Poor journalists. These days they simply cannot catch a break. They're getting called out by President Trump as being "fake" media whenever they happen to question him. Ditto his advisers, and double ditto his supporters. And now, on top of everything else, journalists have been targeted by a new phishing scam that's more sophisticated than your average bear. If you happen to get or open the fake Google Doc invite, there are a few steps you can take to avoid further breaches of your privacy.
According to Gizmodo, a vast number of journalists from media outlets like BuzzFeed, Vice, and New York magazine were sent an unsolicited email inviting them to open a Google Doc. While Gizmodo reported that the email invite might not look quite right, it looked legitimate enough to fool more than one person. One thing to watch for, as BuzzFeed noted, is that the phishing email appears to be addressed to firstname.lastname@example.org, while the actual email address of the user is in the BCC line. Once the email has been opened, the user is taken to a new page that asks them to click a link granting access to their entire Google account. That link is how the hacker would be able to implant malware, steal information, or commit any number of other misdeeds.
An unknown organization began the phishing attack around 11:30 a.m. Pacific Time on Wednesday. And while journalists have been targeted, they are by no means the only ones. Many school districts and libraries are also reporting that they have been attacked by this phishing scam.
If you happen to open the Google Doc or are worried that your account has been compromised, there are steps that you can take. If you clicked on the link to the bogus Google Doc:
- Change all of your passwords immediately (while it doesn't look as though the attack was intending to collect login information, it's better to be safe than sorry)
- Send an email to your contacts posthaste advising them not to open the invitation to the Google Doc
- Go to the Google Security Checkup and go through the checklist.
- Pay close attention to the Account Permissions section. Check for "Google Docs," and remove it. It's not the real Google Docs.
If you open the Google Doc, every person you have ever emailed will be emailed the same invitation, which means each person on your email list can be hacked by the same cyber attack. Nobody appears to know precisely what this widespread scam is hoping to accomplish, according to The Atlantic. Whether the hackers are hoping to gain personal information or credentials, or to install malware, is still up in the air.
But there is one thing IT experts agree on: this phishing attack was fast, efficient, sophisticated, and dangerous.