Cybersecurity Blog

Hackers thwart two-step verification with phishing emails – 01/02/19

Those clever hackers are at it again. They have figured out a way to get around two-step verification on Gmail and Yahoo accounts. They are using fake alerts to lure their victims into giving up verification codes.

The scam works like this. First you receive an email saying your account may have been compromised. The email includes a button to take you to your account to check its activity. However, when you click the button you are sent to the hackers' web page, which looks like an official login page. When you enter your password, another fake web page appears asking for a verification code. All of this seems perfectly normal, as the pages look just like the real thing.

Unfortunately, the hackers have recorded your login credentials. They immediately use those credentials to log in to the actual account website, which generates a verification code that is sent to your phone. You receive the code seconds after entering your credentials, so you think nothing of it. You enter the verification code into the fake website. The code is recorded by the hackers and they enter it on the real two-step verification page before it expires. To keep you from getting suspicious, you are sent to another fake web page asking you to change your password. Once you "change your password" you are redirected to a real account web page. They now have access to your account and you are unaware something is amiss.

How do you protect against this type of attack? Don't use links in emails to verify possible account compromises. Instead, use a bookmark or a search result to visit the account website yourself, and check the security status or change your password that way.
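The advice above comes down to one check: does the link in the alert email really go to the account provider's own site? The following script is an added example, not code from this blog; it pulls every link out of a constructed alert email and flags those whose target host is not the trusted account domain, including the two tricks these pages rely on: a lookalike host such as `google.com.login-check.example` and a `user@host` prefix that makes the real host easy to overlook. The trusted-domain list and the sample email are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist of legitimate account domains for this example; a real
# deployment would maintain its own list.
TRUSTED_DOMAINS = {"google.com", "yahoo.com"}


def is_trusted_host(url):
    """True only if the URL's host is a trusted domain or a subdomain of one.

    urlsplit().hostname strips any 'user@' prefix and port, so
    'https://google.com@login-check.example/' resolves to the untrusted host.
    The suffix test uses a leading dot, so 'notgoogle.com' is not accepted.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def suspicious_links(html):
    """Return (href, text, reason) for each link that does not go to a trusted domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if is_trusted_host(href):
            continue
        reason = "target host is not a trusted account domain"
        # A trusted name in the button text with an untrusted target is the
        # classic lookalike pattern described in the post.
        if any(d in text.lower() for d in TRUSTED_DOMAINS):
            reason += "; link text names a trusted domain"
        findings.append((href, text, reason))
    return findings


# Constructed alert email for the example: one real link, two phishing-style links.
SAMPLE_EMAIL = """
<p>We detected unusual sign-in activity on your account.</p>
<a href="https://google.com.login-check.example/activity">Check activity at google.com</a>
<a href="https://google.com@login-check.example/">Review security</a>
<p>Or visit <a href="https://myaccount.google.com/">My Account</a> directly.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

Running it prints the two untrusted links and stays silent about `myaccount.google.com`. The same hostname-based test is what a bookmark gives you for free: the bookmark's host is fixed, whereas an email link's host is chosen by whoever sent the email.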
