Phishing scam hits Google Docs
A phishing attack hit Google’s authentication system by sending users an email containing a fake Google Docs sharing link. If victims clicked the link, the attacker installed a web app via Google’s authentication system, which asked for permissions such as reading your email and managing your contacts. The dodgy app could then grab data including your contacts list, which could be exploited to further spread the attack.
In response, Google blocked the dodgy app and revealed a new warning tool that displays a message to Gmail users on Android smartphones when they’re about to click a link that goes to a known malicious site.
How will it affect you?
Although Google acted quickly to halt the phishing scam, more such ploys are bound to follow because the technique behind the attack remains open to abuse. That means you should be careful when opening links purporting to share Google Docs, and only click them if you’re sure they are safe. Because the link may appear to come from a known contact, it is worth checking with that person before clicking to open the link.
You should also check to see whether you have any unexpected apps authorised in Google. To do this, head to the My Account section of your Google profile and, under Sign-in & Security, click ‘Connected apps & sites’. You can then view the apps that are connected to your account, and remove any you no longer need or don’t recognise.
What do we think?
Google needs to do more than take out this specific attack; it needs to prevent similar ones from happening in the future. The warning message is a useful tool, but past performance shows that many people will likely ignore it and click through to the dodgy site anyway.
In the meantime, as usual, make sure anyone you know who isn’t as tech-savvy as you is aware of this type of attack. You can also run a security check of your Google accounts at g.co/securitycheckup.