How I Almost Fell for the “Google Docs” Phishing Scam

Less than an hour ago, I received an email saying that a former student had invited me to view a Google Docs document. I hovered over the link and saw that the URL was one at Google, beginning with https://accounts.google.com/o/oauth2/auth.

I followed the link and went to a Google login page. My Google accounts were listed there. But a suspicious feeling gave me pause, and I closed the “Google accounts” window.

Some moments ago, I learned that this wasn’t an ordinary phishing attempt. It is one of the more clever phishing attempts in recent memory.

  1. You get an email from a known contact.
  2. The “Open in Docs” link is to a google.com domain.
  3. You are taken to a Google accounts page, where you grant access to the fake “Google Docs” app.

The scam is “well designed” in that it doesn’t try to steal your credentials—username and password—but instead gets you to grant the scammers complete access to your Google account. Even a strong unique password and two-step authentication won’t protect you, because you approve the access yourself from a session in which you are already signed in.
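A defender-side check for the point above, added here as an example and not taken from the original post: it parses a link from an email and reports when a genuine accounts.google.com URL is actually an OAuth consent request for a third-party app. The sample link, its client ID, the redirect host and the BROAD_SCOPES set are constructed assumptions, not values from the real campaign.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: scopes treated as high-risk for an unfamiliar app.
BROAD_SCOPES = {
    "https://mail.google.com/",                  # full Gmail access
    "https://www.googleapis.com/auth/contacts",  # read and change contacts
}


def inspect_consent_link(url):
    """Return (details, warnings) for a link found in an email."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    redirect = query.get("redirect_uri", [""])[0]
    details = {
        "host": parts.hostname or "",
        "client_id": query.get("client_id", [""])[0],
        "redirect_host": urlsplit(redirect).hostname or "",
        "scopes": query.get("scope", [""])[0].split(),
    }
    warnings = []
    if details["host"] != "accounts.google.com" or not parts.path.startswith("/o/oauth2/"):
        return details, warnings  # not an OAuth consent link
    warnings.append("OAuth consent request: approving grants a third-party app access; no password is asked for")
    rh = details["redirect_host"]
    if rh and rh != "google.com" and not rh.endswith(".google.com"):
        warnings.append(f"app is operated from {rh}, not Google, whatever name the consent screen shows")
    risky = sorted(BROAD_SCOPES.intersection(details["scopes"]))
    if risky:
        warnings.append("broad scopes requested: " + ", ".join(risky))
    return details, warnings


# Constructed sample link; every parameter value here is a placeholder.
SAMPLE = (
    "https://accounts.google.com/o/oauth2/auth"
    "?client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&redirect_uri=https%3A%2F%2Fdocs-viewer.example%2Fcallback"
    "&response_type=code"
)

if __name__ == "__main__":
    info, notes = inspect_consent_link(SAMPLE)
    print(info)
    for note in notes:
        print("WARNING:", note)
```

The hostname check that looks reassuring when hovering over the link passes here; the warnings come only from the query parameters, which is where the third-party app is identified.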

I alerted a few colleagues earlier today, and as I did so, I felt like I was forwarding some chain mail–type warning that would have circulated twenty-odd years ago.
