News of the Google Docs phishing scam rocked the digital world late Wednesday afternoon. Google submitted a statement via Twitter encouraging Google users not to click through the suspicious email as they investigate the phishing email. They urge users to report it as phishing if they come across the masqueraded email.
The spammers sent out a malicious email disguised to look as though it came from someone the recipient knew, but instead of the shared content it promised, users who clicked the link were asked to grant an application access to their contact list and Google Drive. That access let the phishers reach even more mailboxes, extending the scam further with every victim. At this point, it’s unclear how many people were affected by this particular phish.
Meanwhile, Google has done its due diligence in neutralizing the phish: disabling the offending accounts, removing the fake pages, pushing updates through Safe Browsing and putting its abuse team to work to prevent this kind of “spoofing” from happening again.
Among the targets were reporters from various media outlets, many of which are reporting that the scam is especially scary because it incorporates many details–including Google’s new redesign–that make it appear completely legitimate.
Thankfully, Google’s quick response (we’re talking within one hour, here) most likely saved a lot of users from stumbling across this vicious phish, but what can you do to protect yourself against email phishing in the future?
Don’t even think about touching that thing.
We’re serious about this one. You need to treat any suspicious email like poison–this is especially true for small businesses, which are increasingly becoming targets for phishers. Cyber-criminals are finding more and more ways to masquerade as trusted contacts, so you need to carefully examine any email that lands in your inbox before clicking through it. We get it: granting permissions to services such as Google Docs has become a mindless part of the day-to-day, but we urge you to be more mindful of whom you may be allowing access to your personal information.
The Devil’s in the Details
Hover over that link. Are there any irregularities? Misspellings? These are often tell-tale signs of a scam. Look carefully at the details before opening; the sender may say it’s “Your Friend Joe”, but a quick hover over the address may reveal a suspicious sender. Just as granting permissions to the services you use your email address for has become automatic, it is easy to scan through your inbox, opening each message without looking at whom you could be inviting into your digital world.
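The two checks described above (does the display name match the real sender address, and does a link's visible text match where it actually points) can be automated for a mail gateway or a mailbox rule. The script below is an added example written for this post, not code from the original article or from Google; it parses one constructed sample message with Python's standard library, compares the sender against a small allow-list of known contacts (the `KNOWN_CONTACTS` table and `BRANDS` map are assumed, not real data), and flags hostnames that mention a brand name without belonging to that brand's domain, including digit-for-letter lookalikes such as "g00gle".

```python
"""Flag tell-tale phishing signs in one raw email: a familiar display name on an
unfamiliar address, and hyperlinks whose visible text hides the real destination.
Standard library only. The sample message and allow-lists are constructed."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real sample from the attack described above).
SAMPLE_EMAIL = """\
From: "Your Friend Joe" <joe@mai1-share.example>
To: you@example.com
Subject: Joe has shared a document with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Joe has invited you to view a document.</p>
<p><a href="https://docs-google.example/auth?grant=contacts+drive">https://docs.google.com/document/d/abc</a></p>
<p><a href="https://docs.google.com/">Open in Google Docs</a></p>
</body></html>
"""

# Assumed allow-list: display names you know and the address they really use.
KNOWN_CONTACTS = {"Your Friend Joe": "joe@example.com"}
# Assumed brand map: a brand word and the domain it legitimately lives under.
BRANDS = {"google": "google.com"}
# Digit-for-letter swaps commonly used to build lookalike hostnames.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def brand_mismatch(host):
    """Return the brand a hostname imitates, or None if it is genuine.

    A host is suspicious when it mentions a brand word but is not under that
    brand's domain, or when it only matches after undoing confusable swaps."""
    host = (host or "").lower()
    norm = host.translate(CONFUSABLES)
    for brand, real in BRANDS.items():
        if brand in norm:
            under_brand = norm == real or norm.endswith("." + real)
            if not under_brand or norm != host:
                return brand
    return None


def analyze(raw):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    # Check 1: the "hover over the sender" test.
    name, addr = parseaddr(str(msg["From"]))
    expected = KNOWN_CONTACTS.get(name)
    if expected and expected.lower() != addr.lower():
        warnings.append(f"display name '{name}' is known as {expected}, but mail came from {addr}")
    brand = brand_mismatch(addr.rpartition("@")[2])
    if brand:
        warnings.append(f"sender domain {addr.rpartition('@')[2]} imitates {brand}")

    # Check 2: the "hover over the link" test, for every anchor in the HTML body.
    extractor = LinkExtractor()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor.feed(body.get_content())
    for href, text in extractor.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown != target:
            warnings.append(f"link text shows {shown} but points to {target}")
        brand = brand_mismatch(target)
        if brand:
            warnings.append(f"link host {target} imitates {brand}")
    return warnings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL):
        print("WARNING:", line)
```

On the constructed sample this produces three warnings: the display name "Your Friend Joe" arriving from a domain other than Joe's, a link whose visible text is a docs.google.com URL while its real destination is docs-google.example, and that destination host imitating the Google brand. The genuine `docs.google.com` link is left alone. The brand and contact tables are deliberately tiny; in production they would come from your address book and a maintained list of the services your staff actually use.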
Stay Safe with a Secure Connection
If you look closely at the web address you’re on, you’ll be able to see whether it’s protected by an SSL certificate. This is essential when you’re entering your personal information or giving an outside site permission to access your information. If a site is equipped with https, it means they have gone through the proper channels and paid a premium to ensure their users can browse securely. It’s unlikely that the nasty phishing scammers would be able to obtain such a secure distinction.
Utilize Multi-Factor Authentication
Google (along with many other services) offers users the gift of multi-factor authentication, which prompts you to enter a code texted to your phone whenever you log into your account from an unrecognized computer. It’s one of the simplest yet most effective ways to prevent an unauthorized user from accessing your account and engaging in malicious online activity.
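To show what happens on the service's side of that texted code, here is an added illustration written for this post; it is not Google's implementation and not code from the original article. It assumes a five-minute code lifetime and a three-guess limit (both constructed values), stores only a hash of the code so a dumped table does not hand out live codes, compares in constant time, and burns the code on first successful use so a stolen one cannot be replayed. Delivering the code to the phone is left out, since that is just an SMS gateway call.

```python
"""Server-side handling of a one-time login code of the kind texted to a phone.
Added illustration; TTL, attempt limit and the in-memory store are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: three wrong guesses invalidate the code


class OneTimeCodeStore:
    """Issue and verify short-lived, single-use numeric codes per user."""

    def __init__(self, clock=time.time):
        self._clock = clock              # injectable so tests can advance time
        self._pending = {}               # user -> (digest, expires_at, attempts_left)

    @staticmethod
    def _digest(user, code):
        # Bind the code to the user so a code issued to one account cannot be
        # presented for another; only this digest is kept, never the code.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user):
        """Create a fresh 6-digit code for `user` and return it for delivery."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.random()
        self._pending[user] = (self._digest(user, code),
                               self._clock() + CODE_TTL_SECONDS,
                               MAX_ATTEMPTS)
        return code

    def verify(self, user, code):
        """Return True exactly once for the right code, inside its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False                  # nothing issued, or already consumed
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            self._pending.pop(user, None)   # expired or locked: discard it
            return False
        if hmac.compare_digest(digest, self._digest(user, code)):
            self._pending.pop(user, None)   # single use: burn on success
            return True
        # Wrong guess: count it down so the 6-digit space cannot be brute-forced.
        self._pending[user] = (digest, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("texted code:", code)                      # would go to the SMS gateway
    print("wrong guess accepted?", store.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted? ", store.verify("alice", code))
    print("replay accepted?     ", store.verify("alice", code))
```

The attempt counter matters more than the hashing: a six-digit code has only a million possibilities, so without a limit an attacker who obtained a victim's password could simply keep guessing. The expiry and the burn-on-success rule are what make a code texted to the legitimate owner useless to anyone who sees it later.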
That’s all fine and good–we know you’ll heed our warning and take our advice from here on out–but what if you’ve already been fooled hook, line and sinker? The first line of defense after you’ve been baited and hooked by a phisher is to revoke third-party access to your account. This is especially useful in the latest Google phishing attack. You can go into your account permissions and revoke access to Google Docs.
As with any scam, you’ll want to change your password for future protection. You never know what information a phisher could have stolen while they had access to your account. It’s best to change your password as often as every 90 days to keep yourself up-to-date on standard security measures.
We sincerely hope you avoided this scam, and we aim to use this opportunity as a means of education for our loyal customers. Small businesses can lose everything when targeted by a phish, and it’s our goal to make sure that you do not fall prey to a scammer now or in the future. Stay safe in the digital world!