
A very convincing Google Docs phishing scheme is racing around the internet right now, which means you should avoid clicking any weird Google Docs links that have been emailed to you recently — even if they're from someone you know. It’s spreading incredibly quickly:

Phishing (or malware) Google Doc links that appear to come from people you may know are going around. DELETE THE EMAIL. DON'T CLICK. pic.twitter.com/fSZcS7ljhu — zeynep tufekci (@zeynep) May 3, 2017

holy crap i just got emailed the same phishing google doc by five people on my gmail — YesHugz (@HugoKitano) May 3, 2017

PSA: do not open a weird google doc email from me, it's a virus/phishing scam. Sorry I was hacked! — Anna Brower (@ab2788) May 3, 2017

Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX — Zach Latta (@zachlatta) May 3, 2017

If you click the link, it asks for some access permissions to your Gmail account (which actual Google Docs links would not need), and then spams everyone in your contacts with a link to a Google Docs file. They, in turn, email everyone in their contacts, and so on. All of them seem to include the email address “hhhhhhhhhhhhhhhh@mailinator.com.”

What exactly the phishing accomplishes is unknown, but there’s an excellent explanation of how it works on Reddit:

It’s not the first time Google Docs has been used like this. There were widespread Google Docs email scams in 2014, 2015, 2016 — if you stare hard at those numbers, you can almost see a pattern forming. This one does seem to be more subtle and advanced; it asks only for permissions and does not ask users to enter their password. It’s also widespread — hitting media organizations, technology companies, and entire schools:

If you receive an email from Central Lutheran that says "Open a Google Doc" Do not open email. Just delete. It is a phishing scheme. — Central Lutheran (@clschargers) May 3, 2017

COACHES: Do not open emails with Google Doc attachments! Gotten 40 scam/phishing emails from hacked accounts in last 3 minutes. — Travis Wilson (@travisWSN) May 3, 2017

#gsuite messages going around our schools with a fake Shared Google Doc #Phishing link. Looks like it installs an extension? — Eric Simmons (@ersimmons) May 3, 2017

Is there a new phishing attack? I've just gotten 3 emails to share a google Doc. Email includes hhhhhhhhhhhhhhhh@mailinator.com. #TMYK — Dustinson (@dustinson) May 3, 2017

If, by chance, you received this email and clicked on the link, here’s what you need to do:

1. Go to your Gmail account’s permissions settings at https://myaccount.google.com/permissions.

2. Remove permissions for “Google Docs,” the name of the phishing scam.
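
For an administrator who has to run the same check across many accounts, the review can be scripted: look for an app that borrows a Google product name while holding mail or contact access that a document link would not need. This is an added example, not code from the original article or from Google; the record fields, the product-name list, the client IDs and the sample grants are constructed assumptions, and a real export of app grants would have to be mapped onto them.

```python
import unicodedata

# Names an attacker might borrow for an OAuth app (assumed list).
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "gmail"}
# Scope prefixes for reading or sending mail and reading contacts.
MAIL_AND_CONTACT_SCOPES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.",
    "https://www.googleapis.com/auth/contacts",
)
# Client IDs the organisation has verified as genuine (placeholder).
VERIFIED_CLIENT_IDS = {"VERIFIED-CLIENT-ID-PLACEHOLDER"}

def normalize(name):
    """Fold case, Unicode compatibility forms and extra whitespace."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def find_impersonating_grants(grants):
    """Return (user, client_id, risky_scopes) for unverified apps that
    use a Google product name and hold mail or contact scopes."""
    hits = []
    for g in grants:
        if g["client_id"] in VERIFIED_CLIENT_IDS:
            continue
        risky = sorted(s for s in g["scopes"]
                       if s.startswith(MAIL_AND_CONTACT_SCOPES))
        if risky and normalize(g["display_name"]) in GOOGLE_PRODUCT_NAMES:
            hits.append((g["user"], g["client_id"], risky))
    return hits

# Constructed sample export, not real data.
SAMPLE_GRANTS = [
    {"user": "alice@example.org", "display_name": "Google Docs",
     "client_id": "UNVERIFIED-CLIENT-ID-1",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"]},
    {"user": "bob@example.org", "display_name": "Google Docs",
     "client_id": "VERIFIED-CLIENT-ID-PLACEHOLDER",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "dave@example.org", "display_name": "\uff27oogle  Docs",
     "client_id": "UNVERIFIED-CLIENT-ID-2",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]

if __name__ == "__main__":
    for hit in find_impersonating_grants(SAMPLE_GRANTS):
        print(hit)
```

Each account it reports is one where the permission should be removed as in step 2.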

I’ve emailed a few cybersecurity people and Google to ask what’s up, and will update with responses. The Electronic Frontier Foundation has confirmed that it’s a “credential hacking” attack that gives itself the ability to spam your contacts, but not malware that affects your entire computer — which means that as long as you remove any permissions you gave it, you’re safe.

Meanwhile, if you do get a random Google Docs link, here’s what to do:

Hey, if you're a journalist getting hit with random Google Doc invites right now, do not click. Forward phishing attacks to cooperq@eff.org — sarah jeong (@sarahjeong) May 3, 2017

Stay safe out there.

Update, May 3, 2017, at 5:20 p.m.: An official statement from Google, saying the attack has been stopped: “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”