Life

What To Do If You Open The Google Doc Phishing File

by Kiersten Hickman

If you're at all active on Twitter or social media, it's likely you've heard of the Google Doc phishing attack causing some uproar amongst faithful Gmail users. (Bustle has reached out to Google for comment on this attack, but has not yet heard back.) On the bright side, though, attacks like this have happened in the past, and there are ways to prevent (or fix) anything that has happened. If you or someone you know has fallen victim to this, then I’m sure you’re wondering what to do next if you unfortunately open the Google Doc phishing file.

(Update: In a comment to Bustle regarding the attack, Google stated, "We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.")

First, here’s how to look out for it: If you receive any Google Doc links that have a generic “Documents” or some other label, that should be your first red flag. Don’t open anything if you may not know what it is or who it’s coming from. However, there have been some cases where you will know who the file is coming from — but this can still be the attack, because it seems the Google Doc is being sent to people from email addresses they know. The trick is to check who is cc'ed on the email. During the most recent attack on May 3, some people have received Google Doc links with “hhhhhhhhhhhhhhhh@mailinator.com” cc'ed. If you see this, or any other strange email addresses, don't open the Google Drive link, and delete it immediately.

Now, if you did end up opening the file, here’s what you do next: Change your password immediately. By opening that file, you sent data to the person who hacked that Google Doc, giving them full access to your account. It may also be safe to go through this Gmail account recovery security checklist. You can also report the attack to Google. Once you have gone through these tasks, your account will be secure.

So how exactly does this work? According to Gizmodo, by clicking the link to the document, your credentials will be sent to a PHP script on a compromised server. They do this by creating a folder in a Google account, marking it as public, and sending it out. So while there is a document created, the actual link to the document is what will steal your information.