PSA: This Google Doc scam is spreading fast and will email everyone you know

A new Google Docs phishing scam just reared its head a few hours ago, and it’s spreading like wildfire. Google appears to be taking action to stop it, but in the meantime: be super, super wary of Google Doc invites for now. If you fall for this one (and plenty of otherwise eagle-eyed people have already), it’ll blast out the bait to everyone on your contact list.

Here’s what you need to know:

Clicking the link takes you to a real Google-hosted page, with a list of your Google accounts ready to click

It asks you to select an account and provide an app called “Google Docs” — yes, they were somehow allowed to name a third-party app “Google Docs” — with account permissions

As soon as you click the “ALLOW” button, this not-at-all-actually-Google Docs app now has permission to read your emails and email all your contacts… the latter of which it’ll start doing pretty much immediately, spreading the worm to pretty much everyone you’ve ever emailed.

This one is super sneaky; pretty much the only way to detect it before falling for it is to click the small “Google Docs” link on the actual Google-hosted page and notice that the developer info seems… off.

Zach Latta of Hack Club grabbed a video of the whole flow so you don’t have to test fate to see it for yourself:

Just got this as well. Super sophisticated. pic.twitter.com/l6c1ljSFIX — Zach Latta (@zachlatta) May 3, 2017

How do I know if I’ve been hit? How do I fix it?

Check your Google account’s app permissions. There should not be an app called “Google Docs” there — actual Google Docs has access to your account by default. If you see it listed there, remove it by tapping the label and hitting “Remove”

Update: The Google Docs Twitter account just acknowledged the attack and says they’re working on it, but says not to click on things in the meantime.

We are investigating a phishing email that appears as Google Docs. We encourage you to not click through & report as phishing within Gmail . — Google Docs (@googledocs) May 3, 2017

Update: Google says this specific attack should be blocked now, and they’re working on preventing similar attacks moving forward.