Today I was in a groove, productively going through e-mails, knocking out replies and tasks like it was nobody's business. Then all of a sudden, I fell for it. I can't believe I fell for it. I KNOW BETTER. Seriously, I can't believe I DID IT! Then I realized, at some point, we have all done it. "Done what?" you ask. Well, at some point, we have all fallen for (or will fall for) the VERY convincing bait and click.
And click my productive pointer finger did.
I clicked and opened the "You have just received a Google Doc from (insert e-mail contact name here)" e-mail I thought a client had sent me. I know. I know what you are thinking, "WHY would you click on it, it was so OBVIOUSLY a hacked e-mail?" Well, I clicked because I do receive legitimate Google Docs requests on a regular basis. I clicked because I was in a productive mode. I clicked because I wasn't thinking, and I didn't realize until it was too late that this e-mail was NOT LEGIT.
At first I panicked. I thought, "Oh no, I clicked, what do I do, I think I just broke the internet." That is when my sanity quickly clicked into hyper drive and I went on full alert to remedy my click-happiness:
1. Go to your Gmail account’s permissions settings at https://myaccount.google.com/permissions.
2. Remove permissions for “Google Docs,” the name of the phishing scam.
This snippet of advice from Sarah Jeong is also helpful:
I am a pretty seasoned pro and rarely fall for these kinds of scams. If I fell for it, I thought others might too. To help yourself become more tech savvy, we recommend checking out our Cybersecurity classes. We have classes for any level of user (newbie to super techy). I hope my experience helps you. This is an excellent article from Jake Swearingen over at NYmag.com. We hope it is helpful for you too.
"A very convincing Google Docs phishing scheme is racing around the internet right now, which means you should avoid clicking any weird Google Docs that have been emailed to you recently — even if it’s from someone you know. It’s spreading incredibly quickly.
If you click the link, it asks for some access permissions to your Gmail account (which actual Google Docs links would not need), and then spams everyone in your contacts with a link to a Google Docs file. They, in turn, email everyone in their contacts, and so on. All of them seem to include the email address “firstname.lastname@example.org.”
What exactly the phishing accomplishes is unknown, but there’s an excellent explanation of how it works on Reddit: "New Google Docs phishing scam, almost undetectable from google"
It’s not the first time Google Docs has been used like this. There were widespread Google Docs email scams in 2014, 2015, 2016 — if you stare hard at those numbers, you can almost see a pattern forming. This one does seem to be more subtle and advanced; it only asks for permissions, not that users enter their password. It’s also widespread — hitting media organizations, technology companies, and entire schools.
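The permission review in steps 1 and 2 above can also be run over a list of app grants. The sketch below is an added example, not part of the original post or the quoted article; the record layout, the trusted-client list and every sample value are assumptions constructed for illustration.

```python
import unicodedata

# Names a third-party app may borrow to pass as a first-party Google product.
PRODUCT_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

# Google OAuth scope prefixes that grant mail or contact access.
SENSITIVE_SCOPES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/contacts",
)

# Assumption: client IDs you have already verified as legitimate.
TRUSTED_CLIENT_IDS = {"verified-client.example"}

# Constructed sample grants; field names and values are hypothetical.
GRANTS = [
    {"clientId": "constructed-1.example", "displayText": "Google Docs",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"clientId": "constructed-2.example", "displayText": "Calendar Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "constructed-3.example", "displayText": "Mail Merge Tool",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
    {"clientId": "verified-client.example", "displayText": "Google Drive",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]

def normalize(name):
    """Fold case, width variants and extra spaces before comparing names."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def verdict(grant, trusted=TRUSTED_CLIENT_IDS):
    """Return 'revoke', 'review' or 'ok' for one grant record."""
    if grant["clientId"] in trusted:
        return "ok"
    borrowed = normalize(grant["displayText"]) in PRODUCT_NAMES
    sensitive = any(s.startswith(SENSITIVE_SCOPES) for s in grant["scopes"])
    if borrowed and sensitive:
        return "revoke"   # product name plus mail/contacts access: the pattern above
    if borrowed or sensitive:
        return "review"   # one signal only: needs a human look
    return "ok"

def audit(grants):
    """List (app name, action) for every grant that is not 'ok'."""
    return [(g["displayText"], verdict(g)) for g in grants if verdict(g) != "ok"]

if __name__ == "__main__":
    for name, action in audit(GRANTS):
        print(f"{action:7} {name}")
```

The name check only folds case, width and spacing, so a grant with mail or contacts access still deserves a manual look even when its name is unfamiliar.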