A new Google Docs phishing scam just reared its head a few hours ago, and it’s spreading like wildfire. Google appears to be taking action to stop it, but in the meantime: be super, super wary of Google Doc invites for now. If you fall for this one (and plenty of otherwise eagle-eyed people have already), it’ll blast out the bait to everyone on your contact list.
Here’s what you need to know:
- Clicking the link takes you to a real Google-hosted page, with a list of your Google accounts ready to click
- It asks you to select an account and provide an app called “Google Docs” — yes, they were somehow allowed to name a third-party app “Google Docs” — with account permissions
- As soon as you click the “ALLOW” button, this not-at-all-actually-Google Docs app now has permission to read your emails and email all your contacts… the latter of which it’ll start doing pretty much immediately, spreading the worm to pretty much everyone you’ve ever emailed.
This one is super sneaky; pretty much the only way to detect it before falling for it is to click the small “Google Docs” link on the actual Google-hosted page and notice that the developer info seems… off.