Important PSA coming your way: If you got a mystery invite to collaborate on a Google Doc, you were probably the victim of a phishing attempt.
This scam was huge — big enough that it transcended the tech news circle and was being reported by mainstream media outlets.
There’s good reason for that. The scam spread quickly, and was surprisingly convincing. This was no "a Nigerian prince wants a million dollars" that are so obvious the only person you have to warn is your grandma.
The word is out about it, but just because this phishing scam has passed doesn’t mean that there won’t be others. It’s important to know what you’re up against, what to do if you got hit by it, and how to protect yourself in the future.
What is the Google Docs phishing scam?
When you think of a nefarious third party getting your information, you probably think of someone typing away on a keyboard in a dark room, hacking the mainframe or something. Or some sort of suave, fast-talking conman.
The truth is usually a lot more mundane than that. Phishing is the practice of "obtain[ing] sensitive information such as usernames, passwords, and credit card details...by disguising as a trustworthy entity in an electronic communication." Basically, no one has to take your information – you give it over freely.
Remember the DNC hack last year? That came about when John Podesta clicked a link in an fraudulent email suggesting that he change his password, because someone was trying to access his Google account. I’m sure the irony wasn’t lost on him.
The Google Doc phishing scam took this to the next level. It’s a legitimate-looking email (as long as you didn’t look at the recipient, "email@example.com"), and clicking the included link takes the user to a legitimate-looking Google Docs page with a legitimate-looking URL. It asks for permission to "Read, send, delete, and manage your email," and to "Manage your contacts." If you give it that permission, it will start spamming your contact list to spread.
Because of how widespread this attack was, it was picked up early. We aren’t always so lucky; small scale attacks, and things like malware and other exploits, can go undetected in the wild for a while.The Google Docs phishing scam was bad, but all indications are that it could’ve been much worse.
What to do if you’re a victim
While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.
The Security Checkup allows you to see what devices and services are connected to your account. You can revoke access to Google Docs to purge your account of the scam. While you’re in there, make sure you have a connected phone number, and also have two-step verification set up. It won’t necessarily help in this situation, but it’s good practice.
It also doesn’t hurt to change your passwords. A common phishing tactic is to take control of an email account and trigger forgotten password emails, essentially handing over control of bank and retail accounts – you know, the ones with your credit card and bank information. If you use a password manager, it should be easy to change (and save!) all of your passwords quickly.
How to protect yourself online
The Google Docs phishing scam was the latest in a long line of schemes to take the personal information of internet users, but it certainly won’t be the last. You should go through the basics of good online security to protect yourself from the next scam.
- Don’t click suspicious links. Obvious, yes, but still important. This is especially important as emails themselves get more sophisticated and look more legitimate. If you get an unexpected email asking you to verify something or reset a password, don’t fall for it. Go to the alleged website (i.e., Amazon) and reset your password that way.
- Use a password manager. We’re big fans of password managers. There’s no shortage of choices out there such as OnePassword or LastPass. Password managers make it easy to change passwords, randomize passwords so they’re more secure, and remember passwords (because you aren’t the one who has to remember them!). There’s no excuse for short, unsafe duplicate passwords.
- Use two-factor authentication. Connect your phone to important accounts. If an unknown source tries to log in, you’ll get a notification or temporary passcode sent to your phone to proceed. It’s a simple way to cut off anyone trying to access your accounts right away.