Snapping Out of the Cloud Comfort Zone: The Google Docs Phishing Scam

May 5, 2017

People wised up to email phishing, but scammers hit paydirt with the Google Docs scam. Don’t get too comfortable with the apps you constantly use in the cloud. Learn more about protecting yourself when using these apps on a daily basis.  

There’s a very strong chance that just this week, you received an email from a sender you know inviting you to open a file in Google Docs, only for it to turn out to be a fake request. Chatter about this scam took Twitter, Reddit, and other social media sites by storm, with users urged to ignore the messages and not even log into Google Docs altogether, and it raised some questions about phishing schemes. Google disabled Docs for a short while as they worked on eliminating the threat and all is well again, but despite Google’s timely remediation, this also raises questions about the apps that we trust and use on a daily basis.

Let’s face it: phishers have had to become more inventive in order to get the information they want.

Most people with a basic sense of tech-savviness are well aware of phishing via email, where a scammer sends a bogus email that is trying to get your log-in credentials as well as sensitive information like your bank account and credit card numbers. Phishing emails have become more sophisticated in recent years, mimicking the domains and trusted users that a real email would come from, but most people are still aware of phishing to the point that they’ll ignore and delete the email if something looks off.

And usually it’s easy to tell when something is off: phishing emails often have spelling errors and email layouts that don’t match official communications from the sender they’re impersonating. Companies like PayPal also warn you about phishing scams directly in emails intended for you so that you can report spoof accounts. This attack, however, was widespread and unprecedented. People expect a phisher to try something funny with their PayPal account, but not with the group of expense reports your team was working on in Google Docs that you just invited people to.

What makes the Google Docs phishing scam so unique is that the phishers decided to go one step beyond. The Google Docs permissions screen didn’t look obviously fake. The scam worked within Google’s system by taking advantage of the fact that you can easily create a non-Google web app with a sinisterly similar and misleading name. The scam pages looked sophisticated enough that many people in higher-up positions inadvertently clicked on the permission screen, sending more fake Google Docs spam to their entire contact lists and frustrating IT departments nationwide.
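The misleading-name problem described above can be checked for from the defender's side. The following is an added example, not code from the original article: it assumes you can export the third-party apps your users have granted access to, and the record fields (`user`, `app_name`, `publisher_domain`), the allowlist and the sample data are all hypothetical.

```python
import unicodedata
from difflib import SequenceMatcher

# Assumed policy: protected product name -> publisher domains allowed to use it.
PROTECTED = {"google docs": {"google.com"}}

def normalize(name):
    """Collapse lookalike spellings: fold width and case, drop invisible
    characters, and turn punctuation into single spaces."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    visible = (c for c in folded if not unicodedata.category(c).startswith("C"))
    return " ".join("".join(c if c.isalnum() else " " for c in visible).split())

def flag_grants(grants, threshold=0.85):
    """Return grants whose app name resembles a protected product but whose
    publisher is not on that product's allowlist."""
    findings = []
    for g in grants:
        name = normalize(g["app_name"])
        for product, owners in PROTECTED.items():
            score = SequenceMatcher(None, name, product).ratio()
            if score >= threshold and g["publisher_domain"].lower() not in owners:
                findings.append({**g, "resembles": product, "score": round(score, 2)})
                break
    return findings

# Constructed sample records (hypothetical export format, not a real API response).
SAMPLE_GRANTS = [
    {"user": "alice", "app_name": "Google Docs", "publisher_domain": "docs-share.example"},
    {"user": "bob", "app_name": "Google Docs", "publisher_domain": "google.com"},
    {"user": "carol", "app_name": "\uff27oogle Docs", "publisher_domain": "unknown-dev.example"},
    {"user": "dave", "app_name": "Goog1e-Docs", "publisher_domain": "unknown-dev.example"},
    {"user": "erin", "app_name": "Trello", "publisher_domain": "trello.com"},
]

if __name__ == "__main__":
    for f in flag_grants(SAMPLE_GRANTS):
        print(f"{f['user']}: '{f['app_name']}' from {f['publisher_domain']} "
              f"resembles '{f['resembles']}' (score {f['score']})")
```

The display name is the only thing compared here, so the check is only as good as the publisher information in the export; an app that names itself something unrelated will not be flagged.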

It took a while before people realized it was a phishing scam and took to the internet to warn people from all walks of life to just take precautions and not even open anything from Google Docs, despite how familiar they are with the sender.

Snapping Out of Your Comfort Zone in the Cloud

If there’s a teachable moment to be found from this scam that fortunately was resolved quickly, it’s that you can never be too careful. Always carefully examine invites for document-sharing and collaboration to ensure that they come from the domains they claim to come from and that a trusted user initiated the invite.

Depending on your workload and how many clients or colleagues you are collaborating with, you’re likely to know in advance if a Google Docs invite is coming your way. But phishers took advantage of people because they know that it’s a common collaboration tool, and people just get comfortable in their accounts without having to do multiple log-ins to access the invite. You need to snap out of this comfort zone and pay attention to keeping your information secure.

Enable 2-factor authentication on your Google accounts and change your password every so often. If your Google Docs or other cloud account gets busy and cluttered, phishers will take advantage of that, so always get verification from your clients, co-workers, and the like if they invited you to view a document.

Phishers will only get even better at what they do, and they’re counting on your complacency. Don’t be a victim!

We're Integris. We're always working to empower people through technology.
