PSA: This Google Doc scam is spreading fast and will email everyone you know

A new Google Docs phishing scam just reared its head a few hours ago, and it’s spreading like wildfire. Google appears to be taking action to stop it, but in the meantime: be super, super wary of Google Doc invites for now. If you fall for this one (and plenty of otherwise eagle-eyed people have already), it’ll blast out the bait to everyone on your contact list.

Here’s what you need to know:

This one is super sneaky; pretty much the only way to detect it before falling for it is to click the small “Google Docs” link on the actual Google-hosted page and notice that the developer info seems… off.

Zach Latta of Hack Club grabbed a video of the whole flow so you don’t have to test fate to see it for yourself:

How do I know if I’ve been hit? How do I fix it?

Check your Google account’s app permissions. There should not be an app called “Google Docs” there — actual Google Docs has access to your account by default. If you see it listed there, remove it by tapping the label and hitting “Remove”

Update: The Google Docs Twitter account just acknowledged the attack and says they’re working on it, but says not to click on things in the meantime.

Update: Google says this specific attack should be blocked now, and they’re working on preventing similar attacks moving forward.