Google announced today that they had recently uncovered a phishing campaign which had gotten password information from hundreds of Gmail users. According to Google, the campaign, which appeared to originate from Jinan, China, “affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
These were not random individuals: they were targeted, and their passwords were used to access their accounts so that their email could be monitored, often by changing the forwarding settings to automatically send a copy of every incoming message to the perpetrator, or by setting up delegation, which grants another user access to the account.
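The two persistence mechanisms described above (auto-forwarding and delegation) leave traces in the account's own settings, so a defender can audit for them. The following is an added example, not code from Google or from the article: it walks a constructed settings snapshot (a plain dict in an assumed shape, not the Gmail API's schema) and flags any forwarding target, filter-based forward, or delegate whose address is outside the domains the account owner is assumed to control, and separately reports entries that appeared since a saved baseline.

```python
"""Audit a mailbox settings snapshot for silent exfiltration paths.

Constructed example. The snapshot layout below is an assumed, simplified
shape (a plain dict), not the Gmail API's own schema; the owner domains
and all addresses are made up for the demonstration.
"""

# Assumption: domains the account owner legitimately uses (constructed).
OWNER_DOMAINS = {"example.org"}

# Constructed "before" snapshot, taken when the account was known to be clean.
BASELINE = {
    "forwarding": [],
    "filters": [{"match": "subject:newsletter", "label": "News"}],
    "delegates": ["assistant@example.org"],
}

# Constructed "after" snapshot, showing the kind of changes the article describes.
CURRENT = {
    "forwarding": ["all-mail@attacker.example"],
    "filters": [
        {"match": "subject:newsletter", "label": "News"},
        {"match": "from:boss@example.org", "forward_to": "copy@attacker.example"},
    ],
    "delegates": ["assistant@example.org", "unknown-user@freemail.example"],
}


def email_domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def exfil_entries(snapshot):
    """Flatten every setting that can leak or expose mail into (kind, address) pairs."""
    entries = [("forwarding", a) for a in snapshot.get("forwarding", [])]
    entries += [
        ("filter-forward", f["forward_to"])
        for f in snapshot.get("filters", [])
        if f.get("forward_to")
    ]
    entries += [("delegate", d) for d in snapshot.get("delegates", [])]
    return entries


def audit(snapshot, owner_domains):
    """Flag forwarding targets, filter forwards and delegates outside the owner's domains."""
    return [
        (kind, addr)
        for kind, addr in exfil_entries(snapshot)
        if email_domain(addr) not in owner_domains
    ]


def new_since(baseline, current):
    """Report exfiltration-relevant entries present now but absent from the baseline.

    This catches a forward or delegate added to an owner-domain address too,
    which the domain allowlist alone would not notice.
    """
    known = set(exfil_entries(baseline))
    return [e for e in exfil_entries(current) if e not in known]


if __name__ == "__main__":
    for kind, addr in audit(CURRENT, OWNER_DOMAINS):
        print(f"external {kind}: {addr}")
    for kind, addr in new_since(BASELINE, CURRENT):
        print(f"added since baseline: {kind} -> {addr}")
```

In practice the snapshot would be exported from the mail provider's settings or admin console; the check itself stays the same, and running it on a schedule against a stored baseline turns a one-off review into a detection.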
Phishing works by tricking users into revealing personal information like passwords or account numbers by sending the victims what often looks like official correspondence from a bank or other service provider. The emails ask the victims to enter their passwords or account numbers to verify their identity or some similar ruse. In this way, the perpetrators get the victims to voluntarily give up their sensitive information which they then use to access accounts or steal the victim’s identity.
Another common tactic is to direct victims to a fake website made to look like the website of the victim’s bank or other service provider, usually by instructing them to click on a link. When the victim enters their credentials to access their account, the perpetrator records them.
No bank or other legitimate company will ever send an email asking for information in this manner. Instead, they will direct you to visit their official website, where you can sign in to your account securely, or to call them. You should never reply to any email from a company asking for sensitive information. You should also never click on a link in an email asking for information in order to reach the company website. If you get an email from a bank or other vendor asking you to check your account, always type the address of their website into the address bar rather than clicking a link, which could take you to a fake website.
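The advice above rests on one observation: the link in a phishing email points somewhere other than the real site, even when its visible text or its host name is dressed up to look legitimate. The following is an added example, not code from the article or from Google: it extracts the links from a constructed HTML email with Python's standard `html.parser`, compares each `href` host against a set of trusted domains (the bank's real domain is an assumption here), and flags hosts that are raw IP addresses, hosts outside the trusted set, and links whose visible text names a different host than the one they actually open.

```python
"""Flag suspicious links in an HTML email body.

Constructed example. The trusted domain, the email body and every host in it
are made up for the demonstration; the mail is parsed with the standard
library only.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domain the sender genuinely uses (constructed).
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed email body showing three link styles: a lookalike host that
# merely starts with the trusted name, a bare IP address hidden behind
# legitimate-looking link text, and a genuine link to the real site.
CONSTRUCTED_EMAIL = """
<p>Dear customer, please <a href="http://examplebank.com.verify-login.example/secure">
click here</a> to verify your account.</p>
<p>Or visit <a href="http://203.0.113.5/login">https://www.examplebank.com/login</a></p>
<p>Help: <a href="https://www.examplebank.com/help">examplebank.com/help</a></p>
"""

# Matches something that looks like a host name or URL inside link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one (suffix match on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html, trusted):
    """Return [(href, [reasons])] for every link that fails a check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if href_host is None:
            continue
        reasons = []
        if is_ip_literal(href_host):
            reasons.append("ip-address-host")
        if not is_trusted(href_host, trusted):
            reasons.append("untrusted-host")
            # Visible text that names a host different from where the link goes.
            m = URL_IN_TEXT.search(text)
            if m and host_of(m.group(0)) != href_host:
                reasons.append("text-host-mismatch")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(CONSTRUCTED_EMAIL, TRUSTED_DOMAINS):
        print(f"{href}: {', '.join(reasons)}")
```

The suffix check is deliberately on a label boundary, so `examplebank.com.verify-login.example` is not trusted just because it begins with the bank's name; that is exactly the trick the first constructed link relies on.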