Update 5/4 - 8:15 a.m.:
Google will introduce a new anti-phishing tool for Gmail for Android. Scroll down to the "Protect Yourself" section for details.
There have been quite a few scary Google account phishing scams lately. One looked so authentic that even tech-savvy users are falling for it.
It looks like cybercriminals are getting more and more elaborate and sophisticated with their tactics and we shouldn't let our guard down at any time.
Take this fresh campaign discovered Wednesday, for example, it has the potential to be a widespread menace!
Google Docs Phishing Campaign
Another major phishing scam in Google Docs is currently making its rounds and is spreading fast. The scary part is that it can appear to be coming from someone you know.
Eagle-eyed Twitter and Reddit users first spotted the spam messages and they appear to have originated from an email address curiously named "firstname.lastname@example.org."
Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX
— Zach Latta (@zachlatta) May 3, 2017
The dubious email reportedly gets sent to your inbox claiming that someone has sent a Google Doc to you, including people you may know. If you are not expecting any Google Docs from anyone, please don't click the "Open in Docs" link within the email!
One of our staff actually received this phishing email earlier today. This is what it looks like:
(If you're reading this on the Komando.com app, click here to view the images.)
The email looks legitimate but if you're used to Google Docs, you'll notice that it's a bit off. If you fall for it and click the link, you will be redirected to a fake Google login screen that even has a cleverly forged Google.com URL.
The fake page will then ask you which Google account you will want to use to access the Google Doc and it will take you to another page that grants it access to your selected account.
Once access is granted, the phishing email will then be sent to everyone in your Google's address book, with you as the sender! The chain then continues if anyone in your address book falls for the scam. Rinse and repeat - this is the reason why the campaign is spreading fast.
As Buzzfeed's Joe Bernstein explains:
I got a Google Doc invite from a BuzzFeed email address, clicked on it, and it spammed everyone I’ve ever emailed
— Joe Bernstein (@Bernstein) May 3, 2017
So again, if you receive any Google Doc invite that you are not expecting, please don't click the "Open in Docs" link, even if it's from someone you trust. Even then, if you are actually expecting a Google Doc, please scrutinize the corresponding email carefully.
It's not clear what the perpetrator's motive is but Google has already acknowledged the phishing attack and their team has investigated and resolved the related issue with Google Drive. They appear to have shut down the campaign within an hour.
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail.
— Gmail (@gmail) May 3, 2017
If you have received said phishing email and clicked the "Open in Docs" button and granted the malicious app access to your Google account, go to your Google account's permission page and check if an app called "Google Docs" has access.
If so, select it and click its "REMOVE" button immediately. "Google Docs" is actually the malicious app and it is not a legitimate Google service.
Thankfully, it has been reported that changing your Google account password is not necessary. But of course, if you clicked the phishing link, changing it is still a good idea.
Update 5/4 - 8:15 a.m.:
In a G Suite blog post, Google announced a new anti-phishing check in Gmail on Android. With this feature, whenever a suspicious link is clicked, a warning prompt alerts the user of potential danger.
We're expecting this new security feature to roll out to Android users soon.
How to defend against phishing scams:
- Use unique passwords - Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it's simple for the cybercriminal to get into each account. Click here to find out how to create hack-proof passwords.
- Be cautious with links - If you get an email or notification that you find suspicious, don't click on its links. It could be a phishing attack. It's always better to type a website's address directly into a browser than clicking on a link. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn't what the link claims, do not click on it.
- Set up two-factor authentication - Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. It's like the DMV or bank asking for two forms of ID. Click here to learn how to set up two-factor authentication.
- Watch for typos - Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos. Take our phishing IQ test to see if you can spot a fake email.
- Check your online accounts - The site Have I Been Pwned allows you to check if your email address has been compromised in a data breach.
- Have strong security software - Having strong protection on your family's gadgets is very important. The best defense against digital threats is strong security software.