Disclaimer: This news item was originally posted on Wednesday, May 3, 2017. Its content may no longer be timely or accurate.

ITS Alert: Phishing attempt spoofs Google Docs 05.03.17 - UPDATED 05.04.17

Posted: 15:10:28, Wednesday, May 3, 2017   Expiration: 15:10:28, Wednesday, May 10, 2017  

The ITS Help Desk has received numerous reports of a phishing message claiming someone has shared a Google Doc with you. You are then instructed to "Open in Docs", which takes you to a Google Docs page that may display your own Google accounts.

UPDATE 05.04.17

Google reports that it has fixed the problem and continues to monitor the extent of the hack. Message details are listed below in the original post.

What should I do if I still have the email?

If you find this email in your Inbox, please delete it.

What if I clicked the link and logged in?

If you believe you may have compromised your Gmail account, follow these steps to remove the fake app's permissions:
  • Go to Google's account management page
  • Sign-in and Security
  • Connected Apps
  • Click "Manage Apps" to see a full list of apps and permissions
  • Find "Google Docs". If it is not there, you are probably safe. If you see it, remove the permissions. NOTE: While you're in there, you may also want to take the opportunity to review permissions to other apps connected with your account and clean house!

At this time, it does not appear as though the attack captured login credentials; however, changing your password never hurts. Remember, using a completely different password for each of your accounts reduces your risk in the event one of the accounts is breached.

In addition, Google has posted a link to a general Security Checkup within Gmail accounts. You may want to take a moment to check it out.


Subject: [name varies] has shared a document on Google Docs with you.

This attack appears to have come through the public school system. So far, the sender displays as various gmail.com or .edu accounts; there could be others. Messages are not addressed to you.
  • If you receive such an email from any sender, please DELETE immediately.
  • If you believe the email may be legitimate (i.e. you are expecting a document), please CONTACT the person via phone or new email to verify BEFORE opening the message - or ask them to resend the share request.
  • If you clicked on the "Open in Docs" link and logged into any of your Gmail accounts, CHANGE YOUR GMAIL PASSWORD(S) AND YOUR UWPLATT PASSWORD IMMEDIATELY and contact the ITS Help Desk.

How can I tell if a message is not legit?

We've mocked up real-life examples in the ITS Knowledge Base, including today's attempt.

If you have questions regarding this phishing attempt, please contact the ITS Help Desk at 608.342.1400 or helpdesk@uwplatt.edu.

-- UW Platteville: Deb Meyer

Created: 10:13:01, Wednesday, May 3, 2017 (by Deb M.)
Updated: 08:45:33, Thursday, May 4, 2017 (by Deb M.)