Scam alert
  • A new Google Photo sharing scam is the latest attempt to steal your credentials to hack and access your accounts.
  • You receive a message claiming to be from Google Photo that says someone is sharing a photo album with you. You’re asked to log into your account, except the message isn’t real, and the criminals take off with your Google credentials.
  • If you receive a message you are not expecting or from someone you don’t know, don’t click on any link in the message.
  • If you want to learn more about the Google Photo sharing scam or if you are a victim, contact the Identity Theft Resource Center toll-free at 888.400.5530 or by live-chat. Just visit www.idtheftcenter.org to get started.

Scammers always try to find different ways to attack consumers. One new attempt is through a text or email that appears to come from Google Photo. The Identity Theft Resource Center (ITRC) recently received a suspicious message that appeared to be a legitimate attempt to share a Google Photo album. However, it was actually a phishing scam.

Like many phishing attacks, the Google Photo sharing scam is an attempt to steal your credentials. The tactic has become more common with cybercriminals shifting away from attacks seeking consumer information and towards attacks that target logins and passwords. 

Who is the Target?

Text message users; email users

What is the Scam?

You receive what appears to be a real attempt to share a Google Photo album. The message claims that someone has shared a photo album with you. However, there is no photo album. Once you click the “View Photo” link, you are prompted to another website to log into your Google account. Since the website captures the login information, you then provide the identity thieves with access to your credentials and account.

What They Want

It’s always easier to steal something when you have the key to a lock instead of having to break into where valuables are kept. Identity criminals want to access personal and work accounts because that’s easier and faster than trying to break into a system. The Google Photo sharing scam is a way for identity criminals to get the credentials needed to access and steal personal and company information. According to the FBI, email compromises cost U.S. businesses $1.8 billion, and phishing schemes cost individuals $54 million in 2020.

How to Avoid Being Scammed

  • Never click on a link in a suspicious or unexpected message. While the message might look legitimate, the links and attachments could still have malware. Instead, if the message comes from a “company,” reach out to the company directly to verify whether the message is real. If it comes from an unknown person, delete the message without clicking any links.
  • Check the URL link and be on the lookout for short links. Sometimes, there are signs in the link that give away it is a scam. For example, a link address might read “Goo.gle” instead of “Google.” You are more likely to see that when a link is shortened, a favorite tactic of cybercriminals. Another tactic is typing out a hyperlinked text to what looks like a legitimate website (like Google.com). However, it actually displays an unknown site when you hover over the link.
  • Use Multifactor Authentication (MFA) on important accounts. Even trained cybersecurity professionals fall for sophisticated phishing attempts that look real. That’s why it’s important to use MFA on any account that offers the feature. Use an authenticator app when possible – Microsoft and Google offer them for free – because they are more secure than just having a code texted to your mobile device. With MFA in place, having your login and password won’t help a criminal access your protected accounts.
  • Never reuse or share passwords. Criminals steal logins and passwords because they know most people use the same password on multiple accounts. Too many people also use the same passwords at home and work. Make sure each account has a unique password that is at least 12 characters long.

If you believe you are a victim of a Google Photo sharing scam or would like to learn more, contact the ITRC toll-free. You can call (888.400.5530) or use the live-chat function on the company website. Just go to www.idtheftcenter.org to get started.