3 Lessons from the Google Phishing Scam

If you haven’t heard, a super-sneaky phishing attack posing as Google Docs recently rampaged among Gmail users. The cleverly disguised email only took a couple of clicks (through a REAL Google site!) to gain access to your email account and forward the phishing email to everyone in your contact list. Google reacted quickly to stop the attack, but it spread like wildfire while it was active because it was so hard to detect.
Here’s how it worked:

  • You receive an email from someone you know, who has emailed you before. There is a link to open a Google Docs document they’re supposedly sharing with you.
  • You click the link, and you’re taken to a real Google page, listing all of your real Google accounts.
  • You are asked to allow an app called “Google Docs” to access your email and contacts, with no password or credentials required.

The trick was that the hacker used Google’s legitimate processes to create a 3rd party app that they simply named “Google Docs.” This one caught a lot of people off guard, because it didn’t rely on normal phishing methods like email attachments, bogus links or spoofed sender names. The only way to detect the scam was if you happened to click on the author information for the app, which showed a random Gmail address rather than Google itself.
Check out this video from Twitter to see the steps in action:

Although this attack has been stopped, there are a few important lessons we can learn here:

1. Be cautious of any app asking for access to your information

There are a TON of websites and apps out there that ask for your information. What was notable about the Google attack was that it gained access to your information indirectly through a legitimate, trusted service.
This is possible because companies like Google, Facebook, Twitter and Microsoft all work with 3rd party websites and app providers. Have you ever downloaded an app that says: “Sign in with Facebook” or “Sign in with Google”? By using those options, you’re allowing Facebook or Google to share certain information about you with another service, without giving away your password.

Google sign-in button
Sign-in buttons like this one allow 3rd party applications to access certain information from your Google account.

Most of the time, this is a really convenient service, allowing you to access many websites without separate login credentials. The problem is that it has become so commonplace that we don’t always think before clicking “Allow.” The Google attack is a good reminder to be cautious of these types of 3rd party requests, because copycats will certainly try the same trick.
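The two warning signs the post describes, a third-party app borrowing a first-party product name and a consent request for mail and contacts, can be turned into a simple audit over the apps an account has authorized. The script below is an added example, not code from the original post: the grant records are constructed, and the field names (app_name, developer_email, scopes) are assumptions modelled on what a consent screen shows, not a real Google API schema.

```python
"""Flag authorized OAuth apps whose name impersonates a first-party product."""
import re
import unicodedata

# Product names the vendor itself would use; a third-party app borrowing one is suspect.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google calendar"}
# Developer contact domains belonging to the vendor (assumption for this example).
VENDOR_DOMAINS = {"google.com"}
# Scopes that grant access to mail and contacts (Google scope URIs).
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}


def normalize_name(name):
    """Casefold, collapse whitespace and drop invisible format characters
    (e.g. zero-width spaces) so look-alike names compare equal to the real one."""
    text = unicodedata.normalize("NFKC", name)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return re.sub(r"\s+", " ", text).strip().casefold()


def assess_grant(grant):
    """Return a list of findings for one authorized app; empty means nothing flagged."""
    findings = []
    name = normalize_name(grant["app_name"])
    domain = grant["developer_email"].rsplit("@", 1)[-1].casefold()
    if name in FIRST_PARTY_NAMES and domain not in VENDOR_DOMAINS:
        findings.append(f"name '{grant['app_name']}' impersonates a first-party app "
                        f"(developer contact is @{domain})")
    sensitive = sorted(set(grant["scopes"]) & SENSITIVE_SCOPES)
    if sensitive:
        findings.append("has mail/contacts access: " + ", ".join(sensitive))
    return findings


def triage(grants):
    """Map app name to findings, keeping only the grants that need review."""
    result = {}
    for grant in grants:
        findings = assess_grant(grant)
        if findings:
            result[grant["app_name"]] = findings
    return result


# Constructed sample of authorized apps, mirroring the post's description.
SAMPLE_GRANTS = [
    {"app_name": "Google Docs", "developer_email": "someone123@gmail.com",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"app_name": "Trusted Notes", "developer_email": "dev@example.com",
     "scopes": ["openid", "email"]},
]

if __name__ == "__main__":
    for app, findings in triage(SAMPLE_GRANTS).items():
        print(app, "->", "; ".join(findings))
```

Run against a real export of authorized apps, the same two checks would have surfaced the fake “Google Docs” immediately, since a genuine Google product is never published under a consumer Gmail address.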

2. The importance of immediate response

Despite how fast the attack spread, Google minimized the damage by responding immediately. If you look at this report from a Reddit user, you can see how quickly a Google employee jumped on the thread and escalated the issue to the appropriate team. The threat was resolved in less than an hour, and only 0.1% of Google’s users were affected.
Other businesses should learn from this example. Not only did Google’s team have the technical expertise to stop the threat, but they were accessible and actively listening to their users. Businesses need to have a plan in place so they know how to respond in the event of a cyber attack. Additionally, they need a reliable IT resource whom they can reach immediately and rely on to solve the issue quickly and effectively.

3. Be vigilant, and when in doubt, don’t click

Hackers and cyber criminals are always coming up with new ways to try to compromise your information. We share a lot of information with companies like Google, and while their teams are doing their best to protect that information, they can’t catch everything. Ultimately, it’s still up to you to pay attention and avoid putting your personal or business information in danger.
If there’s ever any doubt about a link or you’re not SURE you can trust a sender, don’t click. Better yet, report anything that looks suspicious. Even an email from someone you know may not be safe – it’s better to pick up the phone and verify it than take the risk. Phishing attacks often rely on people clicking without thinking, so be careful what you click!