On May 3, a new phishing scheme spread rapidly through school districts, colleges, universities and media companies. The lure is a convincing imitation of a Google Docs sharing invitation, frequently arriving from a real contact whose own account had already been hit, which makes it especially effective against people who routinely share files and collaborate in Google Docs. The “Open in Docs” button does not open a document; it leads to a Google sign-in and consent screen for a third-party application that has named itself “Google Docs.” A user who approves the request grants that application access to their Gmail and contacts, which it then uses to send the same lure to everyone in their address book. The scheme does not ask for a password; it abuses the account access the user grants, so a legitimate-looking sender and a genuine Google sign-in page are not safeguards here. Users should not click the “Open in Docs” button and should delete the email immediately. Anyone who did click and approved the request should go to Google’s “Connected Apps and Sites” page and revoke access to the app deceptively named “Google Docs.” See below for an example of the email.
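For an organization that runs Google Workspace, the per-user cleanup above can be done centrally: an administrator can list every third-party grant in the domain and revoke the imposter for everyone at once. The following is an added example (not code from the original article) of the triage step, written in Python. It flags grants whose display name imitates a Google product without being on an approved list, grants that combine full mailbox access with contacts access (the combination this scheme needed to read mail and re-send itself), and unregistered clients holding either. The input records are constructed here and modeled on the fields the Google Admin SDK Directory API returns from tokens.list (userKey, clientId, displayText, scopes, anonymous, nativeApp); no API call is made, and every account and client ID shown is a placeholder.

```python
"""Triage third-party OAuth grants for consent phishing of the "Google Docs" kind.

Added example, not code from the original article. The records below are
constructed and modeled on the Google Admin SDK Directory API tokens.list
fields (userKey, clientId, displayText, scopes, anonymous, nativeApp).
No API call is made; all client IDs and addresses are placeholders.
"""
import re
from dataclasses import dataclass, field

# Scopes that let an app read or act on the whole mailbox.
FULL_MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
}
# Scopes that expose the address book used to pick the next targets.
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.google.com/m8/feeds/",  # legacy Contacts API scope
}
SENSITIVE_SCOPES = FULL_MAIL_SCOPES | CONTACT_SCOPES
GOOGLE_BRAND = re.compile(r"\bgoogle\b", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    client_id: str
    display_text: str
    reasons: list = field(default_factory=list)


def assess_token(token, approved_client_ids):
    """Return the reasons a single grant deserves review (empty list if none)."""
    scopes = set(token.get("scopes", []))
    reasons = []
    # A third-party client calling itself "Google ..." that the admin has not
    # vetted is the signature of this scheme: the lure relied on the name alone.
    if GOOGLE_BRAND.search(token.get("displayText", "")) and token["clientId"] not in approved_client_ids:
        reasons.append("google_branded_unapproved")
    # Mail plus contacts is exactly what is needed to read a mailbox and
    # re-send the lure to everyone in it.
    if scopes & FULL_MAIL_SCOPES and scopes & CONTACT_SCOPES:
        reasons.append("mail_and_contacts")
    # anonymous=True means the client is not registered with Google; such a
    # client holding any sensitive scope is worth a look regardless of name.
    if token.get("anonymous") and scopes & SENSITIVE_SCOPES:
        reasons.append("anonymous_client_sensitive_scope")
    return reasons


def triage_tokens(tokens, approved_client_ids):
    """Run assess_token over every grant and keep the ones with findings."""
    findings = []
    for token in tokens:
        reasons = assess_token(token, approved_client_ids)
        if reasons:
            findings.append(Finding(token["userKey"], token["clientId"],
                                    token.get("displayText", ""), reasons))
    return findings


def affected_users(findings):
    """Group flagged users by client ID: the (userKey, clientId) pairs that
    Admin SDK tokens.delete needs in order to revoke each user's grant."""
    by_client = {}
    for f in findings:
        by_client.setdefault(f.client_id, set()).add(f.user)
    return {cid: sorted(users) for cid, users in by_client.items()}


# Constructed sample data (placeholder accounts and client IDs).
DOCS_IMPOSTER = "000000000000-imposter.apps.googleusercontent.com"
APPROVED_CLIENT_IDS = {"approved-chrome-client"}
SAMPLE_TOKENS = [
    {"userKey": "alice@example.edu", "clientId": DOCS_IMPOSTER, "displayText": "Google Docs",
     "anonymous": False, "nativeApp": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "alice@example.edu", "clientId": "approved-chrome-client", "displayText": "Google Chrome",
     "anonymous": False, "nativeApp": True,
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "bob@example.edu", "clientId": "calendar-tool", "displayText": "Team Calendar Sync",
     "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.edu", "clientId": DOCS_IMPOSTER, "displayText": "Google Docs",
     "anonymous": False, "nativeApp": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "dave@example.edu", "clientId": "unregistered-mail-helper", "displayText": "Mail Helper",
     "anonymous": True, "nativeApp": False,
     "scopes": ["https://mail.google.com/"]},
]

if __name__ == "__main__":
    findings = triage_tokens(SAMPLE_TOKENS, APPROVED_CLIENT_IDS)
    for f in findings:
        print(f"{f.user:18} {f.display_text!r:16} {', '.join(f.reasons)}")
    for client_id, users in affected_users(findings).items():
        print(f"revoke {client_id} for {len(users)} user(s): {', '.join(users)}")
```

In practice the records would come from the Admin SDK tokens.list call for each user, and each (user, client ID) pair returned by affected_users is what tokens.delete needs to revoke the grant. The approved list exists because Google’s own clients (Chrome, for example) also carry Google-branded names, so a brand match alone would produce false positives; the scope-combination rule catches a renamed imposter that the name rule misses.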
This attack is a good reminder that cybersecurity requires constant vigilance and that no single control is a silver bullet. Organizations need “defense in depth.” In-house counsel can do their part by working with outside advisors and with the IT, HR and communications departments (among others) to ensure that their organizations regularly:
- Provide employees and customers with alerts and training about the latest schemes
- Update the organization’s Incident Response Plan to reflect new threats and vulnerabilities
- Run “tabletop” or war-game exercises to test the organization’s ability to respond to real-world incidents
- Review vendor contracts and conduct appropriate audits of third-party privacy and security practices
- Conduct risk assessments and review their full privacy and cybersecurity programs
- Review the organization’s legal compliance with changing privacy and cybersecurity laws