I would double-check they didn't add a new MFA device to your account or disable the MFA option. That's pretty much the only thing they can do to regain access other than phishing you again.

    For (2), I'd keep a watchful eye on your bank statements for any transactions you don't recognise, at least for the next month or two. If your profile has lots of personal info on it (addresses etc.), also keep an eye out for indicators of identity theft, like unexpected letters or your credit rating suddenly dropping.

    I don't think there's much else you can do at this stage other than keeping a keen eye for anything suspicious, I'd be curious if other people here have ideas (edit, @skybrian and @rudism note some great things to check, in line with (1)). If you do see something, I'd advise getting in touch with your bank/local authorities just in case.

    Fun fact, phishing via a phone call is known in the industry as "vishing" (voice-phishing)!

    11 votes
    1. [13]
      Rhodytbone
      Link Parent
      I'm so embarrassed. I know better. The attacker had an American male accent. He didn't ask me for any information and provided me with enough of my info that it was credible. He sounded bored. He...

      I'm so embarrassed. I know better.

      The attacker had an American male accent. He didn't ask me for any information and provided me with enough of my info that it was credible. He sounded bored. He presented himself as part of google's security team (as I type this i'm cringing) and said that he was stopping an attempt to change my account information. I was distracted by work and I'm a little sick and once the alarm bells went off I was too impatient to stop and think. They did trigger an mfa attempt and I told them the code. It's so obvious in hindsight.

      Step one of the Google account recovery rehab thing was to review MFA devices and accounts, so that should be good. I'll check out those other Gmail settings too before I go to bed tonight. Idk what kind of damage he could have done in 13 minutes, but I have 10s of thousands of old emails in that account. I don't know if there's an easy way to download them all or if that's a thing people even do.

      18 votes
      1. [3]
        zoroa
        Link Parent
        Thank you for talking about this. It's not your fault. Even the people who really really know better get phished: The guy who made HaveIBeenPwned.com The innumerable amount of Open Source...

        I'm so embarrassed. I know better.

        Thank you for talking about this.

        It's not your fault. Even the people who really really know better get phished:

        These scams are so widespread because they count on shame keeping people silent. They prey on folks who may be tired, stressed, or otherwise wouldn't expect someone to target them to do them harm. I really appreciate you making the topic, and engaging with folks in the thread. If its any solace, you're helping folks avoid similar situations.

        26 votes
        1. [2]
          infpossibilityspace
          Link Parent
          Absolutely this. I work in cyber and have even seen people trained in this stuff get caught out by lapses of judgment. In a way we're almost more likely to because we get overconfident and...

          Absolutely this. I work in cyber and have even seen people trained in this stuff get caught out by lapses of judgment. In a way we're almost more likely to because we get overconfident and complacent.

          It's a good reminder to stay humble.

          14 votes
          1. Noox
            Link Parent
            Like I said to the OP, I'm the Privacy Officer for my company and they also got me once. Slightly distracted and an email just plausible enough that it didn't trigger the correct warning signs. My...

            Like I said to the OP, I'm the Privacy Officer for my company and they also got me once. Slightly distracted and an email just plausible enough that it didn't trigger the correct warning signs. My damage was very minimal luckily, just embarrassment really - but that's why I told the entire company after that if it happened to me it can absolutely happen to you.

            9 votes
      2. [3]
        Carrow
        Link Parent
        Don't be too hard on yourself, they're counting on catching folks distracted or distressed enough to overlook the signs, it happens. You recognized quickly, took mitigatory steps, and sought help...

        Don't be too hard on yourself, they're counting on catching folks distracted or distressed enough to overlook the signs, it happens. You recognized quickly, took mitigatory steps, and sought help -- basically the next best thing.

        16 votes
        1. [2]
          Rhodytbone
          Link Parent
          Thank you. I need to remember to be at least a little but kind myself

          Thank you. I need to remember to be at least a little but kind myself

          10 votes
          1. Noox
            Link Parent
            I'm the literal Privacy Officer for my 150+ person company and I sent my phone number to the '''CTO''' in a moment of distraction. It was early, and I'd have a conversation with them about...

            I'm the literal Privacy Officer for my 150+ person company and I sent my phone number to the '''CTO''' in a moment of distraction.

