Google on Wednesday confirmed that a clever phishing email had spread to several users by appearing to invite them to edit a Google Doc. If you received such an email, delete it immediately.
The email attempted to gain access to Google accounts, including the ability to read, send, and delete email, and manage a user’s contacts. Seeing as this is a scam, those are obviously not permissions you want to grant.
In a statement, Google said it has taken action to protect users against an email impersonating Google Docs, and has disabled the offending accounts.
“We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again,” Google’s statement said.
— Google Docs (@googledocs) May 3, 2017
There are some telltale signs that the email being sent around is indeed a scam. Although the messages arrive from legitimate email addresses, they're being sent to “hhhhhhhhhhhhhhhh” email addresses, with the actual human users Bcc’d. I got one around 11:39 a.m. PST in the early afternoon on Wednesday.
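The two header signs described above can be checked mechanically. The following is an added example, not code from the article or from Google; the sample messages are constructed, and the function names and the `mailbox` parameter (the address the message was delivered to) are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real captured mail).
SUSPECT = """\
From: Known Contact <colleague@example.org>
To: hhhhhhhhhhhhhhhh@example.net
Subject: Invitation to edit a document

Open in Docs
"""

BENIGN = """\
From: Known Contact <colleague@example.org>
To: reader@example.com
Subject: Meeting notes

See attached.
"""

def visible_recipients(msg):
    """Return lower-cased addresses from the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]

def is_repeated_char(local_part, min_len=8):
    """True for a local part that is one character repeated, e.g. 'hhhhhhhh'."""
    return len(local_part) >= min_len and len(set(local_part)) == 1

def phishing_signs(raw_message, mailbox):
    """List which of the article's two header signs a message shows.

    mailbox: address the message was delivered to (hypothetical parameter
    supplied by the caller, e.g. the owner of the inbox being scanned).
    """
    msg = message_from_string(raw_message)
    recipients = visible_recipients(msg)
    signs = []
    if any(is_repeated_char(addr.split("@", 1)[0]) for addr in recipients):
        signs.append("repeated-character To address")
    if mailbox.lower() not in recipients:
        signs.append("mailbox only Bcc'd")
    return signs

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, phishing_signs(raw, "reader@example.com"))
```

Being Bcc'd is also normal for mailing lists and newsletters, so treat the two signs together as the signal rather than either one alone.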
Once you click the link in the email, you’ll be taken to a page that lets you pick your preferred Google account, followed by another page where it requests access. Twitter user Zach Latta made a short video showing off how it all works.
— Zach Latta (@zachlatta) May 3, 2017
What’s absurd about the phishing attempt is how the third-party app was allowed to name itself Google Docs, giving it an aura of authenticity. I’ll admit I clicked on the link once I received the email, but ultimately ditched the page before allowing access.
It doesn’t appear any passwords have been compromised in the scam. If you happened to fall for it—it happens to the best of us—you can easily revoke the app’s access:
- Go to https://myaccount.google.com/permissions
- Find the app called “Google Docs” and revoke all permissions