Beacon has conducted multiple investigations in the past six months for clients who were victims of phishing attacks that utilized the “Google Docs” platform as a ploy to persuade victims to provide password and sign-in credentials for their email accounts.

The phishing attacks were followed by bank and wire fraud, resulting in serious financial repercussions for our clients.

The attacks were initiated when the victims received emails from a friend or close associate, whose accounts had already been hacked without their knowledge. The text of those emails differed in specifics, but the basic message was as follows:

Dear John, I tried to send this document to you before. Did you receive it? VIEW HERE and sign on with your email to access it on Google.doc. Then get back to me so we can discuss! Regards, Jim

Recipients of the phishing email who clicked on the “VIEW HERE” link (which has been disabled in this post) are redirected to a website controlled by the fraudsters, which mimics a legitimate-seeming sign-in screen for Google Docs. The recipients are asked to “sign in” to their email account to receive access to the purported Google Docs. (Needless to say, the Google Docs either don’t exist, or are entirely blank.)

As soon as the victims submit their password at that site, their email accounts — and all the personal and financial information they contain — are compromised.

The attackers immediately access and search their victims’ email accounts for bank accounts and related financial information. They then use that information to make unauthorized wire transfers and ATM withdrawals. Posing as the victims, they send email instructions to the victim’s own bankers, accountants, and investment advisors, instructing them to transfer the funds to various foreign and domestic accounts.

After draining all available cash and assets, the fraudsters then use their victim’s hacked email accounts to send more phishing emails to all of the victim’s personal contacts. The victim’s friends, family and coworkers receive emails supposedly from the victim — asking them to click on the link and sign into Google Docs. And the process begins all over again.

This is a global exploit with many copycats. Our forensic specialists and financial investigators tracked leads in Singapore, India, Switzerland and South Dakota. We followed a trail of hacked servers, phony emails, and ghost financial accounts. Hackers working abroad are facilitated by local criminal associates in each country who facilitate the cash withdrawals.

“Google Docs has been used to distribute malware in the past. Now it is increasingly being used as a lure for phishing,” observed Larry Seltzer at ZDNet in November 2013.

When an email appears to come from a trusted source, and has not been red-flagged by antivirus software or spam filters, most people — even trained security professionals — will often click without hesitation. We recently discovered that a similar attack had duped other private investigators in the popular “PI Cases” user group on Yahoo!

These phishing attacks are a very simple, and very persuasive, form of fraud. For victims, unfortunately, the recovery of stolen funds can be exceedingly difficult because local law enforcement agencies are rarely equipped to investigate schemes that cross numerous international borders. Moreover, the “ghost accounts” controlled by the fraudsters are often established under stolen identities at smaller regional banks and credit unions, or in foreign countries, where internal fraud departments may lack the institutional resources to identify and pursue the perpetrators. In light of these facts, we expect we will be investigating many more of these types of attacks in the months ahead.

About Beacon: Beacon Investigative Solutions is a full-service investigative agency licensed in 45 states and Washington, D.C. We provide investigative services for private clients, major corporations, law firms, insurers, investors, and government agencies. 

For more information, please call

800-535-2136

We assist clients nationwide.

Corporate Headquarters
Beacon Investigative Solutions
4200 Regent Street, Suite 200
Columbus, OH 43219