Why the latest Google phishing scam was so successful

Gmail had a rough week as many people fell for a phishing scam that took over Gmail accounts all over the country. In a world where everyone is told to be suspicious of every email, why was this one so convincing? More importantly, how can you protect yourself from falling for a similar attack in the future?

The first problem was that it had none of the telltale markers of a typical scam email. The grammar and punctuation were on point, and there were no glaring mistakes, because the message was copied exactly from the legitimate notification Google sends when someone shares a Google Doc with you. One detail is easy to overlook: a real sharing notification includes the name of the shared file, both in the body and in the subject line. This time there was no file name, because nothing was actually being shared. The link pointed at a third-party application the attacker had registered under the name “Google Docs”. Because the app was registered with Google, every page you clicked through was hosted by Google itself, which made the scam extremely easy to fall for.

It also came from a trusted contact. The sender was a friend who had already fallen for the scam, and whose account was now being used to spread it.

Since it was an application registered with Google, it sent you to a real Google login page. This should be one of your first red flags. If a friend shares a document with you, it simply opens, especially when you are already logged into the account it was shared with. Being asked to log in or authorize something to view a “document” means you are dealing with an application, not a file.

After you log in with your Google account, you are asked to allow the “document” to read, send and manage your email and to manage your contacts. This is where your scam warning detector should start blaring in your ears. Any time you are asked to press “Allow” on ANYTHING, think twice before hitting that button. Once you grant the app those permissions, it reads your contact list and emails every one of them the same lure from your account.

The scary thing about this scam is that a simple password change is not the fix. You never gave the attacker your password; you granted an application its own access to your email, in exactly the way you authorize a third-party mail app on your phone or any other app you connect to your Google account. That access has to be revoked on its own. And email is the master key to a lot of other accounts: every “forgot password” link becomes a window into your entire life.

To make sure you revoke the malicious app’s access, do a Google Security Checkup today. It lists every program and application that has access to your account and lets you revoke ANY of them you don’t recognize. It’s a great idea to check it once a month.
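The checkup above is a manual review, but the decision it asks you to make can be written down. The script below is an added example (not from the original post and not a Google tool) that audits a list of apps with access to an account and flags the pattern this scam used: a third-party app carrying a Google product name, granted the Gmail and Contacts scopes, that you do not remember authorizing. The scope strings are Google's real OAuth scope identifiers; the sample apps, the list of recognized apps and the revoke/review/ok rules are constructed for illustration.

```python
"""Audit third-party apps authorized on a Google account (added example, not Google code)."""
from dataclasses import dataclass

# Real Google OAuth scope identifiers. The 2017 "Google Docs" lure asked for the
# first and third of these: full control of Gmail plus the ability to manage contacts.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage all your email",
    "https://www.googleapis.com/auth/gmail.send": "send email on your behalf",
    "https://www.googleapis.com/auth/contacts": "read and modify your contacts",
    "https://www.googleapis.com/auth/contacts.readonly": "read your contacts",
}

# First-party Google product names. Google's own products do not need an entry in
# your third-party access list, so a third-party app using one of these names is
# impersonating Google.
GOOGLE_PRODUCT_NAMES = {
    "google docs", "google drive", "google sheets", "google slides",
    "gmail", "google calendar", "google photos",
}


@dataclass
class AuthorizedApp:
    name: str          # display name shown on the consent screen
    scopes: tuple      # OAuth scopes the app was granted
    granted_on: str    # ISO date the user clicked "Allow"


@dataclass
class Finding:
    app: str
    verdict: str       # "revoke", "review" or "ok"
    reasons: tuple


def normalize(name):
    """Collapse case and whitespace so 'Google  DOCS' matches 'google docs'."""
    return " ".join(name.lower().split())


def audit(apps, recognized):
    """Return one Finding per app. Rules (constructed for this example):
    revoke if the app impersonates a Google product, or if it is unrecognized
    and holds a high-risk scope; review if anything else looks off; ok otherwise."""
    recognized_norm = {normalize(n) for n in recognized}
    findings = []
    for app in apps:
        reasons = []
        impersonates = normalize(app.name) in GOOGLE_PRODUCT_NAMES
        if impersonates:
            reasons.append("third-party app uses a Google product name")
        risky = [HIGH_RISK_SCOPES[s] for s in app.scopes if s in HIGH_RISK_SCOPES]
        if risky:
            reasons.append("broad scopes: " + "; ".join(risky))
        unknown = normalize(app.name) not in recognized_norm
        if unknown:
            reasons.append("not an app you remember authorizing")
        if impersonates or (unknown and risky):
            verdict = "revoke"
        elif reasons:
            verdict = "review"
        else:
            verdict = "ok"
        findings.append(Finding(app.name, verdict, tuple(reasons)))
    return findings


def to_revoke(findings):
    """Names of the apps that should be revoked immediately."""
    return [f.app for f in findings if f.verdict == "revoke"]


# Constructed sample data: what a third-party access list might look like the
# week of the scam. Only the entries are made up; the scope strings are real.
SAMPLE_APPS = (
    AuthorizedApp("Google Docs",
                  ("https://mail.google.com/",
                   "https://www.googleapis.com/auth/contacts"), "2017-05-03"),
    AuthorizedApp("Desktop Mail Client", ("https://mail.google.com/",), "2016-11-20"),
    AuthorizedApp("Recipe Planner",
                  ("https://www.googleapis.com/auth/calendar.readonly",), "2017-01-09"),
    AuthorizedApp("Photo Backup",
                  ("https://www.googleapis.com/auth/drive.file",), "2016-03-01"),
)
# Apps the (hypothetical) user knows they set up on purpose.
RECOGNIZED = ("Desktop Mail Client", "Photo Backup")

if __name__ == "__main__":
    for f in audit(SAMPLE_APPS, RECOGNIZED):
        print(f"{f.verdict.upper():7} {f.app} (granted {[a for a in SAMPLE_APPS if a.name == f.app][0].granted_on})")
        for r in f.reasons:
            print(f"         - {r}")
    print("Revoke now:", to_revoke(audit(SAMPLE_APPS, RECOGNIZED)))
```

The verdict rules encode the advice in the post: an app named after a Google product has no business in a third-party list and is revoked on sight; a recognized mail client with full Gmail access is left in place but flagged for review, since that is the same level of access the worm abused; and an app you do not remember at all is at least worth a look even with harmless scopes.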

Don’t be that person, spot the scams before they happen!