It goes without saying, but we’ll say it again: If a link looks fishy, don’t click. This is something everyone from teenagers to political campaign staffers should know by now, but the latest phishing scam indicates we all still have a lot to learn.
The attack is pretty simple. You’re sent a “Google Doc” from a contact to edit, and it takes you to what looks like your Google login screen. It, of course, is not, and once you fork over your name and password, off the scam heads to your contact list to repeat itself. It is fairly sophisticated, in that you have to dig to uncover that it’s a fake login, and it’s not really clear, just yet, what the goal is for this thing. Most likely, hackers are looking for passwords to try elsewhere, like your bank accounts, so if you use the same password in other places, you should go change it right now.
If you’ve already fallen for it, the good news is you can fix the damage. Go to the Connected Apps and Sites page for your account, find the scam, which is calling itself “Google Docs,” and revoke its permissions by clicking “Remove.” If you’ve got sensitive data saved under your account, like credit cards, you should alert your bank, and of course alert your friends that it’s a scam. And, as always, the best defense is skepticism. If an email seems remotely fishy, follow up with your contact. It won’t kill them to resend the link if it’s legit.
(via The Verge)