            It was early, and I'd have a conversation with them about something they wanted me to check on the day before; So when I got the email of 'send me your phone number so I can send you details on a task for today' I checked out all critical thinking and just went 'Okay, here it is! 😄'.

            Point being, it happens to all of us - and they know it does. That's why it's a numbers game. All they need is 1 out of 1000 people to be distracted, or unfamiliar with what phishing is, or a little sick that day - and they win.

            Good on you for recognising it almost immediately and taking steps to minimise the damage. I echo the other commenter - don't be so hard on yourself :)

            6 votes
      3. dirthawker
        Link Parent
        I have some history of studying spammers and scammers going back to the early 2000s, so I like to think of myself as pretty savvy. But I got super close to being had last year. Someone called up...

        I have some history of studying spammers and scammers going back to the early 2000s, so I like to think of myself as pretty savvy. But I got super close to being had last year. Someone called up spoofing a phone number of my HMO and asking about my surgery. It had to have been sheer coincidence I had recently had a procedure done that would be considered a surgery, so I assumed it was about that. I answered an awful lot of questions. My spidey sense went off when he gave a wrong date for the procedure, and full alarm bells rang when he started talking about the FDA. Told them I was busy and had to go. I got phone calls for the next 3-4 weeks, multiple times a day, spoofing different locations of the HMO, and they gave up after that. Don't kick yourself. It's just a shame that scammers have destroyed our ability to trust the institutions we use.

        9 votes
      4. [3]
        goose
        Link Parent
        The two quick ways to do that would be: If they initiated a Google Takeout, which you can check at: https://takeout.google.com (Look at "Export progress" at the bottom, packaging a Takeout takes...

        I don't know if there's an easy way to download them all or if that's a thing people even do.

        The two quick ways to do that would be:

        1. If they initiated a Google Takeout, which you can check at: https://takeout.google.com (Look at "Export progress" at the bottom, packaging a Takeout takes hours to days, depending on how much data you have).

        2. If they were offloading all your mail via an IMAP client. You should be able to see everywhere your account is actively signed in somewhere (at the bottom of the GMail page I think?). Additionally, given you have MFA enabled, they would have had to generate an App password to do that. The linked page will list any active app passwords associated with your account.

        So long as you changed your password and signed out everywhere, and don't have any app passwords you don't recognize, I don't think you have a ton of immediate threat. My next concern would be if they compromised your Google Password Manager, but I'm not much help there, I'm a BitWarden user myself.

        7 votes
        1. [2]
          Rhodytbone
          Link Parent
          There doesn't seem to be anything exporting and there are no app passwords on my account. My next step is to sign up for bitwarden. Do you actually pay for the service or just do the free option?

          There doesn't seem to be anything exporting and there are no app passwords on my account.

          My next step is to sign up for bitwarden. Do you actually pay for the service or just do the free option?

          4 votes
          1. goose
            Link Parent
            I self host VaultWarden, but that's just because I'm a home labber. My best friend pays for BitWarden, and has been happy. Depending on your needs, there's nothing wrong with the free version. The...

            I self host VaultWarden, but that's just because I'm a home labber. My best friend pays for BitWarden, and has been happy. Depending on your needs, there's nothing wrong with the free version. The "smartest tech guy I know" (@SnoFox but he hasn't really actually been on the site since I invited him) uses 1Password. I don't think they have a free option, but knowing how much I value his opinions when it comes to ITSec, it'll be my first choice if I ever have a reason to move off BitWarden.

            That said, there may not be anything intrinsically wrong with keeping on with Google Password Manager. I just can't say, I've been on BitWarden since before Google Password Manager existed. Maybe it's good, and still fine for your needs? Someone else can probably chime in, who has more specific knowledge.

            2 votes
      5. overbyte
        Link Parent
        It reminds me of the fact that Google is one of those original companies who absolutely do not want to let you ever talk to a human, so having someone call claiming to be from them is suspicious...

        It reminds me of the fact that Google is one of those original companies who absolutely do not want to let you ever talk to a human, so having someone call claiming to be from them is suspicious enough. But a scammer only has to be successful at least once.

        Seconding being vigilant about any changes to MFA as well. Google lets you also skip password logins in favor of passkeys when you have one attached to the account. If you're concerned about portability, you can put a passkey on a password manager like Bitwarden. I'm personally in favor of separating your store of passwords out of systems you need them to, so Google, the iCloud keychain, and browsers being helpful with storing passwords are out.

