Internet users in Minnesota, across the country and possibly internationally were warned Wednesday about a Google Docs scam that was flourishing thanks to a simple click of a computer mouse or touch pad.
The scam came in the form of an e-mail message with the subject line saying someone — known or unknown — “has shared a document on Google Docs with you.” It invited the user to log onto their Google accounts to join the shared document.
By clicking on the link in the e-mail, users granted a third party — the scammer — access to their account data. Then, with access to the user’s contacts, the scammer invited everyone in their address book to do the same, multiplying the damage exponentially.
By late Wednesday, Google said the issue had been resolved.
What made the attack so tricky to detect was that it took advantage of Google’s legitimate tool for sharing data with responsible third-party apps. Since the bogus invitation was routed through Google’s real system, nothing was misspelled, the icons looked accurate, and it was hard to know something had gone wrong until it was too late.
Businesses, schools and organizations throughout Minnesota sent legitimate e-mails to their employees, customers and clients to warn them of the scam. Most said to delete the e-mail without clicking on the link. Some even warned users to hold off on any Google Docs usage for now.
The Bloomington public schools was just one of the institutions that sent warnings:
“Please be aware of a Google issue currently affecting all users of Gmail and Google Drive: Our staff and students are receiving e-mails entitled “[Name] has shared a document on Google Docs with you,” the note said.
“We believe this is a larger compromise of the Google API (technology that interconnects Google services) ... Google reports investigating an internal Google Drive issue that we think is associated. More information will be shared as we receive it.”
Students at New York University and even workers at the U.S. Agency for International Development received warnings from internet technicians not to open the e-mails.
Similar assaults using Google Docs as the lure have popped up several times before, dating back to 2013.