Google Docs Phishing Scam - Tricks User To Give Access To Malicious Third Party App

Home / TitanHQ Blog / Google Docs Phishing Scam - Tricks User To Give Access To Malicious Third Party App

Posted by C Henry on Thu, May 4th, 2017

There’s a clever phishing scam doing the rounds – the potential victim receives an email claiming to be from a Mailinator account, which they dispute is related to their service.

The email reads as follows:

Once clicking "Open in Docs," victims were asked to grant access to their account to a fake Google Docs app, which takes advantage of that access to highjack the victim's contacts list and use it to send out identical phishing emails to replicate the attack.

The sophisticated scam is very believable as it worked through Google's system. Most phishing scams try to steal personal information from victims by leading them to fake versions of real websites from an email.

Google reacted swiftly to the attack by shutting down the rogue app and adding warnings to suspected phishing emails.

What to do:

Tell your users not to click on any Google Docs invitations they received on Wednesday.
If they suspect their Google account may have been compromised: Tell them to go to https://myaccount.google.com/u/0/permissions to check what apps have authorized access. If they see a "Google Docs" app authorized on Wednesday they should remove it as well as any other apps they don't recognize.
Make sure you're prepared for additional phishing emails.

Google issued a number of statements detailing what happened and how it's protecting users from such exploits explaining that fewer than 0.1% of Gmail users were affected. They were also able to stop the scam within approximately one hour.

While phishing techniques are getting more sophisticated, there are lots of things users can do to avoid being phished. IT pros need to ensure their organization deploys a powerful spam filter that scans inbound and outbound email, provides RBL blocking and pattern filtering. Spam filters vary in effectiveness and are only part of the solution to preventing intentionally malicious attacks — especially phishing emails.

Be on the lookout.

All I want for Phishmas is…next-generation inline phishing protection (ICES)

Selina Coen

Discover the risks of holiday phishing and fortify your defenses with TitanHQ's ICES solution, PhishTitan—read now to secure a safe and joyous festive season.

28 Nov

Cy-BOO!-Security Awareness Month Competition Winning Entries

Selina Coen

Explore the chilling tale that won our Cy-BOO! Security Awareness Month Competition, revealing the eerie truths of cybersecurity in a hair-raising narrative.

19 Oct

Cyber Horror Stories of 2023: Unmasking Terrifying Breaches

Selina Coen

Step into the spine-chilling world of cybersecurity horrors this Halloween season. Uncover hair-raising tales of data breaches and cyber threats haunting major companies in 2023.

Get Your 14 Day Free Trial

Talk to Our Email and DNS Security Team

Call us on USA +1 813 304 2544 or IRL +353 91 545555

Google Docs Phishing Scam - Tricks User To Give Access To Malicious Third Party App

Be on the lookout.

Related Articles

All I want for Phishmas is…next-generation inline phishing protection (ICES)

Cy-BOO!-Security Awareness Month Competition Winning Entries

Cyber Horror Stories of 2023: Unmasking Terrifying Breaches

Never Miss a Blog Post

Talk to Our Email and DNS Security Team