A new YouTube phishing campaign is making rounds in the wild, urging users to read and accept so-called changes in YouTube’s rules and policies. What’s scary is that it abuses YouTube’s authentic email address to lure users into providing their credentials.
What’s the new scam?
YouTube has published a warning, stating that several users have raised complaints about this ongoing phishing campaign.
- The emails inform users about some updates in YouTube’s new monetization policy and some new rules that users should agree with to continue with the service.
- To inculcate a sense of urgency, they are asked to review and accept the new rules within seven days.
- Along with the message, the emails contain a YouTube video and a link to Google Drive, which when clicked, ask targets to provide their YouTube credentials.
- The phishing emails appear to be sent using no-reply@youtube[.]com, an authentic YouTube account, thus, adding more legitimacy to the scam.
Abuse of authentic email ID
- A tech researcher alerted YouTube about this scam via a tweet, sharing the details of the email he received. He stated that the emails were not spoofed, and were sent via YouTube’s authentic email ID.
- The scammers are apparently abusing YouTube’s Share Video by Email feature, which allows users to share their private videos via YouTube’s official email notification channel.
The scam uses the official email address to lure victims, however, comprises several telltale signs hinting about the scam.
- The language used in the email is quite imperfect, with several random words, such as Getting Monetization money earned.
- The format of the email is distorted, with no proper bullets in lists and no spacing between different paragraphs and sections.
- Moreover, the seven-day deadline is a usual tactic used by several scammers to create a sense of urgency.
Abuse of popular platforms and services is not new, and this scam stands as another reminder that trusted social media platforms are a popular playground for scammers. To stay protected, experts recommend users be vigilant when providing any sensitive information, specifically credentials. Double-check the authenticity of any email or link by scanning them with genuine security software and avoid engaging with any suspicious-looking alerts, claims, and offers that have an undue sense of urgency.