Google Docs phishing scam affects 1 million people

Last week, a phishing scam that imitated Google Docs briefly thrived, affecting around a million Gmail users in a few hours.

The source of the attack was an app that, although unaffiliated with Google, called itself ‘Google Docs’. The cyber criminals behind it sent emails to people telling them that one of their contacts had shared a file with them on Google Docs.

If users followed the link, they were sent to OAuth’s authentication interface – which is exactly what you’d expect if you received a genuine email from Google. OAuth is a standard that allows Internet accounts at services such as Google, Twitter and Facebook to connect with third-party apps.

However, a closer look at the authentication page reveals the attack’s purpose. It asked to users for permission to “Read, send, delete, and manage” users’ Gmail accounts, and manage their contacts. Doing so would grant the criminals complete access to everything in the user’s account.

Google was made aware of the scam after the emails had been circulating for around three hours, and addressed the issue within an hour.

Attack spread rapidly

According to Google, 0.1% of Gmail users’ accounts were compromised before the spam campaign was shut down. This represents around 1 million people, based on Google’s 2016 earnings call, which announced that Gmail had more than 1 billion active users.

The scam meant the criminals could potentially access victims’ email archives and online documents – although Google denied any such information was exposed. However, the criminals were able to access the email addresses of anyone the user had corresponded with, and they used that information to spread the campaign rapidly.


The attack appears to have been possible because the ‘Google Docs’ app abused the OAuth protocol. OAuth doesn’t transfer any password information, instead using special access tokens. However, by agreeing to the permissions request, the user bypasses login requests and creates an OAuth connection.

Once users were on the OAuth interface, they would have only been able to know this was a scam by investigating the source of the app’s author, the so-called ‘Google Docs’. Clicking on the drop-down menu revealed that ‘Google Docs’ is, in fact, a random Gmail account, and granting the permissions would send users to a phony website.

Protecting against phishing attacks

Google advised concerned users to check their account settings for any third-party apps that may appear suspicious. They can also perform a Google security check-up.

It’s also generally advisable to take care when receiving emails that redirect you to another destination. Many phishing scams and malware infections begin with links or attachments sent by email.

If you’re an employer concerned about your workforce’s ability to recognise and respond to phishing emails, you should consider enrolling them on our Phishing Staff Awareness Course. The more that staff know about cyber security risks, the less likely it is that they’ll expose themselves and their company to a potential breach.

Additionally, many security regulations and frameworks, such as the PCI DSS and ISO 27001, require staff to be aware of corporate compliance requirements.

Find out more about our Phishing Staff Awareness course >>