SSST #27: Bait Shop: Google Docs

Phishing is one of cybersecurity’s most serious threats…and the one most preventable by users. Knowing what to look for can steer you clear of these traps that target your network and identity.

Since awareness is your best defense, I’ll occasionally focus on the latest (dirty) tricks of the trade here in a series called Bait Shop. This week’s spotlight is on a dangerous new scam that uses our reliance on Google Docs.

Google Docs is a popular platform run by a trusted tech giant, which is precisely what makes it perfect for phishing. Invoking Google’s good name earns the target’s trust, and because the sharing notification is generated and sent by Google’s own servers, it sails past email filters that key on suspicious senders or links.

So this phishing bait uses HTML trickery to squat in a supposedly safe space, camouflaged to blend in perfectly. It’s like a stick bug, if stick bugs were deadly!

The scam plays out like this: you receive a genuine Google Docs sharing invitation that links to a file actually hosted on Google’s servers. But instead of the expected document, you find an HTML page that mimics the Docs interface and prompts you for one more click:


That “download” link is just a coded redirect to a phishing site, which asks you to sign in again before you can proceed:

You believe you’re verifying an account but have just given the bad guys your password. Game. Set. Match.

Like so many phishing attacks, it’s easy to fall for — which is why you have to remain hyper-vigilant. 

First: ALWAYS THINK BEFORE YOU CLICK. If you receive a Google Doc invitation, take a moment to assess whether it was expected, who actually sent it, and what client or case it supposedly involves. If something smells “phishy,” confirm with the sender through a channel you already trust, such as a phone call, rather than by replying to the invitation.

Second: ALWAYS TRIPLE-CHECK BEFORE SUBMITTING CREDENTIALS. Whenever you’re asked for a password, read the address bar and confirm you are on the exact domain you expect, not a look-alike. A name such as accounts.google.com.example.net belongs to example.net, not to Google, and a Google name sitting before an “@” or inside the rest of the address means nothing. The “lock” symbol only tells you the connection is encrypted; phishing sites can get one too, so it is no proof the site is genuine. Better yet, never submit a password on a page you reached from a link. Open a new tab, sign in through the host’s authentic URL, and look for the shared document from there.
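A small programmatic version of that address-bar check, written for this page as an added example (it is not part of the original tip and not Security+ tooling). The allow-list of Google hosts is an assumption for illustration, and the sample URLs are constructed to show the tricks the manual check has to catch:

```python
from urllib.parse import urlsplit

# Illustrative allow-list (an assumption for this example): the only hosts on
# which we would ever type a Google password or open a shared document.
EXPECTED_HOSTS = frozenset({"accounts.google.com", "docs.google.com", "drive.google.com"})


def is_expected_host(url: str, allowed_hosts=EXPECTED_HOSTS) -> bool:
    """Return True only if url is an https URL whose host is exactly one of
    allowed_hosts. This mirrors the manual address-bar check, applying the
    rules a phisher counts on people skipping."""
    parts = urlsplit(url.strip())

    # 1. A login page without TLS is never right (no lock at all).
    if parts.scheme.lower() != "https":
        return False

    # 2. .hostname drops any "user:pass@" prefix and the port, and lowercases.
    #    "https://accounts.google.com@evil.example/" therefore yields "evil.example".
    host = parts.hostname
    if not host:
        return False

    # 3. Reject non-ASCII and punycode labels (look-alike letters such as a
    #    Cyrillic "o" in "google") and a trailing dot, all of which pass a glance.
    if (
        not host.isascii()
        or host.endswith(".")
        or any(label.startswith("xn--") for label in host.split("."))
    ):
        return False

    # 4. Exact match only: "accounts.google.com.evil.example" starts with the
    #    expected name but is a completely different site.
    return host in allowed_hosts


def triage(urls):
    """Classify a batch of URLs; returns {url: True (expected) / False (stop)}."""
    return {u: is_expected_host(u) for u in urls}


# Constructed sample URLs (not real phishing addresses) of the kinds that can
# appear in the address bar after a "download" link like the one above.
SAMPLE_URLS = [
    "https://docs.google.com/document/d/example-id/edit",        # genuine
    "https://ACCOUNTS.GOOGLE.COM/signin",                         # genuine, odd case
    "http://accounts.google.com/signin",                          # no TLS
    "https://accounts.google.com.evil.example/signin",            # prefix trick
    "https://accounts.google.com@evil.example/signin",            # userinfo trick
    "https://accounts.g\u043e\u043egle.com/signin",               # Cyrillic o's
    "https://accounts.xn--ggle-0nda.com/signin",                  # punycode form
    "https://evil.example/?next=https://accounts.google.com/",    # real name in query
]

if __name__ == "__main__":
    for url, ok in triage(SAMPLE_URLS).items():
        print("OK  " if ok else "STOP", url)
```

Only the first two sample addresses pass; every other one carries the words “google.com” somewhere, which is exactly why reading the whole host name, and nothing else, is the check that matters.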

Phishing attacks have become crazily sophisticated, and saving your skin requires sharp eyes. Ideally, your team is protected by up-to-date security tools, multi-factor authentication (which limits the damage when a password does leak) and regular awareness training. But at minimum, be careful and remember that an attacker can be disguised as anyone, even Google.

Don’t take the bait! 

Tom Lambotte is the CEO and Founder of Security+, an all-in-one security solution for solo and small firm lawyers. It provides leadership and direction to transform law firm operations and boost profits by leveraging technology.

Tom’s methods are based on over a decade of research, testing, and real-world refinement of best practices, working directly with law firms. Tom is the author of Hassle Free Mac IT Support for Law Firms and Legal Boost: Big Profits Through an IT Transformation and has a forthcoming book, Macs in Law, being published by the ABA Law Practice Division. He is a highly sought-after speaker at national events such as the ABA Techshow and MacTrack Legal.
