Every savvy computer user knows to be wary of things like email attachments and hyperlinked text, especially (though not solely) when receiving an unexpected communication. It does not matter if the communication comes from a trusted source or not. In case anyone needs reminded of this, there is yet another phishing scam making the rounds, this time in attempt to dupe users through Gmail and Google Docs.
This latest scam is rather sophisticated. It is basically a computer worm masquerading as an email from a trusted contact. It asks the recipient to check out an attached Google Docs (or GDocs) file. Clicking on the link then takes the recipient to a legitimate Google Security page where they're asked to give permission for the malicious app posing as a Google Docs file. The permission request is to manage the recipient's email account.
It all looks very real to the recipient. The subject line indicates that a specific contact "just shared a Google Doc with you," which is how a legitimately shared Google Docs would appear in someone's inbox. If a user falls for this scam, the attacker gains robust permissions across his or her Google accounts.
The hack only works to full effect when a person when permission is granted, though if someone clicks on the link, it forwards the email to everyone on that person's contact list. That gives this phishing scam a great chance at succeeding and spreading—even though a user may have figured things out before giving permission, having simply clicked on the link would be enough to give the malware an opportunity to dupe someone else.
Google is aware of the scam and is taking steps to prevent it.
"We've pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again," Google said in a statement. "We encourage users to report phishing emails in Gmail."
A Google spokesperson told BuzzFeed that fewer than 0.1 percent of Gmail users have been affected by this latest phishing scam. There are currently more than 1 billion Gmail users in all, so that breaks down to under 1 million users. The number could have been higher, except that Google claims it was able to stop the campaign within an hour.