LOS ANGELES— Quick warning: if there's an e-mail in your inbox asking you to open a Google Docs from someone, and you don't know who it is, don't open it.
It's probably a phishing email disguised as a contact attempting to share a file from Google Docs, says Google.
The email appears to come from someone inviting the user to share a document. The sophisticated email looks very similar to one sent by Google, but appears to come from an individual Gmail account. Look closely and you'll see the difference between bogus and fake.
Google released a statement Wednesday, saying it had taken action to protect users against the impersonating email, and have disabled offending accounts. "We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."
The bogus e-mail sent to this reporter, recovered from the email trash folder, had been updated with a warning message from Google: "Be careful with this message. Similar messages were used to steal people's personal information. Unless you trust the sender, don't click links or reply with personal information."
When users click on the file, the fake Google Docs will seek permission to access your account. Users who click on the link and follow through with the process should go to Google's account permissions to deny access.
Fatemeh Khatibloo, an analyst with Forrester Research, says she hasn't seen such a widespread example of a Google Docs scam like this before, because Google has the resources to shut it down really fast. "Email service providers can't move as swiftly, plus the phishing isn't happening entirely in their ecosystem, which is why email phishing is so much more prevalent."
Phishing is a common tactic used to gain access to a user's login credentials. In most cases, users are asked to click on a link, then provide account details to access the information provided. However, the process provides the user's credentials to the attacker, allowing them access to email accounts, social networks like Facebook or other platforms.
Best practices: if you receive an e-mail of this type and don't know the sender, don't open it, period.
"Always be skeptical," says Khatibloo. "If you're not expecting a document from someone, or get a strange email from them, drop them a text message or start a new email chain to them. Don't grant access to your accounts without checking to make sure the app was made by the company it says it was. And make sure you're running good malware protection on your devices — it wouldn't have stopped the phishing scam in this case, but it's a good line of defense to have on your side."
© 2017 USATODAY.COM