With about 1 billion users all over the world, Gmail is an attractive target for identity thieves looking to launch phishing scams. Email recipients are getting much more savvy when it comes to these scams, though, and are learning to find red flags that signal an email or website may be phony. Of course, with this increased awareness, that means cyber criminals are also getting better at creating more authentic-looking phishing scams—which is exactly what happened this week with Gmail.
On May 3, 2017, word started to spread that some Gmail users were getting fake invitations to view Google Docs. The emails came from trusted contacts and notified the users that these people wanted to share an attached Google Doc. After an individual clicked on the invitation, it took them to a real Google security page. On that page, the person was prompted to allow a fake Google Docs app to manage his or her email account.
Once the app gained permission, the attackers had the potential to access everything in that person’s Gmail account—that means any personal data sent via email could be harvested, and passwords for not just Gmail but other website accounts could be reset and hijacked. The app also sent the same fake invitation to everyone in the victim’s contacts, which is what let it multiply and spread like a worm.
The damage that could have been done is astronomical, but luckily, Google took control of the situation pretty quickly; the problem was taken care of within an hour. Google says they “disabled” the affected accounts and sent updates to all users. The company also said contact information was accessed and used by the scam artists, but it does not appear that any other data was exposed. In total, it’s believed that about 1 million Gmail users were affected by this phishing scam.
If you think you may have been a victim of the Gmail phishing scam, visit Google’s Security Checkup page. Under “Account Permissions,” check whether any third-party apps have been granted access to your account. If the fake Google Docs app is there, or any other app you don’t recognize, revoke its access to keep your account private.
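The check above can be scripted for a whole organisation. The following is an added example, not code from the article or from Google: it triages a list of third-party OAuth grants (the record shape, with clientId, displayText and scopes, is an assumption modelled on what an admin token export looks like) and flags the pattern this worm used, a third-party app named like a Google product that holds Gmail and Contacts scopes. The sample grants and the approved client ID are constructed.

```python
# Added example (not from the article or Google): triage third-party OAuth grants on
# a Google account and flag the 2017 worm's pattern: a third-party client whose
# display name impersonates a Google product and which holds Gmail/Contacts scopes.
# Field names (clientId, displayText, scopes) are assumed; sample data is constructed.

SENSITIVE_SCOPES = {  # real Google scope URLs and what each one grants
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify Gmail",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read contacts",
}
# Google's own apps never appear as third-party grants, so a third-party grant
# carrying one of these names is impersonation, whatever scopes it holds.
GOOGLE_PRODUCT_NAMES = {"google", "google docs", "google drive", "google sheets", "gmail"}
# Client IDs an organisation has reviewed and approved (constructed placeholder).
APPROVED_CLIENT_IDS = {"123456-approved-calendar-sync.apps.googleusercontent.com"}

def triage_grant(grant, approved=APPROVED_CLIENT_IDS):
    """Return (verdict, reasons) for one grant; verdict is 'ok', 'review' or 'revoke'."""
    name = " ".join(grant.get("displayText", "").lower().split())  # normalise spacing/case
    impersonates = name in GOOGLE_PRODUCT_NAMES
    reasons = []
    if impersonates:
        reasons.append(f"third-party app impersonates Google product name '{grant['displayText']}'")
    held = sorted(SENSITIVE_SCOPES[s] for s in set(grant.get("scopes", [])) & SENSITIVE_SCOPES.keys())
    if held:
        reasons.append("holds sensitive scopes: " + ", ".join(held))
    if grant.get("clientId") in approved and not impersonates:
        return "ok", reasons          # approved apps may legitimately hold mail scopes
    if impersonates or held:
        return "revoke", reasons      # unknown app with dangerous access, or a fake
    return "review", reasons or ["unrecognised app with no sensitive scopes"]

def triage_all(grants):
    """Map each clientId to its verdict so an admin can act on the 'revoke' set."""
    return {g["clientId"]: triage_grant(g)[0] for g in grants}

SAMPLE_GRANTS = [  # constructed records, not real client IDs
    {"clientId": "999999-fake.apps.googleusercontent.com", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"]},
    {"clientId": "123456-approved-calendar-sync.apps.googleusercontent.com", "displayText": "Acme Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "555555-notes.apps.googleusercontent.com", "displayText": "Notes Helper",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
]

if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        verdict, reasons = triage_grant(g)
        print(f"{verdict:7} {g['displayText']}: {'; '.join(reasons)}")
```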