People wised up to email phishing, but scammers hit paydirt with the Google Docs scam. Don’t get too comfortable with the apps you constantly use in the cloud. Learn more about protecting yourself when using these apps on a daily basis.
There’s a very strong chance that just this week, you received an email from a sender you know inviting you to open up a file in Google Docs but it turned out to be a fake request. Even after chatter of this scam took Twitter, Reddit, and other social media sites by storm, urging users to ignore the messages and not even long into Google Docs altogether, it raised some questions about phishing schemes. Google disabled Docs for a short while as they worked on eliminating the threat and all is well again, but despite Google’s timely remediation this also raises questions about the apps that we trust and use on a daily basis.
Let’s face it: phishers have had to become more inventive in order to get the information they want.
Most people with a basic sense of tech-savviness are well aware of phishing via email, where a scammer sends a bogus email that is trying to get your log-in credentials as well as sensitive information like your bank account and credit card numbers. Phishing emails have become more sophisticated in recent years, mimicking the domains and trusted users that a real email would come from, but most people are still aware of phishing to the point that they’ll ignore and delete the email if something looks off.
And usually it’s easy to tell when something is off: phishing emails often have spelling errors and email layouts that don’t match official communications from the sender they’re impersonating. Companies like PayPal also warn you about phishing scams directly in emails intended for you so that you can report spoof accounts. This attack however, was widespread and unprecedented. People expect a phisher to try something funny with their PayPal account, but not the group of expense reports your team was working on in Google Docs that you just invited people to.
What makes the Google Docs phishing scam so unique is that the phishers decided to go one step beyond. The Google Docs permissions screen didn’t look obviously fake. The scam worked within Google’s system by taking advantage of the fact that you can easily create a non-Google web app with a sinisterly similar and misleading name. The scam pages looked sophisticated enough that many people in higher-up positions inadvertently clicked on the permission screen, sending more fake Google Docs spam to their entire contact lists and frustrating IT departments nationwide.
It took a while before people realized it was a phishing scam and took to the internet to warn people from all walks of life to just take precautions and not even open anything from Google Docs, despite how familiar they are with the sender.
Snapping Out of Your Comfort Zone in the Cloud
If there’s a teachable moment to be found from this scam that fortunately was resolved quickly, it’s that you can never be too careful. Always carefully examine invites for document-sharing and collaboration to ensure that they are from the domains they are from and a trusted user initiated the invite.
Depending on your workload and how many clients or colleagues you are collaborating with, you’re likely to know in advance if a Google Docs invite is coming your way. But phishers took advantage of people because they know that it’s a common collaboration tool, and people just get comfortable in their accounts without having to do multiple log-ins to access the invite. You need to snap out of this comfort zone and pay attention to keeping your information secure.
Enable 2-factor authentification on your Google accounts and change your password every so often. If your Google Docs or other cloud account gets busy and cluttered, phishers are taking advantage of that so always get verification from your clients, co-workers, and the like if they invited you to view a document.
Phishers will only get even better at what they do, and they’re counting on your complacency. Don’t be a victim!
Published on 5th May 2017 by Ian Brady.