A very sophisticated and malicious phishing scam is spreading across the Internet, infecting computers and compromising the safety of millions of Gmail users around the world, Google confirmed on Wednesday. The bug arrives in inboxes posing as an email from a trusted contact.
How Google Docs phishing scam tricks Gmail users
The bug asks users to check an attached GDocs or “Google Docs” file. When the user clicks on the link, it takes them to a real Google security page where they are asked to give their permission for the fake app posing as Google Docs to manage their Google accounts. If permission is granted, attackers get access to a vast amount of the user’s personal data.
In addition, the bug transfers itself to all of the affected user’s contacts as well, reproducing itself multiple times every time a single user opens the email and clicks the link, notes CNBC. Hence, those who receive an email which says that someone from their contact list has shared a Google document with them should think twice before accessing it. There are chances that the document sent by the contact is not an actual doc but a scam to take control of your email account and steal your personal data.
Many people have already been victims of this apparent phishing attempt by an unknown organization. To stay safe, report the Gmail message that has a mailinator.com address as the main recipient. Report the messages as phishing by clicking the down arrow beside the reply button and selecting “Report phishing.” Next, delete it.
However, if you do click on the link, do not give permission when the fake Google Docs app asks for it. If you have already granted permission to the fake GDocs app, go to your Google connected sites and revoke access to GDocs. Next, you should change your password.
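For mail administrators triaging an exported mailbox, the mailinator.com recipient indicator mentioned above can be checked mechanically. The following is an added example, not code from Google or from the article; the sample messages and every address in them are constructed, and matching subdomains of the indicator domain is an assumption.

```python
from email import message_from_string
from email.utils import getaddresses

INDICATOR_DOMAIN = "mailinator.com"  # recipient domain named in the article

def to_domains(raw_message):
    """Return the lower-cased domain of every address in the To header."""
    msg = message_from_string(raw_message)
    domains = []
    # getaddresses() separates display names from addresses, so a display
    # name that merely contains the indicator string is not counted.
    for _name, addr in getaddresses(msg.get_all("To", [])):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].strip().rstrip(".").lower())
    return domains

def matches_indicator(raw_message):
    """True when any To address is at the indicator domain.

    Matching subdomains as well is an assumption of this example."""
    return any(d == INDICATOR_DOMAIN or d.endswith("." + INDICATOR_DOMAIN)
               for d in to_domains(raw_message))

def triage(messages):
    """Map each label to True/False for a dict of raw RFC 5322 messages."""
    return {label: matches_indicator(raw) for label, raw in messages.items()}

def _raw(to_header):
    # Constructed sample message; every address here is made up.
    lines = ["From: Alice <alice@example.org>", "Subject: Shared document"]
    if to_header is not None:
        lines.append("To: " + to_header)
    return "\n".join(lines) + "\n\nOpen in Docs\n"

SAMPLES = {
    "indicator_mixed_case": _raw('"Docs" <placeholder@Mailinator.COM>'),
    "ordinary_recipient": _raw("carol@example.net"),
    "lookalike_domain": _raw("dave@notmailinator.com"),
    "display_name_only": _raw('"erin@mailinator.com" <erin@example.net>'),
    "second_recipient": _raw("frank@example.net, g@mailinator.com"),
    "no_to_header": _raw(None),
}

if __name__ == "__main__":
    for label, hit in triage(SAMPLES).items():
        print(f"{label:22} {'REPORT' if hit else 'ok'}")
```

Comparing parsed address domains rather than searching the header for the string avoids false hits on lookalike domains and on display names that only quote the indicator.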
How is Google taking care of it?
Google is informing users of this phishing scam via Twitter. A tweet from Google Docs says that they are investigating a phishing email that appears as Google Docs.
“We encourage you to not click through & report as phishing within Gmail,” the tweet states.
Google said it has disabled the malicious accounts and pushed updates to all users. The internet company has responded to the phishing attack with a combination of manual and automatic actions. In a statement, the company said that it was able to stop the campaign within approximately one hour. On Wednesday night, a spokesperson told NBC News that the bug affected less than 0.1% of Gmail users (around 1 million users).
“While contact information was accessed and used by the campaign, our investigations show that no other data was exposed,” the spokesperson said.
According to BuzzFeed, now if you attempt to click on the link to the suspicious Google Doc, you may see a screen that says, “We’re sorry…but your computer or network may be sending automated queries. To protect our users, we can’t process your request right now.”