Everything You Need to Know About the Google Docs Phishing Scam

James Frew 14-05-2017

Google Docs has eaten away at Microsoft Office’s share of the productivity market over the past few years. Arguably better collaboration tools and a simple, cloud-based interface have made it a lot of people’s go-to word processor.


Sadly though, we keep getting shown that nothing on the internet is safe. Case in point: the Spring 2017 phishing attempt that spoofed Google Docs and abused Google’s OAuth system. How did the attackers compromise Google accounts? What data was lost? How would you know? Let’s take a look at what we know and how you can protect yourself.

The Attack

Over the past few days a lot of people began receiving emails that invited them to view a Google Doc. The email was very similar visually to a real Google Docs request, as well as a legitimate sounding subject line of “[Your Contact] has shared a document on Google Docs with you” — however, it did have a tell: the recipient was with your address only listed in the BCC field.

Not all email clients show the full email address by default and so many people had no reason to be suspicious and clicked on the request link. The link took you to a legitimate Google landing page for OAuth access. If you have multiple accounts signed in, it would ask you which account you wanted to use. Choose one, and you were presented with an authorization page with “Google Docs” asking for permission to access your account.

Although the Google Docs app used the Google Drive logo there was another sign that it was fake. Clicking on the app name reveals the developer details and rather than showing Google it was listed with a website of


Despite being able to spoof the Google Docs name, the real Docs does not require access to your account. Any such authorization attempts are fake and likely to be malicious. After being granted access to your account and contacts, the fake Google Docs app would proceed to send the phishing email to all of your contacts.

Since the attacker also requested access to “read, send, and manage” your email they may have also collected data from your emails. According to a statement from Google though, they believe only contact data was accessed.

The Fallout

While there was a lot of activity on social media of people reporting the phishing attempt, many were first alerted to the attack via a Reddit thread. It’s unclear if Google knew about the threat before, but it seems as though the first time it was addressed was when a Googler appeared in the thread and pushed it for escalation. The “Google Docs” developer was blocked from OAuth within half an hour of escalation which prevented the phishing attack.


According to a statement Google estimated that only 0.1 percent of Gmail users were affected by this attack. While that sounds small Gmail is estimated to have over a billion users, so this phishing attack may have affected over one million users. If the app was granted access to your Google account then it still has that access so you should head to your Google Account settings and remove any app named Google Docs.

The sites associated with the fake Google Docs app were mostly hosted on CloudFlare. Luckily the hosting company also acted quickly on this information, reportedly blocking all associated domains within ten minutes. However, any data harvested by the app may already be in the hands of the attacker.

The Solution

To remove the fake Google Docs app from access your Google account head over to your Permissions settings now and click Remove. While you are there it may be worth checking over all other apps that have access to your account and remove any unused or suspicious ones.


Google has also recommended performing a Security Checkup if you think you may have been affected by the attack. Even if you haven’t been, performing regular checkups is a good idea all the same.

Although there may be solutions that the tech companies can implement they often take a “whack-a-mole” approach and targeting each attack as it comes. There will always be people trying to convince you to divulge personal information — in the physical world they would be referred to as con men or scam artists.

The best defense you have is to know the signs of a phishing attempt. If either the recipient or sender email is an unusual, junk-sounding email address then you should proceed with caution. If you receive what you believe to be a phishing email then you should report it to Google.


oauth developer info

The OAuth page was problematic as it was a legitimate site, asking you to authorize a malicious app’s access to your account. There may be steps Google and others could take to prevent malicious apps from using spoof names, but in the meantime you can check the developer info on any of Google’s OAuth pages by clicking on the app name which should reveal more about its motives.

Protect Yourself

In what seems like incredibly serendipitous timing, the Gmail Android app was updated the same day as the Google Docs attack. The update alerts users when they click on a link to a suspected phishing email. It still wouldn’t have mitigated the Docs attack as it directed you straight to a legitimate Google authorization page.

A Trend Micro report highlighted this kind of attack only a few weeks before the Google Docs iteration. In their case it was an app called Google Defender, but the attack method was almost identical and linked to a group called Pawn Storm. Although Google has taken steps to prevent the Google Docs attack, there may well be similar attacks in the future.

Reading up on the ways to spot a phishing email How to Spot a Phishing Email Catching a phishing email is tough! Scammers pose as PayPal or Amazon, trying to steal your password and credit card information, are their deception is almost perfect. We show you how to spot the fraud. Read More is a great place to start though. Although it didn’t prevent the Google Docs attack, Gmail can actually help you identify phishing emails How to Avoid Phishing Emails in Gmail With One Trick There's a neat trick that Gmail users can use to avoid all kinds of phishing emails. Here's how you can take advantage of it now. Read More too. Protecting yourself from the latest attack can seem like a never ending job but it is definitely worth the effort to fight the security fatigue 3 Ways to Beat Security Fatigue and Stay Safe Online Security fatigue -- a weariness to deal with online security -- is real, and it's making many people less secure. Here are three things you can do to beat security fatigue and keep yourself safe. Read More .

Were you hit by the Google Docs phishing attack? Or did you get an email from someone who was? Would it stop you using Google Docs in the future? Let us know your thoughts in the comments below.

Image Credit: wk1003mike via

Related topics: Google Docs, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Galit Zamler
    August 7, 2017 at 8:50 am

    I may be biased, but the Chrome extension Scam Block Plus can also help detecting such phishing scams.

    • James Frew
      August 7, 2017 at 8:58 am

      Just to clarify for other readers - I see that you are the maker of Scam Block Plus - a Chrome extension that will open links you click on in a "shielded tab" if the URL isn't on a global white list.

      I have to admit to not having heard of your product before, but would like some clarification on the mechanisms behind it. I'm also curious about data collection - your privacy policy states that you do not collect any user data at all. I assume this means that there are no analytics being performed and that the whitelist is downloaded locally and all links are parsed only within the user's browser?

      • Galit Zamler
        August 7, 2017 at 11:24 am

        As we state in our website, ScamBlockPlus collects absolutely nothing about our users not even their IP adresses . The global trust-list is periodicaly downloaded from our servers and stored in the browser cache. This is necessary because whenever a webpage or an iframe is loaded the extension must decide wethere the displayed domain is trusted or not before any JS code in the page is executed and this must happen without delaying the page load. Thus the decision must be made locally.
        You have't heard about our product because it is new.
        It is the only tool that actually block phishing.
        It is free for personal usage (not for business employees).

        • James Frew
          August 7, 2017 at 12:16 pm

          Thanks for the extra information!