someone typing with warning sign

Google Docs Scam Email Causes Chaos

Published 17 August 2022

Chaos caused when Google docs were hit by a phishing scam. 

Earlier this month, Google users were shocked to discover that a phishing scam had been targeted at them; personal and business users alike. Emails were sent out to millions of users, all claiming to be from Google themselves. We had a look at these emails and they did a very good impression of Google’s own automated emails, which are generated when someone shares a Google Doc with you. The links within the email, if clicked (don’t), took users to a genuine Google login page, asking for Google Docs to be granted permissions to various elements of your Google account. This is a standard screen for Google users, so many people accepted. However if access was granted, the hackers behind the email then had access to all data stored in the users Google account. For business users who utilise Google Drive for storage or backup of their company data, this made their blood run cold. From examination, the hackers can only gain this access if the victim allows the request, but if the links in the email were clicked it did also send the email to everyone in your contacts list, spreading it further. So, what can we learn from this?

The Danger Of Hyper-Connection

Well the first thing worth noting is that Google users were the intended targets here, and there may be a very good reason for that. Google has always been a firm advocate of connectivity and sharing of information across devices. Unfortunately this means that all of your data is being stored in a centralised cloud server and distributed to all of your devices from there, making it much easier to access than if it were spread out. This scam serves to highlight some of the dangers of hyper connectivity in the modern world. In the past, a hacker would have to work quite hard to get hold of your data, as it would all be stored in different places. If they wanted information from your computer and your phone, they would have to crack both of those devices to get it. But thanks in part to Google’s technological advances, hackers only have to get their hands on your Google logins in order to access everything they need, from files to business data, passwords and even bank logins, if stored in Google Chrome’s keychain.

Hackers Are Getting Smarter

As quickly as advances happen, hackers are quick to catch up and then overtake them. This particular attack was a very sophisticated and well planned one – much more so than the usual phishing attempts we see. This, combined with some other examples, leads us to believe that scammers are responding to the general public’s increased knowledge of what to look out for, and are trying out new ways to fool people. For example, we have always advised people to check the spelling and grammar of any suspicious looking emails – as this is a big giveaway for phishing. But these new schemes have featured flawless English. Imitation of well-known brands is common, but never to this level of sophistication. This is the reason that so many people were fooled by this scam – just shy of half a million users in fact – it was very well done indeed.

Using Genuine Links For Nefarious Purposes

The final reason this attack was so successful is simple – the phishing email used a genuine link to a genuine Google page to entice people into clicking. An easy tell for a phishing email is hovering over any links with your mouse to give you a preview of the link location. This will either show you the real site and prove the email to be genuine, or a strange URL likely to contain malware. But this attack sent users to a genuine Google sign-in screen, creating confidence that users weren’t being scammed. But from filling in their details on this page they are asked to ‘continue to Google Docs’ and that’s where the ingenuity happens. This sends you to a third-party web app that is simply named Google Docs, which gives phishers access to your email, address book and anything else kept within your Google account. It is working within Google’s system and taking advantage of the fact that you can create a non-Google web app with a misleading name.

Google has already reacted to this and shut down access to the million accounts affected in that short space of time. If you did click on this email, you can revoke future access by going through Google’s ‘connected apps and sites’ page, where it will appear as ‘Google Docs.’ For business owners who rely on Google Drive as their storage and backup, this scam is a rather startling jolt to their comfortable environment. While it may be difficult to admit, sometimes simply using an out-of-the-box third-party solution just isn’t secure enough, particularly when you are handling sensitive information of any nature.


For more information on how Bridewell’s services can support your organisation, get in touch with our team for a confidential conversation.