What happened?

On May 3, 2017, Google confirmed that a crafty phishing email disguised as a Google Doc invite was actively targeting Gmail users.

Experts noted that the sophisticated nature of this phishing campaign is what made it so hard to detect. The scam affected 1 million accounts before Google was able to address the threat.

If you were a victim of this phishing scam and think your account may have been affected, follow these tips to protect your account:

  • Revoke the attacker’s access in your Google Permissions settings. Only the malicious Google Docs app will appear in this section – deleting it will not impact your legitimate Google Doc services.
  • Change your password. This can prevent hackers from accessing your account again in the future.
  • Turn on two-step verification. Enabling this feature adds an extra layer of protection to your account by requiring more than one form of verification to access your account.
  • Run a Google Security Checkup. Google’s security feature will verify that your account is only accessible to you.

Phishy Business

This fake Google Doc was different from other phishing emails because the hackers used a legitimate Google permissions feature (the one that lets a third-party app request access to your account) to get into accounts. Affected users received an email inviting them to view a fake Google Doc. If the link was clicked, victims were redirected to a real Google page that asked them to grant account access to the fake app.

Unlike traditional phishing tactics that focus on stealing passwords, this scheme gave hackers direct access to victims’ accounts without their first having to obtain user logins. Because the hackers took advantage of Google’s legitimate security mechanisms and real Google pages, the scam was nearly impossible to detect.

The phishing ploy gave hackers full access to victims’ email accounts – including email history and contact lists. Hackers quickly triggered password reset requests on other sites, like online banking, social media and online shopping websites, that had accounts associated with the compromised Gmail addresses.

Phish Meets Worm

Another component of the Google Doc phishing email was that it appeared to come from someone in the victim’s contacts. However, a closer look reveals that while the sender name appeared to be a known contact, the email address read “hhhhhhhhhhhhhhhh@mailinator[.]com.”

The fake app was a malicious program known as a worm, which was programmed to replicate itself and continue the attack through each victim’s contact list. Once inside an account, the worm quickly sent fake Google Doc emails to everyone in the victim’s contacts, extending the reach of the malicious email to more Gmail accounts.

Google resolves threat

Google stated that it had resolved the issue and that no other Gmail users were at risk. However, it’s an important reminder to double check that the sender name and associated email address match. Furthermore, never click on links or interact with suspicious emails — it’s best to delete them immediately.
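The sender check described in the two sections above (a familiar display name paired with an address that is not the contact’s) can be automated. The following is an added example, not code from Google or from this site; the contact list is constructed for illustration, and the sample headers reuse the mailinator address quoted above.

```python
from email.utils import parseaddr

# Constructed sample address book: display name -> the address we know for it.
KNOWN_CONTACTS = {
    "Alice Example": "alice@example.com",
    "Bob Example": "bob@example.com",
}


def _normalize_name(name):
    # Collapse case and whitespace so "alice  example" matches "Alice Example".
    return " ".join(name.split()).lower()


def check_sender(from_header, contacts=KNOWN_CONTACTS):
    """Classify a From: header against a known contact list.

    Returns (verdict, reason) where verdict is one of:
      "ok"         - display name is a known contact and the address matches
      "suspicious" - display name is a known contact but the address differs,
                     or the header carries no usable address
      "unknown"    - display name is not in the contact list
    """
    name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if not addr or "@" not in addr:
        return ("suspicious", "no usable sender address in header")

    # Build a case-insensitive lookup of contact names -> expected addresses.
    lookup = {_normalize_name(n): a.lower() for n, a in contacts.items()}
    expected = lookup.get(_normalize_name(name))
    if expected is None:
        return ("unknown", "display name %r is not a known contact" % name)
    if expected == addr:
        return ("ok", "address matches the known contact")
    return (
        "suspicious",
        "display name %r is a known contact but address %s differs from %s"
        % (name, addr, expected),
    )


if __name__ == "__main__":
    # Constructed sample headers, including the pattern reported in this scam.
    samples = [
        '"Alice Example" <hhhhhhhhhhhhhhhh@mailinator.com>',
        '"Alice Example" <alice@example.com>',
        "Unknown Person <someone@example.org>",
    ]
    for header in samples:
        print(header, "->", check_sender(header))
```

In practice this runs over the parsed `From:` header of each incoming message; a "suspicious" verdict is the cue to treat the invite as phishing rather than open it.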

Keep following Fighting Identity Crimes to stay up-to-date on the latest breach and scam news, as well as relevant tips from our industry experts to help continue protecting your identity.