On Wednesday, a fresh email scam swept through millions of inboxes: millions of Gmail users received a message suggesting that a friend or colleague had shared a Google Doc with them.
Early reports indicated that the scheme was geared toward journalists, with up to 150 illicit messages being sent per minute; Google eventually reported that up to 0.1% of its one billion active accounts were affected. The email, which appeared to be addressed to an address like firstname.lastname@example.org with specific addresses listed under BCC, tricked users into thinking a real document had been shared with them and asking for them to click on an “Open in Docs” button. That led to a page that asked for permission to access a user’s Google Drive and contact list — another click would then lead to the fake email being sent out to everyone in the affected person’s address book.
If you fell for the scam, don’t worry — the damage was quickly mitigated, as Google disabled accounts connected to the offending email and stemmed the phishing tide within one hour. Google released the following statement:
“We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”
Aside from email contact lists and third-party app permissions, it’s not clear what other kind of information scammers were after. But in this day and age, an event like this demonstrates that anyone is vulnerable to cyberattack, and any Google user should use this as motivation to review their privacy settings and enhance their online protections by reviewing the following steps.
If you aren’t sure how to do the following steps, or are worried about how they might impact your business, contact Hoola Tech.
- Change your Google password! This is the easiest way to quickly enhance personal security. Visit myaccount.google.com, click on “Signing in to Google,” click on “Password,” and change it to something unique, with a mix of upper- and lower-case letters, numbers and symbols that add up to a password longer than eight characters.
- Activate two-factor authentication.
Even if hackers did manage to steal important information using yesterday’s scam, two-factor authentication, which requires both a password and a unique code delivered to you via text message or email, would prevent them from compromising your account. From myaccount.google.com, click on “Signing in to Google” again, then click on “2-Step Verification” and enable it. If 2-fact authentication is available on any of your accounts, use it!
- Perform a Google Security Checkup.
This process checks your settings and activity to ensure that you have approved the third-party apps and other plug-ins that can access your Google account. If scammers got in yesterday and changed any settings, you can block them using this process. Click myaccount.google.com/secureaccount and follow along as everything is double-checked. It’s a good idea to perform this a few times a year, particularly after any newsworthy scams occur.
- If you receive further suspicious emails, report them as junk or spam to your email hosting service or IT provider.
Every Gmail user who immediately received the Google Docs scam yesterday and reported it as junk to Google helped them quickly identify and resolve the problem. Even the best technology requires smart, savvy human beings whose insight and intelligence can help things work properly.
If you would like to improve the IT security of your company, consider switching to Hoola Tech! We help make sure you can worry less about your I.T. and more about growing your business.