Gmail Users Are Being Hit With a Convincing, Fast-Spreading Phishing Scam

A convincing phishing scam hit inboxes across Gmail on Wednesday. The email appears to come from someone you know with the subject line "[Contact's Name] has shared a document on Google Docs with you."

If you click the link in the email, it will prompt you to give your password to a third-party application called, convincingly, Google Docs. That's not the actual Google Docs, and maybe Google should have some method of stopping third parties from taking up its name.

Gmail screenshot | Dustin Nelson

If you give the fake Google Docs access to your account, it can read and send emails as you, as well as manage your contacts. The application will immediately email everyone you've ever emailed with the same spam message, according to multiple sources who have tested the scam.

One of the big giveaways that the email isn't from who you think it is -- even though the sender will have the address of someone in your contact book -- is that the email will be addressed to the fishy address hhhhhhhhhhhhhhhh@mailinator.com. Your address is hidden in the BCC field. Though it wasn't the case earlier in the day, the emails are now also prompting a spam warning from Gmail (as seen above).
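For anyone triaging a mailbox export, the three giveaways described above (the subject line, the mailinator.com address in the To field, and delivery by BCC) can be checked from the message headers. This is an added example, not code from the article or from Google; the function names, the sample messages and the two-of-three threshold are assumptions, and matching the whole mailinator.com domain rather than the one address is a generalization.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Subject wording quoted in the article; the contact's name precedes it.
SUBJECT_RE = re.compile(r"has shared a document on Google Docs with you", re.I)
DECOY_DOMAIN = "mailinator.com"  # domain of the To address named in the article

def lure_indicators(raw_message, mailbox_owner):
    """Return which of the article's giveaways a raw message matches."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    # Addresses the recipient can actually see (To and Cc).
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = [addr.lower() for _, addr in getaddresses(headers)]
    if any(a.endswith("@" + DECOY_DOMAIN) for a in visible):
        hits.append("decoy-to")
    # The owner received it but is not listed: delivered via BCC.
    if mailbox_owner.lower() not in visible:
        hits.append("bcc-delivery")
    return hits

def is_likely_lure(raw_message, mailbox_owner):
    # Assumed threshold: BCC alone is normal for newsletters, so require two hits.
    return len(lure_indicators(raw_message, mailbox_owner)) >= 2

# Constructed sample messages (not real mail).
SAMPLE_LURE = (
    "From: Alice Example <alice@example.com>\n"
    "To: hhhhhhhhhhhhhhhh@mailinator.com\n"
    "Subject: Alice Example has shared a document on Google Docs with you\n"
    "\nOpen in Docs\n"
)
SAMPLE_NEWSLETTER = (
    "From: News <news@example.net>\n"
    "To: list@example.net\n"
    "Subject: Weekly digest\n"
    "\nThis week's stories.\n"
)
SAMPLE_DIRECT = (
    "From: Bob Example <bob@example.com>\n"
    "To: me@example.org\n"
    "Subject: Lunch on Friday?\n"
    "\nSee you then.\n"
)

if __name__ == "__main__":
    for name in ("SAMPLE_LURE", "SAMPLE_NEWSLETTER", "SAMPLE_DIRECT"):
        print(name, lure_indicators(globals()[name], "me@example.org"))
```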

Google Permission Screengrab | Dustin Nelson

If you have granted access to the app and are looking to stem the tide of potential "bad things," head to your Google Permissions page (that's real, not spam). On that page, you'll see a list of third-party applications you have granted permission to access your Google account. Find the application named "Google Docs." (Again, it's not the real Google Docs, which would not need third-party access.) Select "Google Docs" and when the application expands you can click "Remove."

If you haven't received the email, be wary of anything coming through that looks like this. And always be skeptical when granting access to your account to a third-party app.

Since the attack started around 11:30 am ET, Google has taken steps to stop the attack. Google said in a statement that they've pushed an update to Safe Browsing and disabled the account the attacks stemmed from. 

Dustin Nelson is a News Writer with Thrillist. He's not a fan of any fishing that starts with a "ph." Follow him @dlukenelson.