If your spouse emails you a link to a document, do you open it?
Most people, no matter how security-minded they may be, would probably open up any email their spouse sent them. It’s someone they know and trust, so they’re not going to email something dangerous, right?
Well all it took was one ingenious hacker to exploit that very notion. The Google Doc phishing scam spread like wildfire through the internet: first attacking educators, then parents, journalists, and even government officials. Although many fell for it, word spread quickly, and Google was able to disable the program within an hour, according to a press release. But how was it that this scam was able to spread at all?
Unlike other scams that often filter into your spam folder or are blatant about their malicious intent, this scam traveled through an application that mimicked the appearance of Google Docs. When the link was clicked, it would request access to the rest of your Google account (including the ability to send and receive messages, and see all your contacts). It would then send out the same message to all of your contact list, making it look like you sent the message (with the hacker’s email listed as a CC — this stands for carbon copy, which is when multiple people are included in an email). It’s like the worst sort of chain-mail: the kind you can’t control and steals all your personal information while it’s spreading.
So what does this mean for personal and business security? It’s fair to assume that hackers will get smarter over time and scams will become increasingly harder to detect. How can small businesses protect themselves from potential threats like this one? Here are some tips to help you keep your guard up against potential security risks.
As a small business owner or manager, you have access to some very sensitive data within your company. Although it is hard to put a price on data, it is safe to assume that even the smallest piece of information — employee social security numbers, bank accounts, credit card transactions, you name it — can be seen as extremely valuable to potential hackers. If your business puts value in that data, chances are it will become a target for phishing scams.
Although small businesses might not be as big of a target as corporations are, they are often seen as easier to infiltrate. Small businesses don’t often have the money needed to maintain high-level security, or don’t have technicians on call for when breaches occur. In addition, many small business employees are not trained on basic security measures, which opens up multiple access points for hackers to get into the system.
This is why it is so important to buckle down and be aware of email threats and understand why the Google Docs scam was especially significant. It’s easy to fake someone’s email — if you know what you’re doing — and hackers are exceptional at finding ways to trick everyday email users.
When you’re checking your emails, keep an eye out for some basic red flags.
- Does the email come from a trusted contact, and is anyone else included in the email? Check the CC to determine if any unfamiliar email addresses are included, or if the email was forwarded from another user.
- Does the email have an attachment? Never click an attachment that comes from an unknown user, or that does not include an explanation from the sender. In the Google Docs scam, the “fake Google Docs” attachment was sent without a body in the email, which should have been a major red flag that something was amiss. Attachments can also contain Trojan Horses or other types of viruses that can expose your data. Always be wary about attachments, even from trusted sources.
- Additionally, be wary of the applications that might be linked through your email. For Gmail users, this includes Google Docs, Google Sheets, and Google Slides, as well as anything else that might be downloaded through Chrome Extensions. When you first download these applications, they will ask you to grant access to certain parts of your account (such as your contact list, documents, and images — or more personal information, like birthday, name, username, and passwords). When those applications ask permission to view information, make sure it’s not sensitive or potentially dangerous to share. With the Google Docs scam, it asked users for complete access to their email account (allowing it to send, receive, delete, and manage all aspects of gmail for that user). This is a major red flag, but we oftentimes forget to read the fine print before we hit the “ALLOW” button. Instead, when permission screens pop up, read everything on the page to make sure you’re not exposing your business or yourself. To double check your permissions, go here.
- Never click on links within an email from an unknown user, and always double check the URL of the link by hovering over it before clicking it. If the link says “this article from Fortune Magazine” but the URL is “fortune.us/spam” which is not the actual website for Fortune Magazine, then it might be obvious that someone is trying to trick you into clicking the link. Sometimes the landing page of the site (aka: the page where the link sends you) will look dangerously similar to the site they are trying to mimic. As the US-CERT describes in their pamphlet on email scams, this method is common for those trying to steal bank account information. Always double check the URL.
- Lastly, it’s important to check all the potential signs of a malicious email. Is there a subject line, forwarded content, or a body to the email? Is the message sent to you directly, or was it sent through multiple people before it came to you? Are there other random people (email addresses that look fake or spammy) included in the email chain? Going through a checklist like this can prevent you from falling victim to any future scams that might pop up. The Google Docs scam was an ingenious one, but cautious and security-minded individuals were able to catch the red flags by making a checklist like this for themselves.
Sharing is Caring (and Smart)
Small businesses might not pose the same risks as multi-million dollar companies, but they still offer plenty of opportunities for information to be stolen by clever hackers. This is because small business employees all provide hackers with potential openings into the business.
As the Collat School of Business at the University of Alabama, Birmingham, notes, the best defense against potential hackers is for everyone within the business to be on the same page when it comes to security. UAB found through its study that the majority of big and small company data breaches happen because of employee negligence. Using personal phones or devices, not deleting information, and sharing passwords (or using cookies to remember passwords), all open up vulnerabilities to a company’s main system.
The best way to counteract this is through education. Creating a written policy, as well as conducting security awareness training for all employees, can help prevent mistakes from happening and guarantee that your business has a security-minded team protecting it. When you read articles like this, or are made aware of potential risks going around on the internet, let your team of employees know so everyone is on the same page. Being overprotective never hurts, but not raising awareness can lead to data breaches and problems down the road.
If you fell victim to the Google Docs phishing scam, don’t beat yourself up too much; it was a clever attempt at gaining access to gmail users, and it fooled quite a few people. Do, however, let it be a reminder to you to always stay alert. The internet is full of wonders and terrors. Stay vigilant, and your business will stay secure.
About the author:
Katie McBeth is a researcher and writer out of Boise, ID, with experience in marketing for small businesses and management. Her favorite subject of study is millennials, and she has been featured on Fortune Magazine and the Quiet Revolution. She freelance writes during the day, and snuggles with her three cats and dog at night. You can follow her writing adventures on Instagram or Twitter: @ktmcbeth.