Hackers and other “phishy” characters are getting smarter. Their latest trick is an innocuous-looking email in your Gmail inbox that appears to come from someone in your contact list and looks like an invitation to view a Google Docs file. You click it. What happens next? You end up handing the hacker access to your Google account, and with it to the credit cards and banking accounts linked to that account.
The email looks quite genuine and appears to have come from someone in your contact list (or someone in a friend’s contact list). The only giveaway is that it is addressed to "hhhhhhhhhhh" (or something along these lines) in the address field, but the problem is that many people hardly look at the address field.
The email invites you to click a button to access Google Docs. When you click that button, it asks which of your Google accounts (if you have multiple accounts) you would like to use to view the document. Once you pick an account, it asks for permission to manage your contacts and email.
Who reads permissions, right? Big mistake. Once you grant it permission, it takes over your Gmail account and can access all the accounts linked to it. That means that if you’ve got your credit cards and banking accounts linked to the Google account, the hackers can easily get access to them.
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail. — Gmail (@gmail) May 3, 2017
How to avoid being phished? Just don’t click any Google Docs link that you didn’t expect and that comes from a contact you are not sure about. Also, even if you have clicked the link, please DO READ the permissions it is asking for. Never grant permissions to documents (or apps) you are not sure of.
Earlier, hacking involved getting you to download a malicious file, which would then install snooping software on your phone or laptop. But this new phishing scam takes it to a whole new level by seeming genuine.
What to do if you are already a victim? The only thing you can do is go to your Google Security Settings and remove permissions for all linked apps. Then change your account password to try and stay secure. And hope for the best.
As a general rule, always check what permissions apps are asking for. Take time to read the fine print and you won’t regret it.
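For anyone reviewing the linked apps on an account, or on many accounts as an administrator, the check described above can be scripted. The following is an added example, not part of the original article: it flags app grants that can manage mail or contacts, and grants whose name imitates a Google product. The record layout, the first-party allowlist and all sample values are constructed assumptions; the scope URLs are real Google OAuth scopes.

```python
# Added example: triage third-party app grants on a Google account.
# Record fields (display_name, client_id, scopes) are a hypothetical layout.

MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}
BRAND_WORDS = ("google", "gmail")


def assess(grant, first_party_ids=frozenset()):
    """Return the reasons a grant deserves review (empty list = nothing flagged)."""
    reasons = []
    scopes = set(grant["scopes"])
    if scopes & MAIL_SCOPES:
        reasons.append("can read or manage mail")
    if scopes & CONTACT_SCOPES:
        reasons.append("can read or manage contacts")
    name = grant["display_name"].lower()
    # A display name is chosen by the app's developer, so it proves nothing.
    if any(w in name for w in BRAND_WORDS) and grant["client_id"] not in first_party_ids:
        reasons.append("name imitates a Google product; client not on first-party list")
    return reasons


def triage(grants, first_party_ids=frozenset()):
    """Return (display_name, reasons) for flagged grants, most reasons first."""
    flagged = [(g["display_name"], assess(g, first_party_ids)) for g in grants]
    flagged = [item for item in flagged if item[1]]
    return sorted(flagged, key=lambda item: -len(item[1]))


SAMPLE_GRANTS = [  # constructed sample data
    {"display_name": "Google Docs", "client_id": "constructed-client-1.example",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"display_name": "Calendar Helper", "client_id": "constructed-client-2.example",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"display_name": "Mail Merge Tool", "client_id": "constructed-client-3.example",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]

if __name__ == "__main__":
    for app, why in triage(SAMPLE_GRANTS):
        print(f"REVIEW {app}: " + "; ".join(why))
```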