What is the Google Docs phishing scam?

What Happened?

A flaw within Google Drive was exploited to send out seemingly legitimate push notifications and emails from Google, If a Gmail user clicked on the “Open in Docs” button in the email, they were taken to a real Google-hosted page and asked to permit a seemingly legitimate service, called “Google Docs”, to access their email account data.

Giving the permission allowed scammers to access the email account, contacts and online documents. The malware then emailed everyone in the victim's contacts list in order to spread itself.

Potential Consequences

The phishing scam itself is nothing new – which is to get you to click on a link within a message. The scariest part about this Google Docs scam is that the emails and notifications it generates come directly from Google. On mobile, the scam uses the collaboration feature in Google Drive to generate a notification inviting people to collaborate on a document. Google blocks millions of spam mail each day, but this message really catches people off-guard since the notification or email comes from Google itself.

To learn how to secure Google Drive read our guide here. Or if you’d like to use a similar alternative to Google Docs, we have a great list of secure Google Docs alternatives here.

How can I tell if an email from Google is legitimate?

Strange language, nonsense names and newly registered websites are a dead giveaway. People targeted by the Google Docs email scam receive Google Drive emails and notifications in Russian or broken English, asking them to collaborate with people with nonsense names. If you click on the link within these messages you’ll be taken to a scam website which is usually registered only a few days before, and full of click bait about prize draws and giveaways.

You can report scam emails, and Google documents to the Google abuse team. To report abuse to Google about a document simply click ‘Report abuse/copyright’ from the ‘Help’ menu. To report a spam email to Google, click ‘More’ next to ‘Reply’ and then click ‘Report phishing’.

Is the Google Docs Phishing Email Still Active?

Google has removed documents which were used in the Google Docs email scam, after they were reported by victims. We assume that the security flaw which allowed scammers to generate notifications from Google, has been fixed – but it's best to stay vigilant. Online scams have quadrupled since the pandemic and with most of us working from home scammers are finding incredibly clever ways to hide their tracks within phishing emails.

What Can You Do to Protect Yourself?

A closer look at the emails shared online offer some clues to help you distinguish phishing emails from legitimate emails.

• The email appears to come from a genuine person in your contacts, and the subject line reads something along the lines of “[Your Friend] has shared a document on Google Docs with you.”
• Included on the string of recipients is an email address that begins in “hhhhhhhhhhhhhh” and ends in “mailinator.com.” Mailinator is a website that lets visitors obtain a temporary and disposable email address.
• In some cases, the suspicious Mailinator account appears in the email’s BCC field.

If you get an email that fits the description above, delete it immediately. If you’re concerned that your account might have been compromised, you can go to Google’s account management page, select “Sign-In and Security”, and then “Connected Apps.” Look for “Manage Apps” and revoke access to untrusted apps.

Rule #1: To protect yourself from phishing attacks, never click on any email links and do not open any attachments unless you are positive that the email comes from a legitimate source. The best way to verify the source is pay close attention to the sender’s address.

For added protection always use two factor authentication (2FA) on your accounts. When enabled, you’ll need to answer a secret question, or use a fingerprint, as well as your password to get into your accounts. This is a great way of securing yourself if your passwords ever get stolen. One of the best ways to secure your data online is by using a VPN. With a single NordVPN account you can protect up to 6 devices from accessing potential phishing sites, and hide your online activity from trackers.

NordVPN also has the Threat Protection feature. It neutralizes cyber threats before they can do any real damage to your device. TP helps you identify malware-ridden files, stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot.