Google Docs phishing scam

Photo(Jennifer Abel @ ConsumerAffairs) There's a dangerous new phishing scam, first discovered by security experts at Symantec, that seeks to steal the passwords and other confidential information of any Google account holder.

It's quite sophisticated compared to most phishing attempts, but even so: you should be able to protect yourself provided you pay extra-close attention to details, and also remember the phishing-protection rule “Don't call us; we'll call you.”

Here's how the newest scam works: you, the would-be victim, get an email with the subject heading “Documents”; the body of the email includes a link to an “important” Google Docs document.

Hopefully, if you'd received such an email you'd already know to ignore it, since it's neither personally addressed to you nor from any sender you actually know and recognize. But suppose you decided to click on this unknown link from an unknown sender anyway — what would you have found?

Looks convincing

Here's where the sophistication of this new scam comes in. In most phishing attempts, if you clicked on such a link (and did not immediately infect your computer with all sorts of malware as a result), you'd usually be taken to a page whose address, visible in your browser bar, is obviously not that of the company the scamsters are pretending to be – as in, you get a fake email allegedly from Google, but the link leads to a page with an unfamiliar (and distinctly not Google) web address.

However, as the official Symantec security blogger warned on March 13, if you click on this new Google-based phishing link:

“[T]he link doesn't go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is shown. The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages.”

In other words, you think you're logging in to your actual Google account, so you type your email address and password as usual, not realizing that your password is not being read by the real Google to verify your identity, but by phishing scammers to steal your identity.

Still not too late

However, even if you were caught off-guard enough to click on the unsolicited Google Docs link that some unknown sender e-mailed you, it's still not too late to detect certain details indicating a scam. Remember two sentences ago, when we said “you type your email address and password as usual”? That's the detail which sharp-eyed Google account holders should recognize as scammy: usually, when logging into legitimate Google accounts from your own computer, you don't have to type your email address at all, only your password.

As Gizmodo writer Adam Clark Estes pointed out: “if you show up at the log-in screen, you should notice that it doesn't recognize you as a Google user (if you are a Google user).”

Note to non-Google users who don't understand what Estes is talking about here: if you have a Google account, or more than one, anytime you visit a genuine Google page it will recognize you, and you'll see your name, avatar and other personal features as applicable — although you still won't be allowed access to your Gmail or any other personalized, password-protected Google things until you actually type in your password and only your password — your actual you@gmail.com email address is already there.

But with this fake Google phishing scam, you only get a generic login page requiring you to type not just your password, but your email address itself; the genuine Google login pages only require this if you're accessing your account from a public computer, or a brand-new one you've never used to sign in to Google before.