What You Need to Know About the Recent Google Docs Phishing Scam

The Ultimate Guide to Google Drive Security for Admins

The Ultimate to Google Drive

Did you receive a strange Google Doc share recently in your inbox? We did.

Phishing scams are getting more sophisticated on a daily basis, thus making them harder to detect and avoid. With the abundance of file sync and share platforms, scammers are impersonating these services and sharing fake documents or folders in an attempt to infect your computer.

If you aren’t well-versed in the latest phishing scams, here are some important tips for you.

First of all, if you receive an email that looks like it may be phishing, check the dropdown arrow under the sender’s name to see additional details. You will see a section labeled “signed-by.” This field can help determine if an email was shared securely from a service.

The goal is to determine if the signed-by field was generated by a DomainKeys Identified Mail (DKIM) or a service. A DKIM attaches a domain identifier to the signature to display an email generated by a user in the domain. For example, if you received an email from name@backupify.com, you would see a DKIM in the signature that looks like this: backupify-com.20150623.gappssmtp.com. This is how all emails through a domain are processed.

Emails shared through a service (e.g., Drive, Calendar, Dropbox, Box, etc.) do not have a DKIM. Instead, you would see the signature of the provided service. If something is shared through Dropbox, for example, you would see: signed-by dropbox.com.

Below is an example of a secure file that was shared through Google Docs:

Note the “mailed-by” section is signed by a service.

Now let’s look at the phishing email that was sent out to millions of inboxes last week:

Aside from the giant red banner warning, you can tell this is risky because:

  1. It was a shared file that was BCC’d and not shared privately from the service.
  2. Note the suspicious “to” address: hhhhhhhhhhhhhhhh@mailinator.com
  3. The email has a very generic subject.
  4. The signed-by field is sent from an email and not the service (a service would be: bounces.google.com or something.dropbox.com). The mailed-by field should also list the service it is being sent from.

If you receive a file and it is not signed by google.com, gmail.com, dropbox.com, it is likely phishing, so DO NOT OPEN IT. Much like dealing with ransomware, it’s important to remain vigilant and operate with caution in these circumstances.

To learn more about the ransomware epidemic and how you can avoid it, head over to Backupify’s resource section and check out our Ransomware and G Suite eBook. It explains which devices are affected by ransomware, why you may want to block email attachments, how to choose different settings for different users, and more.

Get the best tips and tricks in your inbox daily