Everything You Need to Know About the Google Docs Email Phishing Scam

An alarming phishing scam began spreading around the internet Wednesday in an attempt to access Google accounts through an email embedded with a fake Google Docs file. This scam is more convincing than most — the email takes users who click on the file to a legitimate Google sign-in screen to grant permissions, so it’s no surprise to see widespread reports of the hacking across social media platforms like Twitter.

If you received the email or are concerned you might be targeted next, here’s what you need to know:

Who was affected by the Google Docs scam?

The phishing appears to have been aimed at journalists at first. News began making its rounds across Twitter after Joe Bernstein, a reporter at BuzzFeed, tweeted the following:

Because the scam appears to target everyone in the victim’s address book, it didn’t take long before more reports from people outside of the media world began to flood in.

What happens if you open the Google phishing link?

You don’t want to find out by clicking yourself. But Zach Latta, a San Francisco-based hacker, tweeted a GIF that showcases the entire process.

As the clip shows, clicking on the file actually brings you to a real Google sign-in page, where it asks users to choose an account to continue. If you grant permissions to the link, the email spams every person in your contacts, and the cycle continues from there. We don’t know exactly what happens after that, but it’s definitely concerning that hackers have access to all of this contact information.

The Google Docs email came from a ‘Mailinator’ address. What’s that?

Mailinator is a type of disposable email address service that lets users access emails on the Mailinator site without having to sign up for an account.

“Any email name you can think of already exists @mailinator.com and you can use any of them,” the official Mailinator site reads. “Want BrianTheSkink@mailinator.com? You got it. Want PrettyMothra? ScaryGavyn? No problem. Those and any other mailboxes you think of @mailinator.com are created when email arrives.”

One of the main advantages of using this service is that there is no connection to your real email address, making it difficult to track any emails sent from a Mailinator address back to you.

What should I do if I opened the Google Docs phishing email?

As with any hacking case, you’ll want to immediately change your passwords to secure any sensitive personal information. Google is working to restore order, according to a statement it released in a series of tweets:

TIME will update this story if new information comes to light.

