Google's top fraud fighter explains why it's risky to brag about owning bitcoin

Key Points
  • A Google executive who oversees email fraud, abuse and identity issues says people need to rethink the contemporary threats to their email accounts.
  • Bragging about owning a lot of bitcoin on a public message board can make you a target.
  • Scammers today often research potential victims before approaching them, using info from social media and other sources.
Google's email security lead Mark Risher talks about how people can update their thinking about email scams. 

Google's head fraud-fighter wants you to know you might be a much more valuable target than you think.

Scammers target people regardless of how prominent they are, said Mark Risher, who oversees the company's initiatives to protect Gmail and other Google properties against cyberattacks.

"It could just be a case of mistaken identity or guilt by association. They could be using someone who seems to be low value to pivot toward somebody considered a higher value target, like somebody political in nature," he told CNBC. "Or maybe they saw that you were discussing Bitcoin on a public message board."

In any of these scenarios, attackers can use your social profile or email account to fish out valuable information, or break into your email account to do a password reset on your valuable financial accounts or cryptocurrency wallets.

Here's some of what Risher warned us about.

The risks of bragging about your bitcoin

Risher said there has been uptick in attacks against people who hold cryptocurrencies in digital wallets. These attacks can often be traced back to a post by the victim on a public message board, which is then quickly followed by criminal attempts on their email accounts.

The reason is simple: Some cryptocurrency wallet providers allow users to reset their access to the wallet through email. Attackers can then use the email reset to open the wallet and steal cryptocurrency.

Scam messages have gotten personal

It's a mistake to associate decades-old email scams — like the once-prolific "Nigerian Prince" scam — with today's criminals, he said. The newer crop of email attacks often come across as indistinguishable from personal messages you could receive from friends or family.

"You might think of this generic 'Dear Sir or Madam, I am contacting you to ask you for a favor,' but the truth is many of these attackers have done some serious research on their victims," he said. "So you might get what we call 'social truth' in your message."

Finding this "social truth" — personal details about your life that make a scam message seem authentic — is getting easier as the amount of data we share grows. People tend to contribute to this growth by creating then forgetting about email addresses, message board posts and social media accounts. Information seldom disappears from the internet, even if we forget about it.

"Our data is all over the place," he said.

One degree of separation

Criminals are also becoming much better at gaining access to "high-value targets," like executives at prominent businesses or political figures, by taking a circuitous route through people who work with them or are loosely connected to them. If you've ever volunteered for a political campaign, gone to a dinner party hosted by a CEO or worked for a well-known technology company, that person could be you.

Criminals have also shown they can wend their way into anyone's email account by going through a chain of password resets through a long-forgotten account.

For email threats like these, which are often more persistent and backed by nation-states, Google sends an alert to customers that government-based hackers may be trying to steal their password. Risher said it matters because people who are aware that they may be on the wrong end of a particularly effective and powerful type of attack may take additional security steps if they have that information.

Other tips, Risher said, include making note of all the email addresses associated with your financial accounts and being mindful of the security associated with those addresses, and limiting the amount of information you share through social media networks.

Google has been rolling out several security measures for security-minded Gmail users, including the Advanced Protection Program, which requires the use of third-party physical security keys — a solution Google has said significantly cut down on email scams internally. The company is also launching a USB-based security key called Titan for consumers.

Google's new security key will protect you from phishing attacks
Google's new security key will protect you from phishing attacks