        6 votes
      6. Octofox
        Link Parent
        This is a big part of why tech companies have been pushing Passkeys, they physically prevent you from falling for phishing attacks.

        This is a big part of why tech companies have been pushing Passkeys, they physically prevent you from falling for phishing attacks.

  4. [3]
    patience_limited
    Link
    In the U.S., if you suspect your identity is at risk, you should place a freeze on your credit reports with all three reporting bureaus. This will (hopefully) prevent new cards from being issued...

    In the U.S., if you suspect your identity is at risk, you should place a freeze on your credit reports with all three reporting bureaus. This will (hopefully) prevent new cards from being issued in your name under someone else's control. It can be a pain to unfreeze everything again quickly, but it's good security to keep your credit records frozen until you know there will be an event where you have to intentionally give someone access (job or housing background checks, etc.).

    You can also (usually) set up a maximum single transaction withdrawal limit with your bank, and notifications for any withdrawals above a certain threshold.

    I hate to say it, but it might be good hygiene to notify everyone in your GMail contacts to be suspicious of messages that apparently come from your address for a while. Account access isn't just about hijacking, it can involve harvesting your network to gain access to higher value accounts.

    11 votes
    1. [2]
      zipf_slaw
      Link Parent
      I believe this is best practice these days even if you don't suspect issues. It's easier than ever to manage the freezes, so it's kind of simple to keep it locked proactively. Mine has been locked...

      In the U.S., if you suspect your identity is at risk, you should place a freeze on your credit reports with all three reporting bureaus.

      I believe this is best practice these days even if you don't suspect issues. It's easier than ever to manage the freezes, so it's kind of simple to keep it locked proactively. Mine has been locked for over 5 years now

      12 votes
      1. Rhodytbone
        Link Parent
        Yeah, credit is already frozen by default. Been getting those dark web alerts for quite a while

        Yeah, credit is already frozen by default. Been getting those dark web alerts for quite a while

        4 votes
  5. [4]
    Rhodytbone
    Link
    I just want to thank everyone for their kind words and helpful advice. I was spiraling pretty hard yesterday. I think the point of the attack was to change some of my Gmail settings (which was...

    I just want to thank everyone for their kind words and helpful advice. I was spiraling pretty hard yesterday. I think the point of the attack was to change some of my Gmail settings (which was apparently fixed by the Google secure your account tool. The first time I ran the process it reported something suspicious there).

    I feel so paranoid about what the attacker might have access to. What kind of damage can he do in my health insurance portal? In my old reddit account? In my target.com account? Changing all those credentials is going to take hours.

    6 votes
    1. chocobean
      Link Parent
      And I want to thank you for making this thread as well. Truly, confession is good for the soul and beneficial to everyone around us. Your post might have saved a lot of us. Couple months ago I...

      And I want to thank you for making this thread as well. Truly, confession is good for the soul and beneficial to everyone around us. Your post might have saved a lot of us.

      Couple months ago I failed one of my company's internal phish test and was made to re-take Phishy the Phishing Awareness Fish course with a literal cartoon fish. It was humiliating. Work had recently switched extended health providers, I was working through a crazy expensive orthodontics braces claim with the new provider and they were being boogers, and without thinking I clicked on an email titled something like "IMPORTANT: Health Plan Changes For Salaried Employees".

      Hopefully your attacker was actually a bored call center peon whose job it was to collect accounts to pass up to someone else, and so nothing else was done to it yet.

      4 votes
    2. [2]
      tomf
      Link Parent
      if you aren't using bitwarden or another password manager, now is an excellent time to get started

      if you aren't using bitwarden or another password manager, now is an excellent time to get started

      1 vote
      1. Rhodytbone
        Link Parent
        Yeah, that's on my list for today for sure.

        Yeah, that's on my list for today for sure.

        1 vote
  6. Pistos
    Link
    I haven't seen this mentioned yet in the threads, but I wonder: Isn't it the case that most major service providers (including Google/Gmail) send a notification email when there's a sign-in from...

    I haven't seen this mentioned yet in the threads, but I wonder: Isn't it the case that most major service providers (including Google/Gmail) send a notification email when there's a sign-in from an unusual location? I suppose the attacker could quickly delete that email, but if you had another device also refreshing email, you might have seen it first. And, if you have a secondary email set up, doesn't the service send this notification to that email address, too?