Researchers recently discovered a scam using Google Workspace comments to bait its targets. In just two weeks attackers were able to trap almost 1,000 businesses. In other words, seventy businesses were targeted each day. Using a tactic known as business email compromise (BEC), the attackers use legitimate Google services within Google Workspace documents to redirect targets to a fake cryptocurrency site.
The attack begins with bad actors creating a free Google account. Using their Google account, the attackers then create a Google sheet and mention their intended target in a comment. The target receives an email notification, as shown in the example below. If the target clicks the link, they are re-directed to a fake cryptocurrency page. There are several types of fake cryptocurrency pages the scammers use; from typical phishing sites that steal credentials to cryptocurrency mining.
Image: Avann
The rising surge in BEC fraud and crypto scams
The Google workspace crypto scam is just one example of the rising surge in BEC fraud and crypto scams. Consider the following statistics:
- Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts with an adjusted average of 156,000 attempts daily.
- The FBI’s 2022 Internet Crime Report states that losses from cryptocurrency investment fraud rose from $907 million in 2021 to $2.57 billion in 2022.
Don’t let your company be the next victim. Ongoing employee testing and education is essential if you are to protect your organization from these scams.
Test. Educate. Protect – Social Engineer’s Managed Phishing Service
The use of malicious social engineering is at the core of the Google workspace scam. It’s an example of how threats to information security focus their attacks on company employees.
As the experts in social engineering, we designed our security awareness managed services to test, educate, and protect your human network from Vishing Phishing, SMiShing and Impersonation attacks. Our Managed Phishing Service ethically tests your employees using real-world scenarios. We identify at-risk user groups as employees demonstrate their ability to recognize and report fraudulent emails. Don’t wait until it’s too late; contact us today for a quote.
