Why the Google Docs Email Scam Was Such a Sophisticated Phishing Attack

google docs phishing scam response
A man checks his mobile phone next to an illuminated panel at Google stand during the Mobile World Congress in Barcelona, Spain, March 1. Google shut down a sophisticated email scam on Wednesday. REUTERS/Paul Hanna/File Photo

Updated | Google has shut down a sophisticated email scam that involved a deceptive invitation to view an online document, but only after it reached more than one million people’s inboxes.

The phishing attack first appeared on Wednesday and Google claimed it was able to shut it down “within approximately one hour.” Google said the attack only accessed contact information.

The scam was notable for its sophistication, appearing in Google’s own system, rather than in a fake website. It impersonated Google Docs—a cloud-based platform for sharing and editing documents—by telling a user that a contact had shared an online document with them via email. By clicking on the “Open in Docs” button, in the email, users were directed to a page hosted by Google within its “Drive” system, requesting login information. This allowed hackers to potentially access the user’s account.

“We have taken action to protect users against an email impersonating Google Docs and have disabled offending accounts,” Google said in a statement. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”

Cybersecurity experts tell Newsweek that the scam was unusual for a phishing attack, which usually only involve a malicious link within an email.

"Someone created a malicious app in the system by the name of Google Docs,” says Travis Smith, a senior security researcher at security firm Tripwire. “While it had an official sounding name, it was far from it.”

Most phishing attacks take a user directly to a fake domain, which is more easy to spot. “Since the awareness of phishing campaigns has been rising over the years, criminals have to increase their tactics to levels such as spoofing official apps such as Google Docs,” says Smith.

“Not only does this have a casual appearance of being legitimate, by being part of the official marketplace the link in the email went back directly to legitimate Google servers,” he adds. It was particularly notable he says because it passed two of the common techniques most internet users use when deciding whether or not to click a link—does it come from someone you trust? And does the link go to a trusted source?

Correction: Due to an error in the press release, this article originally attributed quotes to Tyler Reguly, a manager at Tripwire, rather than Travis Smith, a senior security researcher at the company.