Phishing Sites Found in Google Docs

You expect Google Docs to be a safe way to store documents in the cloud and collaborate with other people, but it’s also apparently a haven for scammers. Some people are using the service to run phishing scams, tricking people into revealing sensitive information.

The way these scams work is that you get an email saying that you need to reset your password on some service, and you are then directed to a site that usually looks quite convincing, often borrowing the legitimate site’s logo. Really smart scammers will register a domain name similar to the one whose users they’re targeting. Users are then directed to fill in their account information, such as their user name and password. Often, the scammers will also ask for information that most online services never ask for, such as Social Security numbers. If you haven’t figured it out already, it’s an attempt to steal your identity. Scams like these are also a classic example of social engineering: posing as someone in authority and convincing people to give up important account information.

Google Docs is a great tool for letting people work on documents together, and it’s becoming increasingly important for real businesses because it offers a central place to store documents. Scammers are starting to use the service because it allows users to create forms easily, without having to know HTML or any other Web development technology. The Google name also seems to offer some people a sense of security. If Google’s hosting it, they think, it must be okay. Users who know to check the little lock icon to make sure a site’s legit may be fooled, because the lock vouches for Google itself, which has been vetted, even if the document being used was created by a malicious user intent on stealing people’s identities.
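Because the lock icon and the Google hostname say nothing about who wrote a form, a mail filter has to look at the combination the article describes: a link to a Google-hosted form together with a request for credentials. The sketch below is an added example, not code from the original article; the host and path patterns, the keyword list and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: host/path patterns used here to recognise a Google-hosted form.
FORM_HOSTS = {"docs.google.com"}
FORM_PATH_HINT = "/forms/"
# Assumption: wording typical of the lure the article describes.
LURE_RE = re.compile(r"password|user ?name|social security", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def hosted_form_links(body):
    """Return links in the message body that point at a Google-hosted form."""
    found = []
    for raw in URL_RE.findall(body):
        url = urlparse(raw.rstrip(".,)"))  # drop trailing sentence punctuation
        if url.hostname in FORM_HOSTS and FORM_PATH_HINT in url.path:
            found.append(url.geturl())
    return found

def classify(body):
    """Return ('suspicious' | 'ok', form_links) for one message body."""
    links = hosted_form_links(body)
    asks_for_secrets = bool(LURE_RE.search(body))
    # Neither signal alone is enough: hosted forms are widely used for
    # legitimate surveys, and real services do send password-reset mail.
    if links and asks_for_secrets:
        return "suspicious", links
    return "ok", links

# Constructed sample messages (not real mail).
PHISH = ("Your mailbox is over quota. Reset your password here: "
         "https://docs.google.com/forms/d/e/CONSTRUCTED-ID/viewform.")
SURVEY = ("Please pick a lunch option in the team survey: "
          "https://docs.google.com/forms/d/e/CONSTRUCTED-ID/viewform")
RESET = "To reset your password, visit https://accounts.example.com/reset"

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("survey", SURVEY), ("reset", RESET)):
        print(name, classify(msg))
```

A valid certificate on the linked page plays no part in the verdict, which is the point: the hosting provider's reputation is not evidence about the form's author.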

I’m sure Google will start cracking down hard on these scammers, but it’s always good for end users to employ a little common sense. Nobody from any company will ever ask you for your password, and big companies probably won’t use Google Docs for changing passwords or any other information.

We’ve covered phishing scams in the past, with Apple’s MobileMe and the “Dislike” button scam on Facebook (Hint: Facebook doesn’t have one, and most likely never will).

Have you ever had a run-in with a phishing site? Tell us about it in the comments.

via: ReadWriteWeb/F-Secure