A massive Google Docs phishing scam spread like wildfire through the internet earlier today via Gmail. The scam was deceptively stealthy and could have affected even the more wary of users. Although Google has stopped this specific attack, there’s no telling how many copycats might spring from this admittedly successful scam.
Here’s what you need to know so you don’t fall for the same trick.
If you’re unfamiliar with the phishing scam, you can check out this detailed post on the scam by Reddit user JakeSteam. Jake himself admitted that he too almost fell for it because of how hard the scam was to detect.
Here’s what happened:
1. Users would receive a reasonably legitimate-looking email (although it’s fake) saying that a Google Docs document had been shared with them.
2. Clicking on the link would bring users to the real Google account selection page (if they have multiple Google accounts) and prompt them to pick the account they’d like to access the Doc with.
3. When a user chose an account, a popup would appear asking them to grant “Google Docs” (actually a malicious third-party app masquerading as Google Docs) permission to access key aspects of their account.
4. If the user granted the app permission, it would be able to read all their emails and spread this same phishing email to all their contacts.
The reason it is so dangerous is that the link you click on actually works within Google’s system. That means that when you check the URL, you will find that it is genuinely Google’s, lulling you into a false sense of security. Because of how well everything is hidden, the only way to really double-check is to look at the developer information on the permissions selection screen, as Twitter user @zachlatta details:
— Zach Latta (@zachlatta) May 3, 2017
Besides that, there’s one other tell: Google Docs doesn’t require permission to access your contacts or manage your emails. In fact, it doesn’t require any permissions to work at all. I use Google Docs all the time and I haven’t granted it any permissions yet.
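The two tells above (a first-party product name attached to a developer who isn’t Google, and “Google Docs” asking for permissions it never needs) can be turned into a simple review rule. The following script is an added illustration and not code from the article or from Google; it assumes the consent request is available as a small record (app name, developer e-mail, requested scopes), and the trusted-developer and first-party-name lists are placeholders an organization would tune. The developer address in the sample data is a constructed placeholder, not a real indicator from the campaign.

```python
"""Triage of OAuth consent requests based on the two tells described above.

Added illustration, not code from the article. Assumptions: a consent request
is available as a record of (app name, developer e-mail, scopes); the
TRUSTED_DEVELOPER_DOMAINS and FIRST_PARTY_NAMES lists are placeholders.
"""
import unicodedata
from dataclasses import dataclass, field
from typing import List

# Google API scopes that grant the kind of access the article describes (mail, contacts).
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly": "read all your email",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify your email",
    "https://mail.google.com/": "full access to your mailbox",
    "https://www.googleapis.com/auth/contacts": "read and manage your contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read your contacts",
}

# Product names a third-party developer should never be allowed to use verbatim (assumption).
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

# Developer e-mail domains treated as genuine first-party apps (assumption: placeholder list).
TRUSTED_DEVELOPER_DOMAINS = {"google.com"}


@dataclass
class ConsentRequest:
    app_name: str          # name shown on the consent screen
    developer_email: str   # the "developer info" shown on the consent screen
    scopes: List[str]      # permissions the app is requesting


@dataclass
class Verdict:
    risky: bool
    reasons: List[str] = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Fold case, apply NFKC (folds full-width lookalike letters) and squash whitespace."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def review_consent(req: ConsentRequest) -> Verdict:
    """Return a Verdict listing every reason this consent request should be refused."""
    reasons: List[str] = []
    name = normalize_name(req.app_name)
    domain = req.developer_email.rsplit("@", 1)[-1].casefold()
    trusted_dev = domain in TRUSTED_DEVELOPER_DOMAINS

    # Tell 1: a first-party product name whose developer is not Google.
    if name in FIRST_PARTY_NAMES and not trusted_dev:
        reasons.append(f'app is named "{req.app_name}" but its developer is {req.developer_email}')

    # Tell 2: Google Docs itself never asks for permissions, so any scope request is wrong.
    if name == "google docs" and req.scopes:
        reasons.append("Google Docs needs no account permissions; this request asks for some")

    # Any unknown developer asking for mail or contacts access deserves a second look.
    if not trusted_dev:
        for scope in req.scopes:
            if scope in SENSITIVE_SCOPES:
                reasons.append(f"requests permission to {SENSITIVE_SCOPES[scope]}")

    return Verdict(risky=bool(reasons), reasons=reasons)


def triage(requests: List[ConsentRequest]) -> List[str]:
    """Return the app names of the requests that should be refused or escalated."""
    return [r.app_name for r in requests if review_consent(r).risky]


# Constructed sample records; the attacker address is a placeholder, not a real indicator.
SAMPLE_REQUESTS = [
    ConsentRequest("Google Docs", "attacker-dev@example.com",
                   ["https://www.googleapis.com/auth/gmail.readonly",
                    "https://www.googleapis.com/auth/contacts"]),
    ConsentRequest("Calendar Helper", "dev@example.org",
                   ["https://www.googleapis.com/auth/calendar.readonly"]),
    ConsentRequest("Google Drive", "noreply@google.com", []),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        v = review_consent(r)
        print(f"{r.app_name!r}: {'RISKY' if v.risky else 'ok'}")
        for reason in v.reasons:
            print("   -", reason)
```

Run as-is, only the impersonating “Google Docs” record is flagged, with four separate reasons; the honestly named calendar helper passes because a read-only calendar scope is not on the sensitive list, and the genuine first-party record passes because its developer domain is trusted. The scope list is deliberately short so that the rule stays readable; in practice it would be extended to cover every scope your organization treats as sensitive.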
Looking back on this, you’re probably thinking, “Why did these people open a shared Google Docs link they didn’t ask for?”, and you’d be right to wonder that. But, especially with phishing scams, hindsight is 20/20. In the moment, especially when you’re not prepared for it, a momentary lapse in judgement is all it takes to fall for a scam.
With that in mind, this can be a good teaching moment. You should always be wary of emails, and in this case shared documents, that you didn’t ask for. If it’s an unsolicited email from someone you don’t know, it’s probably not a good idea to click on any links in it.
And, if you’ve received a shared Google Doc that you didn’t ask for from someone — even if it’s someone you know — it’s always better to double check with the sender and find out if they really sent it in the first place. In other words, always be suspicious.
In light of this recent scam, we have to give credit where credit is due too: Google’s response in shutting this down was definitely speedy. Within an hour of detecting the problem, the search engine giant was able to shut down the entire campaign, push security updates and resolve the entire issue.
Google estimates the number of affected people at just 0.1% of all Gmail users (though, as The Next Web has pointed out, that’s still about 1 million users) and says that no other data was exposed. Google also said that affected users do not need to take any further action. Here’s their official statement:
We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 percent of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.
Gmail has also received a new anti-phishing security update which will warn users of suspicious links in an email message. Whether this is related to this phishing scam or not is unknown. Either way, this update will roll out over the next three days.