Skip to Content
Malware spreading through Google Docs spear phishing attacks
© Suttipun Degad |
Security & privacy

Scam warning: Think twice before you click that Google Docs notification

Cybercriminals are getting better every day at finding new ways to rip people off. If it’s not taking advantage of thousands of flight cancellations, they aim at those working remotely from home.

A popular tool for remote workers is Google Docs. The online word processor and editor allow for creating and collaborating on documents. It is used by tons of companies and individuals.

But just because Google develops the tool doesn’t mean it can’t spread malicious content. Read on to see how Google Docs is being used to spread malware.

Here’s the backstory

The word processing platform is incredibly robust, allowing for powerful functions and editing on par with Microsoft’s Word. And since Google Docs is based online, users can share and edit a document if changes need to be made.

There is a comments function where users can tag others to get their attention on a change. Like how social media works, a user will insert a ‘@’ and then click on the intended recipient. The other person will receive an email to alert them to the comment.

Google Docs comment
Credit: Avanan

Usually, this process is relatively benign. But hackers have found a way to abuse the system. The problem comes from the fact that external links are allowed in comments. Google doesn’t check these links, allowing for malicious content to be distributed.

Now, scammers are sending links that lead to malicious websites that attempt to install malware on your device. One reason this spear-phishing scam is so effective is recipients don’t see the sender’s email address, as only a name is displayed. This makes impersonating contacts easier and makes the message seem authentic.

In a report from Avanan, tricking Google Docs users into clicking on malicious links has been used since October of 2021. While Google might be aware of the flaw in Docs, the company is yet to do something about it proactively.

What you can do about it

Criminals rely on you to simply glance over a sender’s name without inspecting the email address. If you’re ever tagged in a Google Docs comment, verifying the sender actually sent it is critical. Reach out to the sender before clicking links in the message to ensure it’s authentic.

There are a few other things that you can do to stay safe online and while using Google Docs.

  • Where possible, check the sender’s email address and their name in the document. If something looks strange to you, back away immediately.
  • Never click on links or download attachments in emails or texts when the message is from a stranger.
  • Have strong antivirus protetion on all of your devices. We recommend our sponsor, TotalAV. Get the Best Security Suite for 2021 and save an exclusive 80% at That’s just $19 for an entire year of protection.

Keep reading

There’s a new setting in Google Docs you should seriously consider changing

Scam Alert: Robocalls trick victims with fake COVID-19 tests

Ask me your digital question!

Navigating the digital world can be intimidating and sometimes downright daunting. Let me help! Reach out today to ask your digital question. You might even be on my show!

Ask Me