A malicious phishing scam is bypassing spam folders and creeping into inboxes far and wide on Wednesday. In this case, it's some sophisticated malware masquerading as an invitation to join a Google Doc — and if you've received one or more of these convincing emails, it likely appeared to be from someone you know. And as journalists and others are taking to social media to warn one another of this potentially dangerous scam, it's important to get up to speed on what the fake Google Docs emails are in order to avoid falling prey. So, first things first: If you receive an out-of-the-blue invite to join a Google Doc — even if it's from your boss or your best friend — double-check its authenticity with that person directly before proceeding.
That's because it's very likely that what you've actually received is not a real invitation to join a Google Doc at all. Instead, the scam is operating by disseminating a third-party web app that's merely called Google Docs, according to The Verge. For the unknown number of victims of the widespread attack who clicked the link, doing so caused the email to be forwarded to everyone in their contacts, according to BuzzFeed News. The victims who went a step further and granted the phishers access to their Google accounts from a real Google webpage surrendered access to "a vast amount of personal data," BuzzFeed's Blake Montgomery wrote.
Right now, it's unclear who is behind the scam and what that person, persons, or entity's true goal is.
Journalists from BuzzFeed, The Verge, Business Insider, The Atlantic and more have been targeted. Some school districts have as well. According to Gizmodo, the bogus emails are addressed to "hhhhhhhhhhh," and they look a little off from Google's normal emails. Still, the subject line is identical to the one that would announce the arrival of a legit Google Docs invite: "[Someone in your contacts] just shared a Google Doc with you." But, again, unless you speak with that person directly and learn otherwise, it's smart to assume that they did no such thing, and that following through on this could mean a breach of personal security.
Quartz reported that this specific scam is particularly notable in 2017 because lots of people began receiving it at the same time. Also, it sailed straight through their spam filters and into their inboxes. That's a very early-2000s phenomenon.
In short, beware the Google Doc.