Google Blogoscoped

Google Calendar Phishing

Ionut Alex. Chitu [PersonRank 10]

Thursday, June 26, 2008
16 years ago | 5,306 views

<< It was sent with a layout that looked very official, and it even had an actual event from my calendar listed in the information (grayed out in the screenshot in the top right). Now this one was a bit more peculiar, because who else but Google would know my private calendar events? >>

That information is displayed by Google so you can make an informed decision.

<< It got my name right... might be just luck, as my name is included in my mail address. >>

The name is also displayed by Google when you send invitations using Google Calendar. This is the standard format of an invitation from GCal:

[Invitation] Event Name @ Event Date (Event Sender)

And the invitation includes:

<Your Name>, you are invited to
<Event Name>

<Event Date>
<Event Location>
Calendar: <Calendar Name>

<Event Details>
More event details»
Will you attend?

Philipp Lenssen [PersonRank 10]

16 years ago

[Edit: to clarify what happened, I added one sentence describing that I was then added to this event as guest which caused the event invite to be sent by Google.]

Tony Ruscoe [PersonRank 10]

16 years ago

I guess it's kind of related to this:

http://blogoscoped.com/archive/2008-03-27-n63.html

Shelly S [PersonRank 0]

16 years ago

There are a couple of minor typos/grammatical errors that set off my internal alarms. While it's always possible for someone at Google to make errors of that nature, phishers almost always do.

Ionut Alex. Chitu [PersonRank 10]

16 years ago

<< a couple of minor typos/grammatical errors >>

There are a lot of things that should make you realize that the mail is not from Google.

* the mail is sent from *[put at-character here]googlemail.com
* there's no Gmail customer care
* it's stupid to send a calendar invitation to verify an account
* Google has other ways to verify if you use an account
* Google wouldn't randomly close accounts
* Google wouldn't ask for your password
etc.

Ianf [PersonRank 10]

16 years ago

Philipp-the-carnivore wrote:
   [...]
> BBQ at Susans place

Who's Susan? ;-))

(As for the so-called "Invitation".... the grammatical errors are a dead giveaway something's fishy here.)

Juha-Matti Laurio [PersonRank 10]

16 years ago

Nice to see that Google is aware (we hope that they are aware of!) via Gmail's anti-phishing feature.

Mysterius [PersonRank 10]

16 years ago

It always puzzles me when phishers spend so much time and ingenuity plotting their dastardly methods...

... and then fail to spell/grammar-check. What gives?

MichaelR [PersonRank 0]

16 years ago

So what are these typos then, exactly?
(Yup, I am not American...)

Lode [PersonRank 0]

16 years ago

What is the phishing here? How would they get your password if you accept the invitation?

Philipp Lenssen [PersonRank 10]

16 years ago

> What is the phishing here? How would they get your
> password if you accept the invitation?

It is not meant to look like an invitation per se, I think – rather, the invitation approach is just a trick. What they actually expect you to do is hit the reply button and then fill out the user name and password (and more) in the reply, as text in the blanked fields. Ionut says "it's stupid to send a calendar invitation to verify an account" but the point is that users may not necessarily understand that it's an invitation in the first place if they do not read through all of the email: rather, they may skim over the email and read the "you are invited to VERIFY YOUR ACCOUNT" bit as just another way of saying "please verify your account" (not as in "approve this event").

Naturally, just skimming over an email and not checking it in detail should never be done if you provide a password, and in fact, you should not provide any password at all in an email reply or by hitting the link to a site through an email. But phishers don't phish for very security-aware people, they fish for those who don't know about phishing...

Mograham [PersonRank 0]

16 years ago

Thank you for sending a warning for all who use Google. Very thoughtful and considerate. You never know, in a weak moment, when you might answer such a request. There is a certain amount of natural curiosity in all of us.
Thanks again.
