Lessons From the Google Docs Scam
Why professionals need to be ever vigilant to cyber risks.
The recent Google Docs phishing scam that sent emails to many professionals highlighted the need for professionals to always be vigilant and ready for a new scam that may not have been seen previously. Professionals have been the targets of scam artists for years, and scams have been presented in many forms. Scammers will usually keep using a current scam until professionals and law enforcement become savvy to a particular method.
While it is important for professionals to learn about all past and recent cyber and social engineering scams, it also is necessary to be on the lookout for new fraud scams and exercise a healthy dose of skepticism that something is not as it appears, especially when it comes to emails and internet transactions and communications.
Cyber and Social Engineering Fraud Scams
In an October 2015 Fortune article, “How This CEO Avoided Getting Conned in a Wire Fraud Scam,” author Robert Hackett says that in the United States alone, the Federal Bureau of Investigation reports that as much as $750 million have been lost to wire fraudsters. Additionally, in a PLUS webinar on Sept. 1, 2016, entitled, “Quite a Catch! Phishing for ‘Social Engineering’ Fraud,” Peter Hedberg and Jonathon Meer reported that social engineering fraud resulted in nearly $1 billion in losses in 2015. The same presentation also reported that there were $5.9 billion in losses based on nearly 450,000 phishing attacks in 2014.
While hacking into professionals’ computer systems is still a legitimate risk, professionals often inadvertently have allowed scam artists access to even the most protected computer systems through phishing scams. Phishing scams typically involve an attempt to trick a professional into clicking a link that installs malicious software or malware on the professional’s computer.
The attempt to gain access to a professional’s computer system can come from a link contained in an email or on a website. Many scams involve information to entice the professional to click the link, such as a purported disciplinary complaint, a request by the IRS or other government entity, or an email from a client.
Once allowed into the computer system, scammers can take full control. This control can include monitoring the email traffic to learn enough details of an ongoing transaction to commit a wire fraud scam.
Wire fraud scams have been used against nearly all professionals who wire funds as part of their operations. Examples of wire fraud scams include real estate attorneys and real estate agents wiring purchase funds; property managers paying outside vendor bills; and accountants managing trust funds.
As we have seen recently with the “WannaCry” ransomware attack in May, scammers also can encrypt professionals’ systems and data on their servers to prevent the professionals’ access to their own computer files. Typically, the professionals will then receive a ransom request from the hacker requesting money to be paid in exchange for releasing the data.
Even after a ransom request is paid and the data released, professionals have to take steps to prevent hackers from freezing all of the data again in the future. Additionally, there is always the devastating risk that the hacker will delete all of the data if the ransom is not paid.
Why the Google Docs Scam Was New
The Google Docs scam involved emails that appeared to be legitimate invitations to view Google Docs. The emails then prompted recipients to give access to a third-party app called “Google Docs.” The emails typically came from someone known by the professional (client, friend, or entity) and usually included something like “[Client X] has shared a document on Google Docs with you.” The emails may have also contained a “CC” to a fake email address, such as firstname.lastname@example.org.
This app was not the genuine Google Docs created and maintained by Google. If granted access, the scammer likely gained the ability to read, send, delete, and manage all of the recipient’s emails and contacts. This may have allowed the scammer to spam anyone the professional has ever emailed. The scam caught professionals unaware as previous scams had not involved Google Docs. Typically, Google had been able to shut down potential scams before they affected professionals.
Google released a statement that stated it had taken action to protect users against the fraudulent email and had disabled the accounts from which the email was issued. Google added that recipients should not click the link and report the email as phishing directly to Google.
Best Risk Management Practices
As long as professionals continue to fall for social engineering and phishing scams, they will continue to be targeted by scam artists. The scammers are constantly altering previous scams and creating new ones, like the Google Docs scam.
It is difficult to exercise enough caution in today’s email culture. It is crucial that all professionals make themselves aware of all current methods and cyber scams. Professionals can review common scams and learn about techniques to reduce their risk of being scammed by visiting the FBI’s website.
Since the data on computer systems often includes highly confidential data and information of clients, it also is necessary for professionals to take steps to protect their computer systems with virus protection and strong passwords. Be skeptical of all emails, even those received from known parties.
If there are last-minute changes to a transaction or something seems not quite right, then the professional should double-check before going forward. If a professional has not requested an email from someone, then he or she should not click on any links contained in the email. It is better to call the sender first and ask to confirm before clicking the link. Professionals should be sure to use the contact information they have for the sender, and not the contact information contained in the suspicious email.
Social engineering and email scams will continue to evolve and adapt as professionals become savvy to the most current scams. By making themselves aware of all potential scams in any scenario, being vigilant, and exercising best practices, professionals can go a long way to avoiding becoming the victim of a costly and professionally troublesome fraud scheme.