If you find an unexpected Google Doc invitation in your inbox, don't click it! It may look legitimate, but it is in fact a scarily convincing phishing scheme.

While the invitations may come from people you know, you'll notice that they're addressed to "hhhhhhhhhhhhhhhh@mailinator.com" with your e-mail BCC'd. If you click on it (but please don't!), it directs you to an actual Google domain that asks if you want to grant access to an app misleadingly called "Google Docs." Granting the sneaky app access to your Gmail will let it peek into your account and start sending off invites on your behalf to everyone in your contact list.
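A mail-triage check for the addressing pattern described above, as an added example that is not part of the original article. The sample messages, the example.com/example.org/example.net addresses, the eight-character threshold and the verdict names are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

PLACEHOLDER_DOMAIN = "mailinator.com"  # domain of the visible recipient named in the article
MIN_RUN = 8  # assumption: shortest repeated-character local part treated as a placeholder

# Constructed sample messages (not real mail); alice@example.com is the mailbox owner.
SAMPLES = {
    "worm_invite": (
        "From: Bob Friend <bob@example.org>\n"
        "To: hhhhhhhhhhhhhhhh@mailinator.com\n"
        "Subject: Document invitation\n\nOpen in Docs\n"
    ),
    "newsletter": ("From: news@example.net\nTo: subscribers@example.net\n"
                   "Subject: Weekly digest\n\nHello\n"),
    "direct": ("From: Bob Friend <bob@example.org>\nTo: Alice <alice@example.com>\n"
               "Subject: Lunch\n\nNoon?\n"),
}

def visible_recipients(msg):
    """Lower-cased To and Cc addresses (BCC recipients never appear in headers)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]

def triage(raw_message, mailbox_owner):
    """Return (verdict, reasons) for one raw message delivered to mailbox_owner."""
    msg = message_from_string(raw_message)
    visible = visible_recipients(msg)
    reasons, placeholder = [], False
    for addr in visible:
        local, _, domain = addr.rpartition("@")
        if domain == PLACEHOLDER_DOMAIN and len(local) >= MIN_RUN and len(set(local)) == 1:
            placeholder = True
            reasons.append(f"repeated-character placeholder recipient: {addr}")
    bcc_only = mailbox_owner.lower() not in visible
    if bcc_only:
        reasons.append("mailbox owner absent from To/Cc, so delivery was by BCC")
    # BCC delivery alone is normal for mailing lists; only the combination is quarantined.
    if placeholder and bcc_only:
        return "quarantine", reasons
    return ("review" if placeholder else "deliver"), reasons

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw, "alice@example.com"))
```
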

Motherboard reports that it's still a mystery who's behind this clever phishing scheme. If you can, avoid clicking on Google Drive invitations for the time being and forward all suspicious e-mails to cooperq@eff.org. Whether or not you've received the nefarious Google Doc invite, you should take a moment to see what apps have access to your Gmail account. Immediately revoke access to any that seem fishy or unnecessary.

This isn't the first time Gmail users have had to be suspicious of their own contacts list. Earlier this year, a similar phishing scheme made the rounds by sending out phony attachments from your friends' accounts. To protect yourself from these types of attacks in the future, check out our handy guide to identity theft and fraud.

[h/t Motherboard]