Google Docs Phishing Scam: What You Need to Know

How to avoid falling prey to fake emails and apps seeking confidential info

Phishing key on keyboard. iStock-502758397

A sophisticated new phishing campaign uncovered yesterday serves as yet another reminder for consumers to be careful what they click on.

Reports of the Google Docs phishing scam, which used emails to trick people into revealing confidential information by opening a fake Google document, were trending on social media Wednesday afternoon. In a statement released later in the day, Google said it had been able to stop the campaign, which reportedly affected less than 0.1 percent of its users, within about an hour.

Google confirmed that victims' contact lists were accessed and used by the hackers, but said no other data was exposed. The company responded with security updates. No further action is required by its users, Google stated.

While the attack added a new twist to phishing, this kind of scam has been around for many years. Here’s a look at how phishing works and what you can do to protect yourself.

What Exactly Is Phishing?

Phishing emails often masquerade as legitimate communications from, say, a bank, a human resources department, or an email provider. In reality, they’re part of a scam designed to gain access to a computer network or steal the personal information stored in your home computer.

Spear phishing adds an extra layer of customization. Instead of sending a generic spam email to millions of people, the attacker uses personal details to craft a message targeted right at you, making it much harder to spot the fraud.

Social media accounts that blast your personal information to the world give hackers plenty of fodder to work with. For example, an email that appears to come from the bank you "like" on Facebook may not immediately arouse suspicion.

So, if you didn’t already have a reason to restrict your social media accounts to just your real-life friends, you do now.

How Did the Google Docs Attack Work?

According to research done by Talos, the threat intelligence division at the computer network firm Cisco, the emails in yesterday's attack appeared to be authored by a real contact from each victim's address book.

The email invited the victims to open a Google Doc and, once that happened, they were asked to authorize a “Google Docs” application. This fake app put a new twist on the traditional phishing scheme, says Lance Cottrell, chief scientist at the cybersecurity firm Ntrepid.

Instead of directing victims to a fake website or a malware-filled attachment, it asked them, through the actual Google authentication process, for a handful of permissions, including total access to their Gmail accounts.

“There’s almost nothing technical about this,” says Cottrell, who was one of the many people to receive the fake Google Docs invitation. “They just built an app that looks like Google Docs."

The user experience was remarkably similar to the real thing, too. When victims agreed to the request, the hackers could read, delete, and send emails that appeared to be coming directly from the victim's account. They also got access to all of the contacts in the victim’s account. In fact, the hackers then used the accounts to send even more emails out to those contacts.

The scam worked much the same way as the fake apps that once plagued the app stores of Google and Apple, says Cottrell, except that those scams used permission requests to steal information from smartphones.

“Using multi-factor authentication and the best password in the world doesn't help," he adds, "because you’re logged into Google and you’ve given [the hacker] permission to use your account.”

If you fell victim to the phishing attack, you don't need to do anything with your Google account, including changing your password. Google has purged the fake applications and other malicious content from its system.

But there's nothing you can do about the fact that your contact list is now in the hands of hackers. People and businesses on that list are more likely to be hit by spam and future phishing attacks.

How Can I Protect Myself From Phishing?

Limor Kessem, executive security adviser for IBM Security, says you need to be wary of all emails. If you are not expecting one with a file or a link in it, don't click on it—even if it comes from someone you know. “If you're not sure if someone sent you a file or link," she explained by email, "pick up the phone and ask, especially at work.”

Kessem also encourages people to take a good look at sender names. If the domain has typos in it or looks bogus, report it to the company it's likely imitating. Placing your cursor over hypertext links in emails will show you where the URL leads. If the URL looks phishy, it probably is.

If you're invited to check your bank or credit card account information, type the web address into your browser, she says, instead of clicking on an email link. And if you happen to click on a bad link and end up on a malicious website, don’t enter any personal information. Close your browser immediately and report the email to the company that has been misrepresented.

And always make a point of creating good passwords for your accounts, changing them frequently and setting up multi-factor authentication.

What Do I Watch Out for Now?

Cottrell warns that a slew of copycat scams may soon surface. And, he says, since this sort of scam could easily compromise social media platforms, people should be wary about granting third-party apps permission to access their Facebook and Twitter accounts.

That includes those popular Facebook quizzes that ask for access to “friends,” then go on to ask those friends personal questions that reveal their ideal Star Wars name, Starbucks order, or career choice. The answers could be used for marketing, but also for cracking account passwords.

It’s up to consumers to be on their toes.

“When an app or a quiz says, ‘I want to do this with your information,’" Cottrell says, "you need to pause and think, ‘Do I really want to give access?’”

How to Avoid Online Scams

Do you know how to protect yourself from online threats? On the "Consumer 101" TV show, host Jack Rico and Consumer Reports' digital privacy expert Thomas Germain play a quiz game to reveal important steps you can take to keep your personal information safe.

Bree Fowler

Bree Fowler

I write about all things "cyber" and your right to privacy. Before joining Consumer Reports, I spent 16 years reporting for The Associated Press. What I enjoy: cooking and learning to code with my kids. I've lived in the Bronx for more than a decade, but as a proud Michigan native, I will always be a die-hard Detroit Tigers fan no matter how much my family and I get harassed at Yankee Stadium. Follow me on Twitter (@BreeJFowler).