A phishing email and a website masquerading as a legitimate Google service targeted thousands of people Wednesday, hoping they would supply personal information and spread the scam to others.
The scheme appears to take advantage of technology that the search engine giant makes available to any website, which lets people log in to those sites with their Google username and password. Such websites can then get access to information people store with Google, including their contacts.
In Wednesday’s scam, a sham website was labeled “Google Docs,” confusing people who believed they were on the real document-writing and -sharing platform. Instead, the fake Google Docs uses the newly gained list of contacts to send spam.
We are investigating a phishing email that appears as Google Docs. We encourage you to not click through, & report as phishing within Gmail. — Gmail (@gmail), May 3, 2017
Recipients may think a contact is sharing a Google-stored document. But clicking the link opens up the fake Google Docs website, further spreading the ploy. One way to know whether you have received a fraudulent Google Docs link: the “to” field in the phishing email shows the address firstname.lastname@example.org.
It’s unclear whether the scam is harvesting any information from duped consumers or why Google approved a business bearing its name to use the technology.
Google responded only with a statement that said: “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”
People caught in the scheme can remove the scammers’ access to their Google accounts in their account settings.
2:35 p.m.: This article was updated to include a statement from Google.
This article was originally published at 1:50 p.m.