Experts: Google phishing attack underscores data protection issues

A recent phishing attack that affected 1 million Google Docs users has emphasized the need to educate schools and districts about the many ways in which personnel and student information can be accessed by cyber criminals, according to experts.

Earlier this month, a widespread cyber-attack was launched against Google Docs users, an incident that also impacted K-12 schools across the country. Attackers tricked some users into granting access to their personal contact information.

Google responded to the incident within an hour of learning about it and issued a statement assuring users that it took swift action “to revoke all access granted to the attacker as well as steps to reduce and prevent harm from future variants of this type of attack.”

The phishing campaign, according to Google, worked by convincing victims to click on a link in an email appearing to be an invite to a Google Doc from one of their contacts.

“When users clicked the link in the attacker’s email, it directed them to the attacker’s application, which requested access to the user’s account under the false pretense of gaining access to the Google Doc,” Google officials explained. “If the user authorized access to the application (through a mechanism called OAuth), it used the user’s contact list to send the same message to more people.”

“As many email users know, phishing attacks — or emails that impersonate a trusted source to trick users into sharing information — are a pervasive problem,” the company wrote. “If you use Gmail, you can rest assured that every day, millions of phishing emails are blocked from ever reaching your inbox.”

‘Limit future exposure’

Doug Levin, founder and president of EdTech Strategies LLC, said he believes Google managed to address the issue quickly because it was already aware of its software’s vulnerability. The potential exploit, he wrote in a blog post, has been “well-understood” and documented since at least 2011.

“Given the popularity of these tools within the K-12 sector, I’d hazard that anywhere from a third to half of all U.S. K-12 students and teachers were probably at risk of being exploited here,” according to Levin. “Had it gone unaddressed for a day or more, the numbers could ultimately have been even higher than that.”

Levin urged those working in or on behalf of local educational agencies to learn about the incident and take steps to limit future exposure. He expects that other similar exploits will happen in the future.

Expert tips

Miguel Guhlin, director of professional development for the Texas Computer Education Association, also said the Google phishing attack underscores the need to continue to educate school staff and students about online safety.

The School District of Palm Beach County (Fla.) issued a statement advising school staff to simply delete the suspicious emails. School authorities also advised staff, when in doubt, not to open, respond to, or click links in an email.

The district also urged employees to protect district passwords by ignoring surveys or questionnaires in emails that ask for passwords and other email account information, and to change passwords immediately if employees believe their accounts have been compromised.

To avoid future traps with Google Docs in particular, Guhlin recommended the following on the Texas Computer Education Association website:

  • If a suspicious email prompts the user to enter login credentials to access Google Docs, simply go to and check the “Shared With Me” section. This will confirm whether a document was actually shared or if the suspicious email is a scam, he said.
  • Contact the person who allegedly sent the message and ask whether they shared a Google Doc. If the answer is “No,” then delete the document, he said.
  • Scrutinize the From: and To: sections of an email to verify its authenticity.
  • “If you must click, copy the link to OPEN DOC and create an incognito or private browser window,” he said. “That way, your login credentials stored in cookies in your browser will not auto-populate or show up in the username/login box.”

Emily Ann Brown covers education technology and STEM education issues for LRP Publications.

Copyright © 2017 LRP Publications, Education Daily®