Update: Google has issued a new statement, explaining that it's taking action to protect users against this phishing attack.
"We realize people are concerned about their Google accounts, and we're now able to give a fuller explanation after further investigation," a Google spokesperson told Refinery29. "We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup."
This story was originally published on May 3, 2017, at 4:20 p.m.
This afternoon, scores of people — mainly those who work in the media industry — reported receiving an email that looks something like this (this one's the one I got at 2:29 p.m.):
It's an invitation from an email address you've corresponded with (in my case, it was a friend of a friend with whom I've exchanged exactly one email) to view a Google Doc. What tipped me off to the fact that it was a scam? Mostly the weird multiple h's in the BCC field.
A Google spokesperson told R29: "We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail."
It's unclear exactly what the purpose of this scam was, but phishing is often used to gain unauthorized access to private emails, accounts, and information. But if you're worried about your own account security, you can adjust your permissions on Google's security page by clicking "manage apps" and revoking access to untrusted apps. And, of course, never, never click on anything that looks even the slightest bit "phishy."
Most of those who were affected first noticed the scam around 3 p.m.
Journalists being journalists, the phishing scam became an excuse to post meme upon meme.
The latest statement from Gmail is that it is investigating the scam.
"We are investigating a phishing email that appears as Google Docs," according to the official Gmail Twitter account. "We encourage you to not click through, & report as phishing within Gmail."