Do you share documents online? Have you been fooled by the Google Docs scam?
Google has announced that the Google Docs system has been fooled by scammers, and up to a million users may have exposed their details to hackers.
The scam claimed to come from Google Docs, with the subject line claiming a contact has 'shared a document on Google Docs with you'. It invited people to click a link and follow instructions in order to edit a Google Doc.
Those who clicked the link were taken to a Google-hosted page and asked to allow a service to access their email account data. Anyone who granted permission will have allowed the hackers to potentially access their email account, contacts and online documents. The service then emailed everyone in the victim's contacts list with the same message.
What can you do?
Google said it had caught the attack and put a stop to it within an hour, but anyone who clicked on it during this time may have exposed their details. It said in a statement: "While contact information was accessed and used by the campaign, our investigations show that no other data was exposed."
"We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again."
It added: "There's no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup." This is worth doing if you are concerned you may have been affected.
You can also go to https://myaccount.google.com/permissions and see if "Google Docs" is listed as having access to your Google account. If it's there, it's the fake (the real one won't appear on this list). Select it, and click 'remove'.
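For anyone checking connected apps across several accounts, the same rule can be scripted. The following is an added example, not code from Google or from the original article; the record layout, client IDs, scope list and the set of product names are constructed assumptions.

```python
import unicodedata

# Assumption: names a fake app might borrow. The article itself names only "Google Docs".
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail"}
# Scope fragments for the data the article says was at risk: email, contacts, documents.
SENSITIVE_SCOPE_HINTS = ("mail.google.com", "/auth/gmail", "/auth/contacts", "/auth/drive")

def normalise(name):
    """Fold case, compatibility characters and spacing so lookalike spellings compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def review_grants(grants):
    """Return (display_name, client_id, sensitive_scopes) for third-party grants to remove.

    Rule from the article: a genuine Google product never appears in the list of
    third-party apps, so any entry carrying such a name is treated as fake.
    """
    findings = []
    for grant in grants:
        if normalise(grant["display_name"]) not in FIRST_PARTY_NAMES:
            continue
        exposed = [s for s in grant["scopes"]
                   if any(hint in s for hint in SENSITIVE_SCOPE_HINTS)]
        findings.append((grant["display_name"], grant["client_id"], exposed))
    return findings

# Constructed sample data: third-party app grants as they might be exported for review.
SAMPLE_GRANTS = [
    {"display_name": "Google Docs", "client_id": "EXAMPLE-CLIENT-1",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"display_name": "Example Calendar Sync", "client_id": "EXAMPLE-CLIENT-2",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    # Same name disguised with odd casing and a no-break space.
    {"display_name": "  GOOGLE\u00a0Docs ", "client_id": "EXAMPLE-CLIENT-3",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]

if __name__ == "__main__":
    for name, client_id, exposed in review_grants(SAMPLE_GRANTS):
        print(f"REMOVE {name!r} ({client_id}); data exposed via: {exposed or 'none listed'}")
```

The name match alone is enough to flag an entry; the scope list only shows what the app could reach while access was granted.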
Why this is a worry
Security experts say this represents a sophisticated development of the phishing scam, because instead of getting people to hand over their personal details, the scammers built an app that used Google's processes to enable them to access the data.
Raj Samani, Chief Scientist at McAfee, added: "Phishing attacks remain the most common method of manipulating individuals into clicking on links and ultimately installing malicious content onto their systems. Taking advantage of trusted, well-known brands attempts to leverage the use of authority, resulting in the incoming messages to appear trusted to the consumer."
He said that the best way to protect ourselves is to be aware of the emails we are expecting, and be wary of anything unexpected - even if it comes from a trusted sender. He said: "Think twice before acting; go straight to the source through a different communication channel if you receive a link you were not expecting. Also, hover over links to see if it is a reliable URL. Or search online for other instances of this campaign, and what those instances could tell you about the email's legitimacy."