Email users are being warned to watch out for a new phishing email scam – this time, the fake email is purportedly from Google Photos. For victims, it could cost them big time.
This Google Photos scam email has it all – false pretences, a fake giveaway of an item worth thousands, and playing on real fears about how your personal media could be used by a tech giant.
It only takes a momentary lapse in judgement to fall for a phishing email scam. We explain what to watch out for with this one, plus how to stay ahead of scammers and phishing threats.
Stay protected against phishing scams and more with our guide to the Best Antivirus Software
Google Photos Email Scam – How it Works and How to Spot it
Upon first glance, this email may look reasonably authentic. The logo looks real, the email sender has the name “Google Photos Service,” and there are on-brand buttons for installing the Google Photos app from the Google Play or Apple App stores.
All of which may make it seem pretty alarming as you read that Google has apparently chosen one of your photos to appear in a poster.
Is that something that would even happen? In legal terms, it's not all that far-fetched. Sign up to Google services, including Photos, and you grant the company a license to use the content you upload. Here's a clause from Google's real terms and conditions that sounds pretty alarming:
“This license allows Google to… publish, publicly perform, or publicly display your content, if you’ve made it visible to others”
So, scam or no scam, could Google legally reproduce one of your photos on a poster for its services? While it's possible, it's highly unlikely this is what Google is seeking to do with these terms. The right to publish, perform, or publicly display actually covers actions such as showing your content in shared destinations (that you have opted to make shareable) – this could be as simple as a video on YouTube, or a photo you've added to a Google review for a restaurant.
So that's real Google, but back to the scam email imitating Google.
How to spot it's a scam email:
- The sender's display name says Google, but the actual email address is at a different domain
- There's a typo (“choose” rather than “chose” or “have chosen”)
- There's no attempt to address you by name as a user, suggesting it's been sent out to thousands of recipients
- The actions you're prompted to take are confusing – get more storage, download an app, or “View details” – and every one of the links leads to a scam site
What Happens if You Click on the Google Photos Scam?
If you're in any doubt about the authenticity of an email, please don't click on the links. If you're currently working from home while the COVID pandemic rages, your IT manager will be particularly grateful that you haven't put a company device (or servers) at risk by clicking on a sketchy link – a huge number of business security risks begin with users inadvertently clicking on a phishing link.
We clicked, so you don't have to – under controlled conditions. And once you click out of the Google Photos email, all pretence of this being anything to do with Google vanishes immediately. You're instead drawn into a different scam – this time, involving a farcically cheap iPhone 12 giveaway and a sense of urgency to make you hand over your payment details.
The scammers first try to keep victims clicking in order to warm them up further. Mystery boxes of potential prizes are shown – click on any of these, and you're taken to a page where you're told you can have the latest iPhone for mere pocket change – as long as you act immediately.
It's this sense of urgency that's used to pressure victims into making a mistake – the message says:
“Important: As our prizes are in high demand, we may only reserve your prize for a maximum of 5 minutes. You will need to complete the prize submission form during this time otherwise your prize will be forfeited.”
None of this is true – there is no prize, let alone a stopwatch “determined by regulation” (regulated by whom, exactly?). It's all designed to prompt hasty decisions and costly mistakes.
How costly? Get to the final screen, and you're encouraged to enter your name and card details. At this point, the scammer could withdraw any amount they choose.
Would anyone fall for such an obvious scam? Sadly, plenty do – it only takes a couple of victims to make this ruse profitable for scammers. And remember, you're unlikely to be individually targeted – scam emails get sent out to hundreds of thousands of recipients in the hope that just one hands over their personal details.
What should you do if you receive scam emails?
Scam emails haven't disappeared – if anything, the pandemic has made them worse. With so many of us working from home, even the best spam filters (from your company, or from Gmail and Outlook) can let a dangerous email pass through. What you do when you receive one matters most of all.
Delete the email
Don't worry if you've opened it – this isn't how viruses get downloaded to your device. But if you see something fishy, delete the email immediately.
Report the email
If you're using your work account, let your IT manager know. They'll thank you for this – it helps your IT team stay on top of latest risks and, if necessary, adjust your company's spam filtering. If you're using personal email, then use the Report/Flag button to help your webmail service improve its own spam detection.
You can even report a phishing email to the company that's being imitated. Google has a detailed guide on scams that impersonate its services.
“By focusing on providing the best user experience possible, Google has earned a trusted brand name. Unfortunately, unscrupulous people sometimes try to use the Google brand to scam and defraud others.” – Google scams guide
Don't click the links
Here's where things get very dangerous – don't click on the links. This is how ransomware and other malware variants can be installed onto your device. In the worst circumstances, they can even affect your network security or shared cloud drives. Ransomware costs companies a fortune, so don't take the risk. If you're in doubt, hover over the links (without clicking them) to reveal the true destination URL in the preview at the bottom of your browser – this will show you whether the links lead to a genuine service.
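The tells listed earlier (a Google display name on a non-Google address, no greeting by name, every button pointing somewhere other than Google) and the hover-to-reveal check above can all be applied to a raw email mechanically. The script below is an added example, not code from the original article: it parses a constructed sample message (the sender domain, link hosts and recipient are all made up for illustration) and reports each indicator it finds. The list of hosts a genuine Google Photos email would link to is an assumption made for the example.

```python
"""Added example (not from the article): flag the phishing signs the
article lists in a raw email. Sample message and domains are constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Google Photos mail would link to (assumption for this example).
EXPECTED_HOSTS = {"google.com", "play.google.com", "apps.apple.com"}

# Constructed sample in the shape the article describes: on-brand display name,
# off-brand sender domain, generic greeting, buttons pointing at a prize site.
RAW_EMAIL = """\
From: "Google Photos Service" <noreply@photos-service-mail.example>
To: "Alice Example" <alice@example.net>
Subject: Your photo has been chosen
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user,</p>
<p>We choose one of your photos to appear in a poster.</p>
<p><a href="http://prize-claim.example/view">View details</a></p>
<p><a href="http://prize-claim.example/play">Get it on Google Play</a></p>
<p><a href="https://apps.apple.com/app/google-photos">App Store</a></p>
</body></html>
"""


class BodyScanner(HTMLParser):
    """Collect visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def google_controlled(host):
    """True only for google.com and its subdomains, so that a look-alike such as
    google.com.evil.example is not accepted."""
    return host == "google.com" or host.endswith(".google.com")


def analyse(raw):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The display name says Google, but the address behind it does not.
    sender = msg["From"].addresses[0]
    if "google" in sender.display_name.lower() and not google_controlled(sender.domain.lower()):
        findings.append(f"sender claims to be Google but the address is at {sender.domain}")

    scanner = BodyScanner()
    scanner.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    body_text = " ".join(scanner.text).lower()

    # 2. A bulk mailing never addresses the recipient by name.
    recipient = msg["To"].addresses[0].display_name
    if recipient and recipient.split()[0].lower() not in body_text:
        findings.append(f"no personalised greeting: recipient {recipient!r} is never named")

    # 3. Where each link really goes, i.e. what hovering over it would reveal.
    for href, anchor in scanner.links:
        host = (urlparse(href).hostname or "").lower()
        if host not in EXPECTED_HOSTS and not google_controlled(host):
            findings.append(f"link {anchor!r} leads to {host or href}, not to the claimed service")
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_EMAIL):
        print("-", finding)
```

Run against the sample, the script reports the off-brand sender domain, the missing greeting and the two buttons that point at the prize site; the App Store link, which goes where its label says, is not flagged. The same three checks are what a mail gateway rule or a quick triage script would encode before anyone clicks.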
Don't give your financial details
Never fill in your credit card, PayPal, or any other payment details after following prompts from an unexpected email. Similarly, don't fill in your username and password – these can be lifted by a scammer.
Don't re-use the same passwords
If you're using the same password to log into multiple accounts, then it only takes one account to be compromised and they're all at risk. Password managers are a simple, low-cost and secure way to manage multiple logins. The best one we've tested is 1Password, which offers a free trial period. See all our password manager recommendations to learn more.