A number of users today have received a phishing email claiming to be an invite for Google Docs. This scam is particularly nefarious as it comes from a known contact who’s had their account hijacked, with the app attempting to send more phishing emails using your account.
The phishing email is modeled after the actual Docs “Invite to request” message, but is slightly different. Tapping the “Open in Docs” link takes users to the official Google dialog box for granting third-party apps access to your account.
This app is deceptively named “Google Docs,” though tapping the drop-down for more info reveals a random Gmail address. The app asks for permission to “Read, send, delete, and manage your email” and “Manage your contacts.”
Granting it access results in the app sending more phishing emails to your contacts.
For those who have already granted the app access, quickly head to Google’s apps permission page, find the one named “Google Docs,” and press Remove. The fact that third-party apps are allowed to use “Google” in their name seems like a major flaw on Google’s part.
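The two warning signs the article describes (a third-party app borrowing the “Google Docs” name while its developer contact is an ordinary Gmail address, and that app asking for mail and contacts management) can be turned into a simple triage rule for reviewing connected apps. The following is an added example written for this page, not Google’s code or a Google API: the grant records, field names, scope wording and risk weights are constructed to mirror what the consent screen showed.

```python
# Added example: score third-party OAuth grants for consent-phishing warning signs.
# Records are constructed to match the consent screen described in the article;
# risk weights and the domain/name lists below are assumptions of this example.
from dataclasses import dataclass, field

# Consent-screen wording the fake app requested, mapped to a risk weight.
SENSITIVE_SCOPES = {
    "Read, send, delete, and manage your email": 3,
    "Manage your contacts": 2,
}
# Developer domains that may legitimately present a Google-branded app name.
GOOGLE_OWNED_DOMAINS = {"google.com"}
# Display names that should only ever belong to Google's own services.
IMPERSONATED_NAMES = {"google docs", "google drive", "google", "gmail"}


@dataclass
class AppGrant:
    name: str                       # display name shown on the consent screen
    developer: str                  # address shown under the "more info" drop-down
    scopes: list = field(default_factory=list)


def triage(grant):
    """Return (risk_score, reasons) for a single third-party app grant."""
    score, reasons = 0, []
    domain = grant.developer.rsplit("@", 1)[-1].lower()
    impersonates = grant.name.strip().lower() in IMPERSONATED_NAMES
    if impersonates and domain not in GOOGLE_OWNED_DOMAINS:
        score += 5
        reasons.append(f"name '{grant.name}' impersonates Google, developer is {grant.developer}")
    for scope in grant.scopes:
        weight = SENSITIVE_SCOPES.get(scope, 0)
        if weight:
            score += weight
            reasons.append(f"sensitive scope: {scope}")
    return score, reasons


def find_suspicious(grants, threshold=5):
    """Grants whose score reaches the threshold; name impersonation alone is enough."""
    return [g for g in grants if triage(g)[0] >= threshold]


# Constructed sample grants: the fake "Google Docs" app beside a benign third-party app.
SAMPLE_GRANTS = [
    AppGrant("Google Docs", "random.person@gmail.com", list(SENSITIVE_SCOPES)),
    AppGrant("Calendar Sync Pro", "support@example.com", ["Manage your contacts"]),
]

if __name__ == "__main__":
    for g in find_suspicious(SAMPLE_GRANTS):
        print(g.name, triage(g))
```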
It appears that Gmail’s spam filters are already marking the message as spam, with the official Twitter account advising users to not click on the email.
Update: In a statement, Google notes that it has “disabled offending accounts” and implemented other security measures to protect users.
We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.
Update 2, 7:30 PM: After further investigation, Google has issued another statement with more details. Fewer than a million Gmail users were affected, with the campaign stopped “within approximately one hour.” While the app was able to “Read, send, delete, and manage your email,” it only accessed contact information and “no other data was exposed.”
“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”