Google Docs has been and continues to be a staple part of my life. From taking notes of events to full-length articles to even handling the text for my occasional blogs, Google Docs is pretty much the best thing to happen since Microsoft Word. The fact that you can collaborate in real time with people also means you save time when it comes to editing documents, so you no longer have to keep attaching and reattaching documents.
Unfortunately, this very same feature was used to exploit Google Docs. In the wee hours of the morning, users received an invitation to edit a Google Document from an unknown sender. If one were to click the link, they would be redirected to a sign-in screen that looked legitimately like Google’s new sign-in screen. This essentially allowed a third-party app to gain access to your contacts and email. From there, it would be possible for the app to send this spam email to all your contacts, and so on and so forth. In response, Google issued a statement saying that they were aware of the issue and that they would investigate it. They also encouraged those who received the email to report it as phishing.
There were subtle differences in the email compared to normal emails. For example, it lacked the Google signature, and the spacing too was tighter than usual. Delving deeper, if you look at the sender, the email address showed up as “[email protected]”. This in itself should be a cause for suspicion.
The Google Docs Attack isn’t the first one
Phishing attacks of this type have been around since the early 2000s, and with each attack they become harder to spot, so that even seasoned IT professionals can get fooled. Phishers now have the ability to use actual Google accounts and develop third-party plugins. These plugins can interact with Google services, thus luring victims with the sheer authenticity of the web page itself. However, all is not lost, and if you were a victim of the Google Docs phishing attack, fear not, for there are a few steps you can take to make sure it doesn’t happen again.
First and foremost, stop clicking random links in your email just because you can. In all seriousness, go through the email before you click the link. Check who the sender of the email is. If it’s an unfamiliar contact, then the recommendation would be to stay away from it. Even if it says that a known contact shared a document with you, go the extra mile and contact said person to see if he/she actually did share something.
Revoke Access to unwanted 3rd Party apps
Next up, if you already received an email of that nature and you clicked it, immediately go to the Permissions page of your Google account and proceed to revoke access to an app called Google Docs. This will stop any third-party apps using Google Docs to gain access to your account. Obviously, Google Docs wouldn’t need any sort of access from your Google account as it’s part of it anyway.
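The check behind this step, as an added example that is not from the original article or from Google: it flags any third-party entry in a permissions list whose name matches a Google product, including look-alike spellings, and notes whether it holds contacts or email access. The grant records, their field names and the product-name list are assumptions constructed for illustration.

```python
import unicodedata

# Names of Google's own products (assumed list for this example; extend as needed).
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail"}
# Keywords for the access the article says the app obtained: contacts and email.
SENSITIVE_KEYWORDS = ("contacts", "email")

# Constructed sample of entries copied from an account's permissions list.
# The field names are hypothetical, not a Google export format.
SAMPLE_GRANTS = [
    {"name": "Google Docs", "third_party": True,
     "permissions": ["Read, send, delete, and manage your email",
                     "Manage your contacts"]},
    {"name": "Example Notes", "third_party": True,
     "permissions": ["View your email address"]},
    # Full-width "G" and a doubled space: renders like the real name.
    {"name": "\uff27oogle  Docs", "third_party": True,
     "permissions": ["Manage your contacts"]},
    {"name": "Gmail", "third_party": False, "permissions": []},
]


def normalize(name):
    """Fold case, Unicode compatibility forms and whitespace before comparing."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def audit_grants(grants):
    """Return third-party grants whose name matches a Google product name."""
    findings = []
    for grant in grants:
        if not grant["third_party"]:
            continue  # Google's own apps are expected to carry these names
        if normalize(grant["name"]) not in FIRST_PARTY_NAMES:
            continue
        access = sorted({kw for perm in grant["permissions"]
                         for kw in SENSITIVE_KEYWORDS if kw in perm.casefold()})
        findings.append({"name": grant["name"], "sensitive_access": access})
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print("REVOKE AND REVIEW:", repr(finding["name"]),
              "sensitive access:", finding["sensitive_access"])
```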
Strengthen your account with two-factor authentication
Change your Google password and also set up two-factor authentication. With this enabled, in addition to entering your username and password, you will also be sent a code on your mobile phone. So even if a hacker or phisher obtains your login details, they cannot get access to your account without the code. This also helps you verify that the Google page you’re signing into is legit and not fake.
Use Password Alert by Google
Google has a tool called Password Alert. This triggers a warning if you type your Google account credentials into any page that isn’t affiliated with or connected to Google. It offers little to no protection against scammers and phishers who use legit Google processes, but it’s a start.
Overall, following these steps should keep you safe from phishing scams and protect your Google account from unauthorized use. Always remember, prevention is better than cure. Stay safe and be aware of what you click and where you enter your details.