Friday, May 30, 2025

Heads Up, Gmail Users Need to Do This Now!

 

Just when you think you've got a handle on online security, something else will appear on your feed. This time, it's a new Gmail attack that's got everyone talking. Google has confirmed a new attack that uses weaknesses in their system along with clever scams. 

This latest attack first surfaced on X and in crypto circles, which makes sense since the initial victim was none other than an Ethereum developer, Nick Johnson. He described it as an "extremely sophisticated phishing attack" that "exploits a vulnerability in Google’s infrastructure." What's even more concerning is his warning that because Google hasn't fixed it yet, we're likely to see a lot more of this.

The attack itself is disturbingly clever. It starts with an email that looks completely legitimate, coming from a genuine Google address. Johnson pointed out that it was sent from no-reply@google.com, passed all the security checks, and Gmail happily placed it right alongside his other real security alerts.

Even if you have two-step verification (where you get a code on your phone), it's not enough anymore, especially if those codes come by text message. It's too easy for these attackers to steal your password and those text message codes.

The scary part is how they pulled this off. Apparently, these attackers found a way to send a correctly formatted Google email to themselves from Google. They can then forward copies, and because each copy retains that original legitimate signature, it looks like the real deal. But the end goal is the same old trick: a fake login page designed to steal your credentials.

Thankfully, Google has acknowledged this. They've said they're "aware of this class of targeted attack" and have been rolling out protections over the past week, promising a full deployment soon to shut down this method of abuse. In the meantime, their advice is blunt: get on two-factor authentication and, even better, start using passkeys. They emphasize that these offer much stronger defense against these kinds of phishing attempts.

What really helps? Passkeys. These are like digital keys linked to your phone or computer. To log in, you need to unlock your device – so if an attacker doesn't have your phone, they can't get in, even if they have your password. Google isn't getting rid of passwords completely yet, but you should stop using them to log in.

These smart attacks, and the ones we've seen lately, can be stopped if you update your security. And with AI getting better, these kinds of attacks will become much more common. Microsoft even warned that AI is making it easier for criminals to create believable scams.

You can find out how to add a passkey to your Google account – you should do it today.

The news is full of this latest Gmail problem, but the main point is simple: Google will never email you out of the blue about security issues or ask you to do something to stay safe. Also, if you follow their security advice, your account will be much safer.

Set up passkeys now if you haven't. And remember, just like with bank scams, if someone contacts you pretending to be Google and asking you to do something, it's a scam. It's a constant fight, and it's getting tougher. Google's old advice to just use two-step verification isn't good enough anymore, especially if it's just text messages.

Don't just rely on two-step verification, especially not text messages. There are other security keys you can use, but passkeys are the easiest. If you use Gmail, all three billion of you should set up passkeys now. Google is moving away from text message codes, and you should too. In your account settings, turn on an authenticator app or Google prompts on your other devices as well – and definitely use a passkey.

If you have strong security like this, you don't have to worry as much about how clever the attacks are. But you need to stop typing in your password to log in, and make sure your two-step verification is stronger than just text messages. Google and others still let you use passwords as a backup, even with passkeys, and that's a weak spot.

Think about it: if someone gets into your email, they can probably get into everything else linked to it, like your bank or social media. They can ask for password resets and see security alerts.

You've been warned. Do this now to protect yourself.

Thinking of Moving from OneDrive to Google Drive?

 

Thinking about switching from OneDrive to Google Drive? Now's the perfect time. Google's powerful migration tool is generally available, and with the added customization features, moving your business data is smoother than ever. Interlock IT, a proud Microsoft and Google Partner, is ready to guide you through the process.


Why Choose Google Drive?

Many businesses are making the switch to Google Drive for its powerful collaboration tools, seamless integration with the Google Workspace ecosystem, and enhanced security features. If you're looking to boost team productivity and streamline your workflow, Google Drive is a compelling option.


Google's Enhanced Migration Tool: Easier Than Ever

Google's migration tool is now generally available, giving admins the power to move files for up to 100 users simultaneously while preserving crucial file sharing permissions. And with the latest updates, you get even finer control:

  • Migrate only the files you need by specifying a date range.

  • Exclude unwanted file types and large files to streamline the migration.

  • Let Google automatically match users between OneDrive and Google Drive, saving time and effort because no manual mapping is needed.

Interlock IT: Your Migration Partner

Migrating your business data can be a complex undertaking. Interlock IT, as both a Microsoft and Google Partner, simplifies the process. We offer:

  • Personalized Planning: We'll work closely with you to understand your unique needs and develop a tailored migration strategy.

  • Expert Execution: Our team will handle the technical aspects of the migration, ensuring a smooth and efficient data transfer.

  • Minimized Downtime: We'll work to minimize any disruption to your business operations during the migration.

  • Ongoing Support: We'll be there to support you after the migration, answering your questions and helping you maximize the benefits of Google Drive.

Ready to Make the Switch?

If you're a business considering a move from OneDrive to Google Drive, Interlock IT is here to help. Contact us today for a free consultation. We'll help you navigate the migration process and ensure a successful transition to Google Workspace. Let us help you unlock the full potential of Google Drive and drive your business forward.

Friday, May 9, 2025

Secret Weapon Against Phishing? This Simple Email Check Could Save You!


The recent news about Ethereum developer Nick Johnson being targeted by a sophisticated phishing attack serves as an important reminder of the ongoing threats we face online. Johnson, the lead developer of the Ethereum Name Service (ENS), fell victim to a cleverly designed email that bypassed Gmail's security filters.

The attack utilized a "DKIM replay" technique, making the malicious email appear to be a genuine security alert from Google. The email, which claimed a subpoena had been issued for Johnson's Google account, used a spoofed "no-reply@google.com" address and even passed the DKIM signature check, causing it to be grouped with legitimate Google security notifications.


Image Source: https://x.com/nicksdjohnson/status/1912439023982834120


The email urged immediate action via a link to "Review Activity," which led to a fake Google support portal hosted on a legitimate Google subdomain (sites.google.com). This added to the deception, as the URL appeared trustworthy at first glance. The attackers exploited a vulnerability in Google's OAuth system to create this convincing fake communication.

This incident highlights the increasing sophistication of phishing attacks, which are now leveraging legitimate infrastructure and authentication methods, making them harder to detect.


Understanding How to Spot Phishing Emails


While these attacks can be sophisticated, there are still key indicators that can help you identify a potential phishing scam:

  • Sense of Urgency: Phishing emails often try to create a feeling of urgency, pressuring you to act quickly without careful consideration. Be wary of phrases like "Immediate Action Required" or threats of account closure.
  • Examine the Sender's Email Address: Don't just look at the name displayed. Hover your mouse over the sender's name to see the actual email address. Verify if the domain matches the legitimate organization. For example, emails from Google should typically end in @google.com.
  • Inspect Links Before Clicking: Before clicking any links, hover your mouse over them to see the actual URL. Check if it matches the expected website address and look for any unusual characters or misspellings. In Johnson's case, the link directed to sites.google.com instead of the primary accounts.google.com for account-related actions.
  • Check the "Mailed by" and "Signed by" Information: This relates to email authentication protocols like DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance), which help verify the sender's identity. Ideally, for a legitimate email that has passed these checks, the "mailed-by" and "signed-by" domains should be the same. If these domains are different or appear suspicious, it could be a sign of a phishing attempt. 
  • Look for Grammatical Errors and Typos: While not always the case with sophisticated attacks, many phishing emails contain grammatical mistakes or typos. Legitimate organizations usually have professional standards for their communications.
  • Be Cautious of Attachments: Avoid opening attachments from unknown or unexpected senders, as they may contain malicious software.
  • Verify Through Official Channels: If you are ever unsure about the legitimacy of an email, do not respond to it or click any links. Instead, contact the organization directly through their official website or phone number to verify the communication.
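The "mailed-by" and "signed-by" comparison from the list above can also be run against a message's raw headers. The following is an added example, not code from Interlock IT or Google: it assumes "mailed-by" corresponds to the SPF-authenticated domain and "signed-by" to the DKIM signing domain recorded in the `Authentication-Results` header, and every domain and header in it is constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(value):
    """Lower-cased domain part of 'user@dom', '@dom' or 'dom'."""
    return value.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def _org(domain):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def check_sender(raw_message):
    """Compare the From, SPF (mailed-by) and DKIM (signed-by) domains."""
    msg = message_from_string(raw_message)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    # Trust only the Authentication-Results header added by your own mail server.
    results = " ".join(msg.get("Authentication-Results", "").split())
    spf = re.search(r"\bspf=pass\b[^;]*?smtp\.mailfrom=([^\s;]+)", results, re.I)
    dkim = re.search(r"\bdkim=pass\b[^;]*?header\.[di]=([^\s;]+)", results, re.I)
    mailed_by = _domain(spf.group(1)) if spf else None
    signed_by = _domain(dkim.group(1)) if dkim else None
    warnings = []
    if signed_by is None:
        warnings.append("no passing DKIM signature")
    elif _org(signed_by) != _org(from_dom):
        warnings.append(f"signed-by {signed_by} does not match From {from_dom}")
    if mailed_by is None:
        warnings.append("no passing SPF result")
    elif signed_by and _org(mailed_by) != _org(signed_by):
        warnings.append(f"mailed-by {mailed_by} differs from signed-by {signed_by}")
    return {"from": from_dom, "mailed_by": mailed_by,
            "signed_by": signed_by, "warnings": warnings}

# Constructed sample headers (not taken from the real incident).
FORWARDED = """\
From: Security Alerts <no-reply@example.com>
Authentication-Results: mx.mailhost.test;
 dkim=pass header.i=@accounts.example.com header.s=sel1;
 spf=pass smtp.mailfrom=bounce@forwarder.example.net;
 dmarc=pass header.from=example.com
Subject: Security alert

body
"""
DIRECT = FORWARDED.replace("forwarder.example.net", "mail.example.com")

if __name__ == "__main__":
    for name, raw in (("forwarded", FORWARDED), ("direct", DIRECT)):
        print(name, check_sender(raw))
```

The forwarded sample passes DKIM and DMARC yet is flagged, because the domain that actually handed the message over is unrelated to the domain that signed it.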

The phishing attack on Nick Johnson underscores the importance of staying vigilant and informed about online security threats. By understanding the tactics used by cybercriminals and knowing how to identify potential phishing attempts, individuals can significantly reduce their risk of becoming a victim.

Conclusion

Having strong email security measures in place is more critical than ever. At Interlock IT, we understand these challenges and are committed to empowering you with the tools and knowledge to stay protected. That's why we offer comprehensive DMARC report analysis to help you understand and improve your email authentication setup, a crucial step in preventing email spoofing and enhancing your overall security posture. As a trusted Google Partner and Microsoft Silver Partner, we provide expert guidance and solutions tailored to your specific needs. Don't wait until it's too late – take proactive steps to strengthen your cybersecurity today.


Contact us today for more information.


Friday, March 28, 2025

Interlock IT's Insider Secrets to Outsmarting Big Bank Fees


At Interlock IT, we're always looking for ways to optimize our operations and save money. And as it turns out, one of the biggest drains on our resources was something many Canadian businesses face: exorbitant banking fees and poor exchange rates, especially when dealing with US dollars (USD). Our owner, a seasoned CPA, was tired of seeing hard-earned money disappear into the pockets of big banks. So, we made it our mission to find and implement the most efficient, cost-saving Canadian payment and banking solutions. And we’re here to share our story, because we believe everyone deserves to keep more of their money.

The Hidden Costs of Traditional Banking

Let’s face it, traditional banks can be costly. We noticed this firsthand when converting USD to Canadian dollars. For example, when we needed to convert $8,514.23 USD, the amount we received from our regular bank was noticeably less than what we could get elsewhere. We found that we were losing money due to hidden fees and less-than-ideal exchange rates. It felt like we were paying for convenience, and not getting much in return.


Interlock IT Bank Transfer


Testing Canadian Payment and Banking solutions


We decided to explore alternatives, and what we found was eye-opening. Here's what we did:

  • Wise: For currency conversions, Wise became our go-to. It offers transparent fees and much better exchange rates. We saved a significant amount on every USD to CAD conversion.

  • Venn: For Canadian dollar and USD electronic payments, Venn is our top choice. Their fees for EFT payments within Canada are much lower than Wise's, and they offer monthly plans with unlimited local payments. It's more cost-effective for electronic payments within Canada. We switched from Plooto to Venn because of the cost savings. 

  • EQ Bank: We moved our primary banking to EQ Bank. It’s a completely digital bank with no monthly or transaction fees, and it pays us 3% interest on our operating funds. That’s a huge win compared to the zero interest and fees at RBC and other traditional banks.

  • Wealthsimple: An alternative to EQ Bank for 2.75% interest on business savings accounts but with the added option of investing in their managed stock portfolios. Self-directed investment accounts are coming soon.

  • RBC: We still maintain an account with RBC for legacy reasons, to receive payments from long-term customers who have been using it for 15 years. However, we transfer our RBC receipts daily to EQ Bank to earn that 3% interest.

Why This Matters to You:


You might be thinking, "What does this have to do with me?" Well, the same principles apply to everyone. Whether you're a business owner or just managing your personal finances, you can benefit from:

  • Saving money: By using platforms like Wise, you can get better exchange rates and avoid hidden fees.
  • Earning more: Digital banks like EQ Bank offer higher interest rates, allowing your money to work harder for you.

Our Experience is Your Benefit


At Interlock IT, we've seen firsthand how these changes can make a real difference. We’re not just talking about saving a few dollars; we’re talking about significant savings that add up over time.


Want to Try It Yourself?


We’re so happy with these services that we’re sharing our referral links, because we truly believe these platforms are beneficial.


We want to be clear that these referral fees are not our main motivation. Our primary goal is to share useful insights. If our guidance has proven valuable to you, we see no reason to decline them.


Key Takeaways:

  • Don’t settle for high bank fees and poor exchange rates.
  • Explore other banking tools to save money and simplify your finances.
  • Every little bit of savings adds up.