Don’t trust that Google Doc. Don’t believe that too-good-to-be-true coupon. Don’t get duped.

A series of sophisticated phishing scams has been circulating the web this week, the worst of them a massive attack on Gmail users on Wednesday.

Many of Google’s roughly 1 billion Gmail users were sent a malicious message that appeared to come from one of their contacts, asking them to open a Google Doc. It imitated the usual invitation to view or edit a shared document, and it never asked for a password.

It seemed innocent enough. But if you clicked the “Open in Docs” button and then allowed access to your account, you were not opening a document at all: you were authorizing a third-party app, which called itself “Google Docs,” to read, send and delete your email and to manage your contacts. That is why it worked without ever asking for a password, and it gave the still unidentified attackers exactly what they needed to forward the same phishing email to everyone in your contact list and keep the worm spreading.

“We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” Google said in a statement on Wednesday. “We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again.”

One tip-off that something was phishy about these unsolicited invitations: they were addressed to “hhhhhhhhhhhhhhhh@mailinator.com,” with the real recipients hidden in the BCC field. If you see a Google Docs invitation addressed that way, do not click on it. And if you receive a Google Docs invite from someone you weren’t expecting to hear from, do not click on it either; check with the sender some other way first.
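As an added example (not part of the original article, and not Google’s code), here is a small Python mail filter that applies the two tells described above to raw messages: the mailinator address among the recipients, and, generalizing the point that the button granted account access rather than opening a document, an “Open in Docs” link whose destination is not docs.google.com. The sample messages, the attacker hostname and the expected-host list are constructed assumptions for this example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator the article reports for the May 2017 campaign.
KNOWN_BAD_RECIPIENT = "hhhhhhhhhhhhhhhh@mailinator.com"
# Assumption for this example: a genuine "Open in Docs" button links into docs.google.com,
# so a button that leads anywhere else (e.g. straight to a permission prompt) is suspect.
EXPECTED_DOC_HOSTS = {"docs.google.com"}
BUTTON_TEXT = "open in docs"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _recipients(msg):
    """All addresses in To/Cc/Bcc, lower-cased (Bcc usually survives only in sent copies, so To matters most)."""
    found = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            found.extend(part.strip().lower() for part in str(value).split(","))
    return found


def scan_message(raw):
    """Return the reasons a raw RFC 822 message looks like the Docs-invite phish (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    if any(KNOWN_BAD_RECIPIENT in addr for addr in _recipients(msg)):
        reasons.append("addressed to the known phishing recipient " + KNOWN_BAD_RECIPIENT)

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if BUTTON_TEXT in text.lower():
                host = (urlparse(href).hostname or "").lower()
                if host not in EXPECTED_DOC_HOSTS:
                    reasons.append("'Open in Docs' button leads to %r, not to a Google Docs document" % host)
    return reasons


# Constructed sample messages (not real captures). The attacker host is a placeholder.
PHISH_INVITE = """From: Alice Example <alice@example.com>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: Alice Example has shared a document on Google Docs with you
Content-Type: text/html; charset=utf-8

<p>Alice Example has invited you to view the following document:</p>
<p><a href="https://attacker.invalid/o/oauth2/auth?client_id=placeholder">Open in Docs</a></p>
"""

LEGIT_INVITE = """From: Bob Example <bob@example.com>
To: you@example.com
Subject: Bob Example has shared a document with you
Content-Type: text/html; charset=utf-8

<p>Bob Example has invited you to edit a document.</p>
<p><a href="https://docs.google.com/document/d/placeholder/edit">Open in Docs</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_INVITE), ("legit", LEGIT_INVITE)):
        print(name, scan_message(raw) or ["no indicators"])
```

The filter only looks at the message, not at what the link does once clicked, so a lookalike host such as docs.google.com.attacker.invalid is caught (the hostname is compared whole), but a phish that links to a real document and attacks from there is not; treat it as one signal among several, not a verdict.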

But here’s what to do if you already did:

  • First, visit g.co/SecurityCheckup, where you can review your security settings, change your password, and see what devices are connected to your account. If anything looks suspicious, change your password.
  • Next, turn on 2-Step Verification, which makes it much harder for someone who has your password to get into your account. Once it is on, a login from a computer or phone you have not marked as trusted requires a second step: after entering your password as usual, you must also enter a code that Google sends to your phone by text message or voice call, or that you get through the mobile app. Note that 2-Step Verification would not have stopped this particular attack, because the victim was already logged in and granted the app access themselves; it protects against the far more common case of a stolen password.
  • Revoke the attackers’ access by going to the list of apps connected to your account (myaccount.google.com/permissions), finding the app named “Google Docs” (Google’s own Docs does not need to appear there as a connected app) and removing it if it’s there.
  • Change your password, if you haven’t already, and make it something you have never used before and that isn’t reused on other online accounts, like your bank or social media.
  • Finally, report the incident, or any future suspicious emails, by clicking the downward arrow at the top right of the malicious message and selecting “Report Phishing.”

Cisco’s security business Talos warns that the success of this attack could inspire similar creative phishing scams on other popular web services, so stay alert.

“It will likely be heavily copied almost immediately … Two likely candidates are Facebook and LinkedIn,” they wrote in a blog post. “Users must be very careful what they click on, particularly when it involves passwords or granting permissions or access of some kind. If in doubt, reach out to the sender of the attachment or link using a means other than email to verify the integrity of their email.”

And buyers beware: A couple of fake Mother’s Day coupons from Bed Bath & Beyond and Lowe’s Home Improvement have also been making the rounds on social media.  

The dubious discounts include a $75 off in-store coupon for Bed Bath & Beyond circulating on Facebook, which the home goods store confirmed is a fake. Clicking on it led shoppers to a survey that asked for information like email addresses, phone numbers, birthdates and credit card details, which may seem harmless to hand over but is very sensitive. It also encouraged them to share the phony coupon with friends on Facebook.

Bed Bath & Beyond posted on Facebook on Friday, April 28, 2017: “We know some of our customers are excited about this $75 offer circulating on Facebook. However, we all know some things…”

Similar scams have also targeted Lowe’s, Home Depot, Costco, Amazon and Kroger shoppers. “These offers are a phishing scam to gather information and are not affiliated with Lowe’s in any way,” Lowe’s recently responded to a Facebook user wondering if $50 and $100 online coupons were legit. They were not.

The Better Business Bureau offers these tips to outsmart Facebook scammers.