The Google Docs Phishing Scam – and why it’s so dangerous

Jun 5, 2017

Online phishing scams usually have a certain type of victim: the elderly, the young, the technologically inexperienced. Through no real fault of their own, these groups lack the experience or training to spot a phish, and they routinely become the latest casualties of scams that have been repeated for decades. Millennials, the technologically adept and the professional are generally far more resistant. They fall victim now and again and do make up some of the statistics, but far less often than other demographics. Those who grew up with the internet know how to spot and avoid the common lures, and many professionals take training courses on the subject.

This is why a recent scam has gathered so much attention. People took notice when they heard that a phishing campaign was tearing across the internet and that the bulk of its targets were professionals and young people, the very people who should be hardest to fool. Entire companies fell victim, and not the ones you would expect: not mechanics or farms whose online presence is a sideline to their real business, but media companies and online marketing specialists, companies that live and breathe the online world and should know better. For example, around 2,500 employees of the state of Minnesota in the United States received the e-mail. Very few fell for it, but enough to cost the state around $90,000, mostly in lost staff time rather than damage, though it is still $90,000 better spent elsewhere. Fortunately the state of Minnesota rarely uses cloud documents (most government agencies are lucky to be using tech from the same century as the rest of us), otherwise the damage could have been far worse.

The reason for this target audience becomes clear once you understand how the scam works. The target receives an e-mail saying that someone has shared a Google Doc with them, with a button to open it. The link leads to Google's own account chooser, where you pick which of your signed-in Google accounts to open the document with. Then an application calling itself "Google Docs" asks, through Google's standard third-party consent screen, for permission to read, send, delete and manage your e-mail and to manage your contacts. Google's own Docs never needs to ask for this; the "Google Docs" here is just the display name an attacker chose for an app they registered with Google. Grant it and the attacker holds an OAuth token for your mailbox, which the campaign used to send the same invitation to everyone in your contacts. Nothing in the address bar would have warned you: every page in the flow, up to and including the consent screen, was genuinely served by Google. This is not Google asking. This is a phishing scammer.
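Because the whole exchange runs on Google's real login and consent pages, the only things that identify who is asking are the parameters of the OAuth authorization URL behind the consent screen. The Python script below is an added example written for this page (it is not from the original article or from Google) that parses such a URL and surfaces the three things worth reading before clicking Allow: whether the consent page really is accounts.google.com, where the authorization code will be sent (the redirect_uri), and which scopes are being requested. The sample URL, its client_id and its redirect domain are constructed for illustration; the scope strings are real Google scopes, but the list is illustrative rather than exhaustive.

```python
from urllib.parse import urlparse, parse_qs

# Real Google OAuth scope strings that grant broad account access. The
# descriptions are paraphrased; the list is illustrative, not exhaustive.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage all of your Gmail",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/contacts": "read and edit your contacts",
    "https://www.googleapis.com/auth/drive": "full access to Drive",
}

GOOGLE_AUTH_HOST = "accounts.google.com"


def host_is_google(hostname):
    """True for google.com or a subdomain of it; the leading dot rejects
    look-alikes such as google.com.example.net or notgoogle.com."""
    hostname = (hostname or "").lower().rstrip(".")
    return hostname == "google.com" or hostname.endswith(".google.com")


def parse_consent_url(url):
    """Pull the fields that matter out of an OAuth 2.0 authorization URL."""
    parts = urlparse(url)
    params = parse_qs(parts.query)
    first = lambda key: params.get(key, [""])[0]
    redirect_uri = first("redirect_uri")
    return {
        "auth_host": (parts.hostname or "").lower(),
        "client_id": first("client_id"),
        "redirect_uri": redirect_uri,
        "redirect_host": (urlparse(redirect_uri).hostname or "").lower(),
        "scopes": first("scope").split(),  # space-separated per RFC 6749
    }


def assess_consent_url(url):
    """Return human-readable warnings; an empty list means nothing stood out."""
    info = parse_consent_url(url)
    warnings = []
    if info["auth_host"] != GOOGLE_AUTH_HOST:
        warnings.append(
            f"consent page is on {info['auth_host']!r}, not {GOOGLE_AUTH_HOST} (fake login page)")
    if not host_is_google(info["redirect_host"]):
        warnings.append(
            f"authorization code will be sent to a third party at {info['redirect_host']!r}")
    for scope in info["scopes"]:
        if scope in HIGH_RISK_SCOPES:
            warnings.append(f"requests permission to {HIGH_RISK_SCOPES[scope]} ({scope})")
    return warnings


# Constructed sample, not captured from the real campaign: the consent page is
# Google's, but the code goes to a non-Google host (hypothetical domain) and the
# scopes cover the whole mailbox and address book.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example.net%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&access_type=offline&prompt=consent"
)

if __name__ == "__main__":
    for warning in assess_consent_url(SAMPLE_URL):
        print("WARNING:", warning)
```

A non-Google redirect_uri is normal for a genuine third-party app, so that warning alone is not proof of fraud; the combination is the tell: an app presenting itself as a Google product, handing the authorization code to someone other than Google, and asking for full mailbox access.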

The Google Docs Phishing Scam did not use keyloggers, trojans, viruses, fake websites or threats to accomplish its goals. It pretended to be a regular part of the user's routine. The professional, the millennial who uses the cloud for study or work, or the technologically adept person who keeps data in Google Docs would not have blinked twice at being invited to make an edit. This is especially true of companies that regularly operate in the online sphere. Heck, as a tech freelancer myself, I get random unsolicited Google Docs requests all the time, usually followed by an e-mail from someone asking if I can take a look, see if I can help them and give them an estimate on cost. I would have fallen hook, line and sinker for this scam if it had targeted me. Fortunately, thus far I have been lucky.

So now that we know what is going on, what is being done? Google has stated that it is responding to this phishing scam, that it has "disabled offending accounts" and "removed the fake pages, [and] pushed updates through Safe Browsing," and that its "abuse team is working to prevent this kind of spoofing from happening again."

Even more important: what do YOU do now that we know what is going on? Google's Password Alert extension warns you if you type your Google password into a page that is not Google's, and it is worth having, but understand its limit. In this scam no password was ever typed and the consent page was the real one, so Password Alert would not have fired. What would have caught it is reading the consent screen: if an app calling itself "Google Docs" asks to read, send and delete your e-mail, that is the tell, because Google's own services never need to ask for those permissions. Beyond that, before clicking a link in any e-mail, look around for anything suspicious. Look carefully at the address it comes from. Is it support@paypal.com or support@paypal.wb3.com? Check for spelling mistakes that would not appear in official company marketing or support copy. Be wary of urgent or threatening language, and if in doubt, contact the actual company yourself to confirm that the message is legitimate.
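The checks in the paragraph above can be mechanised. The Python script below is an added example written for this page (not from the original article) that applies them to a raw e-mail: it compares the From and Reply-To domains against the expected sender domain using a dot-boundary match rather than a loose substring test, extracts every link in the body and checks where it leads, flags anchors whose visible text shows one URL while the href points to another, and looks for pressure language. The sample message, its addresses and its links are constructed for illustration; paypal.com appears only because the paragraph uses it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
ANCHOR_RE = re.compile(r"<a\b[^>]*href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)


def same_domain(hostname, expected):
    """True if hostname is `expected` or a subdomain of it. A substring or plain
    endswith() test would accept look-alikes such as paypal.wb3.com,
    paypal.com.evil.net or notpaypal.com; the dot boundary rejects them."""
    hostname = (hostname or "").lower().rstrip(".")
    expected = expected.lower()
    return hostname == expected or hostname.endswith("." + expected)


def address_domain(header_value):
    """Domain of the actual address, ignoring the display name."""
    _display, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def message_body(msg):
    """Concatenate the text/plain and text/html parts as decoded text."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw_message, expected_domain):
    """Return a list of findings; an empty list means the checks found nothing."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = address_domain(msg["From"])
    if not same_domain(from_domain, expected_domain):
        findings.append(f"From address is at {from_domain!r}, not {expected_domain}")

    if msg["Reply-To"] and address_domain(msg["Reply-To"]) != from_domain:
        findings.append(f"Reply-To goes to {address_domain(msg['Reply-To'])!r}, not the From domain")

    body = message_body(msg)
    for url in URL_RE.findall(body):
        if not same_domain(urlparse(url).hostname, expected_domain):
            findings.append(f"link leads off-domain: {url}")

    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            findings.append(f"link text shows {shown.group()} but points to {href}")

    haystack = ((msg["Subject"] or "") + "\n" + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample message (hypothetical sender and link domains).
SAMPLE_EMAIL = """\
From: PayPal Support <support@paypal.wb3.com>
To: victim@example.com
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been limited. Confirm your details within 24 hours:</p>
<a href="https://paypal.com.secure-verify.example/login">https://www.paypal.com/signin</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL, "paypal.com"):
        print("FINDING:", finding)
```

None of these checks would have flagged the Google Docs e-mail itself, which came from a real Google account and linked to a real Google page; they cover the ordinary credential phish the paragraph describes. For the consent phish, the inspection has to happen on the permission screen, not in the inbox.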

If you think you may already have fallen for this scam, go to the third-party permissions page of your Google account (myaccount.google.com/permissions), find the app named "Google Docs", remove its access, and then change your password. Removing the app is the step that matters: the attacker never had your password, they had a token, and that token keeps working until the grant is revoked, so do not rely on a password change alone.

This scam continues to claim victims all over the world, with college students and professionals receiving a large share of the e-mails in question. As always, stay vigilant and give every suspicious e-mail, and every unexpected permission request, the scrutiny it deserves. That way you can avoid this scam and the copycats that will no doubt follow it.

Remember – the best cyber security tool is common sense!