Google Docs users noticed a nasty new phishing email from Mailinator on Wednesday.
A sinister email is making the rounds in which the sender—someone you know, in some cases—invites you to click on a Google Docs link. People who click on the link can get pulled into a world of trouble, so, do not click the link. Just delete the email.
The nasty new email, which appears aimed at journalists, began to surface on Wednesday. Several colleagues at Fortune sent me the emails they received. Here’s a screenshot of what it looks like in your Gmail inbox (I blacked out the sender names) :
The email, of course, isn’t actually from who it says it’s from, but is instead a phishing email intended to trick you into clicking a link. What happens next? You don’t want to try and find out yourself, but a hacker named Zach Latta has helpfully posted a GIF to Twitter that shows what happens if you hit „Open in Docs.“
As Latta’s demo shows, the whole thing is a ruse that will give the keys to your entire Gmail account to whoever is running the phishing campaign. As a certain President might say, „Bad!“ If you want to imagine the worst case scenario, just recall Democratic National Committee head John Podesta, whose had his entire email correspondence leaked after he fell for a similar Gmail phishing scam.
Fortune has contacted Google to ask about the nature of the scam, and who may be behind it. The company has yet to reply, and has only posted this (not very helpful) tweet:
Scams targeting Google accounts appear to becoming more common in recent months. As my colleague Robert Hackett reported in January in the article Everyone is falling for this frighteningly effective Gmail scam, hackers (usually posing as a trusted contact) have been sending around booby-trapped documents that look like ordinary PDFs.
Meanwhile, older versions of the scam have seen the hackers posing as members of the Google Docs team.
If all of this feels frightening, well, it sort of is. But there is a very good way to protect yourself. If you haven’t already, make sure you have two-factor authentication set up on your Google accounts.
Doing will help ensure that, even if hackers do trick you out of your password, they will likely be unable to use it. That’s because the two-factor system will ask for a second code (usually a code sent by text message) if Gmail detects someone is trying to log-on from a strange computer. You can sign-up for Google’s two-factor here.
Finally, if you did click on the nasty link, you can go to your Google account settings here, which will allow you to revoke access to apps—including the fake Google Docs one.
