Google tackles sophisticated phishing scheme targeting Docs

The malicious scam became widespread yesterday

Yesterday was not a great day for big tech companies. WhatsApp faced a 2-hour outage and Google had to issue a warning to Google Docs users. This warning came after a sophisticated phishing attack was identified. 

The attack sends a Gmail user an emailed invitation that appears to come from someone they may know. The user is then taken to a legitimate Google sign-in screen and asked to "Continue to Google Docs". By clicking through at this stage, the user has granted a malicious third-party app permission to access their Gmail account.

This is deemed a sophisticated scheme because it does not simply take users to a fake Google page to steal their password. It runs on Google's own infrastructure and abuses the fact that anyone can register a web app with a misleading name; in this instance, the scammers named their app "Google Docs".
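The abuse described above, a third-party app presenting a first-party product name in order to obtain mail access, is the kind of grant an administrator would want to surface when reviewing the apps users have authorized. The following is an added example, not code from the article or from Google: the grant records, client IDs and the `first_party` flag are constructed assumptions, while the scope strings are real Google API scopes.

```python
"""Triage helper for OAuth consent grants (added example, constructed data).

Flags third-party apps whose display name impersonates a first-party Google
product and that hold mailbox or contacts access.
"""
from dataclasses import dataclass

# Product names a third-party app has no business presenting as its own.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google sheets"}

# Real Google API scopes that expose mailbox contents or the address book.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/contacts",
}


@dataclass
class Grant:
    app_name: str        # display name shown on the consent screen
    client_id: str       # OAuth client id (constructed values below)
    first_party: bool    # assumption: True when Google itself owns the client
    scopes: frozenset    # scopes the user consented to


def normalise(name):
    """Collapse whitespace and case so 'Google  Docs ' still matches."""
    return " ".join(name.split()).strip().lower()


def is_suspicious(grant):
    """Non-Google client + Google product name + sensitive scope."""
    if grant.first_party:
        return False
    name = normalise(grant.app_name)
    impersonates = any(fp in name for fp in FIRST_PARTY_NAMES)
    sensitive = bool(grant.scopes & SENSITIVE_SCOPES)
    return impersonates and sensitive


def find_suspicious(grants):
    """Return the client ids of grants that should be reviewed and revoked."""
    return [g.client_id for g in grants if is_suspicious(g)]


# Constructed sample grants: a genuine first-party app, a benign third party,
# and a lookalike third-party app that was granted full Gmail access.
SAMPLE_GRANTS = [
    Grant("Google Docs", "first-party-docs", True,
          frozenset({"https://www.googleapis.com/auth/drive"})),
    Grant("Acme Expense Tracker", "acme-client-0001", False,
          frozenset({"https://www.googleapis.com/auth/drive.file"})),
    Grant("Google Docs", "lookalike-client-0002", False,
          frozenset({"https://mail.google.com/",
                     "https://www.googleapis.com/auth/contacts"})),
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_GRANTS))  # → ['lookalike-client-0002']
```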

While Google now says it has resolved this issue, the company is still urging users to report any phishing emails they may receive. 

"We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts," Google said in a statement. "We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."

Stay Safe:

These schemes are becoming more sophisticated, but there are a few simple things you can do to keep yourself and your data safe.

  • Look for urgency: If the email states urgent action is required to verify your details or process a refund, do not act. Chances are it’s a phishing expedition.
  • Company info: Many of these phishing attempts involve criminals posing as a well-known company or bank. Always check the sender's email address. Look at any logos within the email and hover your mouse over any link within the email (don't click on it); this may reveal that the link points to a falsified website. If it doesn't look legit, bin it.
  • Spelling: Watch out for appalling typos or sentences that just don't make sense. We often scan emails rather than reading them fully, so if you are suspicious, take a moment or two to read the entire email. If you spot something dodgy, bin it.
  • Verify: If you are still unsure about the legitimacy of an email, call the provider and explain your situation. This may take a few minutes out of your day, but it’s better than losing money to a phishing scam.