Google Docs phishing scamGmail users have already faced one advanced scam at the beginning of this year, so when the news broke yesterday that yet another round of eerily convincing phishing emails was making the rounds, many people were probably shaking their heads and saying, “Not again.” It’s no secret that phishing scams have grown rapidly in sophistication over recent years, as we saw this past tax season with thousands of companies and individuals alike falling victim to schemes designed to steal employee W-2s and other information. Wednesday’s attack, which reportedly targeted — among others — a number of news media members, including reporters from Buzzfeed, Motherboard and CNN, spread rapidly and was quashed by Google just as quickly, but made a definite impact. Keep reading to learn the details of this Google Docs phishing scam and why protecting your Google account in this instance was not as simple as changing your password.

Scammers created a fake Google Docs app to trick users into logging in

As reported by multiple outlets, on May 3, a phishing campaign was launched against Gmail users. The email was designed to look like an invitation to view a file through Google Docs, and when clicked, it took users to a realistic looking page which prompted them to connect their Google account to a fake app. Once connected, the app gained access to their email account and contacts, resulting in the spamming of their contacts with the same phishing email. It’s unclear who is behind the attacks, what their purpose is or how widespread it was, though it is believed that approximately 0.1% of its total Gmail users were impacted — which equals out to about 1 million of its more than 1 billion active monthly users. Official statements made by Google on Twitter indicated that it shut down the attack within an hour.

Changing your password is not always the answer

Although changing your passwords on a regular basis, and especially if you think you may have been victim of phishing or some other kind of scam, is certainly not a bad idea, it isn’t always the answer. In the case of this Google Docs phishing scam, affected users who merely changed their passwords would not be free from danger. Google uses a technology called OAuth that creates security tokens to allow them to log in or connect to different apps without requiring a password. It’s similar to the way you can log in to certain apps or websites using your Facebook account. The scammers in this case created a malicious app, designed to look legitimate, which users who fell for the scam connected to their Google accounts. Therefore, the only way to fully get clear from this scam is to check your account permissions and remove or revoke its access to your Google account.


You can do this through Google’s Security Checkup process, or by navigating directly to the app permissions page through your Google account settings. You want to look for an app called “Google Docs” and make sure you click the “Remove” button. It’s important to remember that if you use multiple Google accounts, you check the app permissions for each account to ensure that no other accounts were compromised. In general, it’s a good idea to regularly check this page to ensure that no apps or sites are connected to your account that you don’t want to have access. In this instance, Google acted quickly to remove the fake pages and apps that the scammers were using, but that isn’t always the case. It’s up to users to do their due diligence as well and keep an eye on their online privacy settings.

What’s the takeaway from all of this?

Using common sense and thinking before clicking on links is one of the best defenses you have online when it comes to phishing scams and other schemes, but as this Google Docs phishing scam proves, even the more savvy users fall for sophisticated scams from time to time. Therefore, you can also do your part to protect yourself by regularly reviewing your security and privacy settings for each social media site, email account or other website you use to ensure that you aren’t missing any signs that something is awry (and that you are using secure protections, such as two-factor authentication, when available).

Learn more about protecting your privacy and identity online by following our identity theft protection blog.