Fake Google Drive Document Sharing Phishing Scam
Scammers send fake Google Drive document-sharing notifications to harvest Google account credentials, exploiting the fact that genuine Google Drive sharing emails look almost identical to the phishing version.
Last reviewed: 8 June 2026
Google Drive sends legitimate sharing notifications when someone shares a file or folder with you. These emails come from [email protected] and contain a button linking to drive.google.com. The format is familiar and widely trusted in professional and personal contexts.
Criminals create near-perfect replicas of these notifications — sometimes using Google's own redirect infrastructure to make the link appear genuine for a moment before redirecting to a phishing page. The content of the 'shared document' is often designed to be irresistible: 'Q4 Salary Review,' 'Interview Results,' or 'Exclusive Investment Opportunity.'
The Google Drive sharing scam is especially effective against business users who receive dozens of legitimate Drive sharing notifications per week and may be conditioned to click without close inspection.
How this scam works on the Google brand
A target receives an email styled identically to a Google Drive sharing notification. The sender appears to be a colleague or contact, and the document title is enticing. Clicking 'Open in Drive' leads to a page at a domain such as drive.google-docs-viewer.com that displays a Google sign-in form.
After the target enters credentials, the page shows a convincing Google Docs interface with a document asking the user to enter more information. Some variants use a real Google Docs file with an embedded phishing link, so the initial 'Open in Drive' link legitimately opens Google Docs and the phishing sits inside the document itself.
Business users are further targeted with fake Google Drive documents impersonating HR policies, contract drafts, or supplier invoices that contain links to phishing forms or malicious downloads.
Common red flags
- Genuine Google Drive sharing emails come from [email protected] — check the full sender address.
- After clicking 'Open in Drive,' the URL in your browser must be drive.google.com or docs.google.com — any other domain is fraudulent.
- An unexpected share from a colleague should be verified by asking them directly before clicking.
- A Google Docs file that asks you to click a button and 'sign in again' within the document itself is suspicious — Google does not require re-authentication within a document.
- The shared document title uses language designed to provoke curiosity or urgency (salary data, legal notices, exclusive offers).
- The Google sign-in page asks for your password but the URL is not accounts.google.com.
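The URL checks in the list above can be automated for a mailbox or help-desk triage script. The following is an added example, not code from Google or from this page; the function names, the https-only rule and the sample links are assumptions, and only the host names and the lookalike domain come from the text. It compares the exact host of each link against the genuine hosts instead of looking for "google.com" somewhere in the address.

```python
from urllib.parse import urlsplit

# Hosts the page names as genuine for Drive links and for Google sign-in.
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
SIGN_IN_HOSTS = {"accounts.google.com"}


def link_host(url):
    """Return the host a browser would connect to, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    # Assumption added here: only https links are considered at all.
    if parts.scheme != "https" or not parts.hostname:
        return None
    # .hostname drops any "user@" prefix and port and lowercases the name;
    # a trailing dot names the same host, so strip it before comparing.
    return parts.hostname.rstrip(".")


def classify_link(url):
    """Label one link taken from a Drive-style sharing notification."""
    host = link_host(url)
    if host is None:
        return "reject: no usable https host"
    if host in DRIVE_HOSTS:
        return "drive"
    if host in SIGN_IN_HOSTS:
        return "sign-in"
    # Every other host fails the check. Mark the ones that borrow Google
    # branding or use non-ASCII/punycode labels, since those fool a glance.
    punycode = any(label.startswith("xn--") for label in host.split("."))
    if "google" in host or not host.isascii() or punycode:
        return "lookalike: " + host
    return "other: " + host


# Constructed sample links; only the lookalike domain comes from the page.
SAMPLES = [
    "https://drive.google.com/file/d/EXAMPLE/view",
    "https://drive.google-docs-viewer.com/signin",
    "https://drive.google.com@drive.google-docs-viewer.com/",
    "https://docs.google.com.example.net/document",
    "https://ACCOUNTS.GOOGLE.COM./",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_link(sample):45} {sample}")
```

A "drive" result only confirms where the link points; a real Google Docs file can still carry a phishing link inside the document, so the in-document red flags still apply.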
How to protect yourself
- Always check the URL after clicking a Drive sharing link — it must be drive.google.com or docs.google.com.
- If a shared document redirects to a Google sign-in page, type accounts.google.com directly and sign in there instead.
- Enable two-factor authentication with an authenticator app or hardware key on your Google account.
- If you entered credentials on a fake sign-in page, change your Google password immediately at myaccount.google.com and revoke any suspicious third-party app access.
- Organisations using Google Workspace should enable Advanced Phishing and Malware protection in the Admin Console.
How to report it
- Report the phishing email to Google at [email protected] or using Gmail's 'Report phishing' option.
- Report the fraudulent website to Google at safebrowsing.google.com/safebrowsing/report_phish/.
- Report to the FTC at ReportFraud.ftc.gov.
- UK users: report to Action Fraud at actionfraud.police.uk.
Frequently asked questions
What does a real Google Drive sharing notification look like?
It comes from [email protected], shows the sharer's name and Google profile photo, names the file, and contains an 'Open in Drive' button that goes to drive.google.com. The email does not ask you to re-enter your Google password.
Can a Google Docs file itself contain phishing content?
Yes. Scammers sometimes share real Google Docs files containing images of sign-in forms, malicious links, or download prompts. Google's spam detection catches many of these but not all. Treat any unexpected shared Doc requesting sensitive actions with caution.
I clicked and signed in on a fake Google page — how quickly do attackers act?
Sophisticated attackers use real-time relay attacks and can access accounts within seconds of credential submission. Change your Google password immediately at myaccount.google.com if you believe you have been phished — speed is critical.