
As the most popular email client on the planet, it's unsurprising that hackers are targeting Gmail users

Many of the usual tips to spot a fraudulent email don't apply to this 'sophisticated' new scam
Millions of Gmail users have been placed on red alert over a sophisticated new phishing attack that bypasses several of Google's security measures. Cyber crooks have developed a clever method of sending fraudulent emails that appear to be sent directly from Google.
The troubling new scam emails come from legitimate Google domains and carry genuine-looking Google email signatures, tricking users into believing they've received official communications about legal subpoenas.
What makes this attack particularly dangerous is that it passes Google's own email authentication protections.
The scam was first identified by Nick Johnson, a software developer, who received an email claiming a subpoena had been served that required Google to produce a copy of his digital account content.
The email appears to be sent from "no-reply@google.com" — the address that sends out all official communications from the Californian company — and even passes Google's DKIM signature check, the verification that normally confirms a message was really signed by the domain it claims to come from.
The first thing to note is that this is a valid, signed email - it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts. pic.twitter.com/GxlFR6ccLG
— nick.eth (@nicksdjohnson) April 16, 2025
When you receive one of these emails, it will even appear in the same conversation thread as other legitimate security alerts from Google — making it almost impossible to spot that it's a fake.
If you click on the link in these emails, you'll be taken to a "very convincing" login portal page hosted on sites.google.com. This is a crucial detail — the fake login page appears on a legitimate Google domain, making it extremely difficult to spot the scam.
Clicking on "Upload additional documents" or "View case" takes you to a signin page - again an exact duplicate of the real thing; the only hint it's a phish is that it's hosted on https://t.co/tl3ktQkM5X instead of https://t.co/kCLNEQcBQK. pic.twitter.com/RYCf8LKmTQ
— nick.eth (@nicksdjohnson) April 16, 2025
The only subtle clue that something is amiss is that it's hosted on sites.google.com instead of accounts.google.com — the website you're directed to whenever you need to log in to a genuine Google account page.
If you're unlucky enough to fall for this scam and enter your account credentials into the "convincing" login page set up by cyber criminals, you'll instantaneously hand over your personal data.
Once the sophisticated crooks behind this scam gain access to your Google account username and password, they can then potentially access all the sensitive information stored in your Gmail account.
With billions of users worldwide, Gmail remains one of the most popular email services and a prime target for cyber criminals. This new attack method could potentially affect all 1.8 billion Gmail users globally.
Google has acknowledged the issue and is working on a fix.
Security experts warn that as AI technology advances, these sophisticated phishing techniques will become more widespread and harder to detect.
What makes this particular scam so alarming is that it exploits trust in Google's own infrastructure. Even tech-savvy users might struggle to identify this as a scam, putting countless individuals at risk of having their personal data compromised. The financial and privacy implications could be devastating.
Google has confirmed it is aware of the attack and is actively working to address the vulnerability.
"We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week," a Google spokesperson said. "These protections will soon be fully deployed, which will shut down this avenue for abuse."
However, the technology firm has not provided a specific timeline for when the fix will be completely rolled out globally.
Until then, all Gmail users are advised to remain vigilant and take additional security precautions.
In the meantime, Google is encouraging users to adopt stronger security measures to protect themselves. Here's what you should do:
- Enable two-factor authentication (2FA) on your Google account immediately.
- Set up passkeys, which provide stronger protection against phishing campaigns than traditional passwords.
- Avoid using SMS-based 2FA as this can be intercepted by malware like the recently discovered "Gorilla" Android threat.
- Consider using an authenticator app or Google prompts instead of SMS codes.
- Stop using your password to log in, even if you have 2FA enabled.
- Remember that physical device-linked security measures are much harder for attackers to bypass.
Beyond these technical measures, there are simple warning signs you should watch for to avoid falling victim to this scam. Never click on links in emails, even if they appear to be from Google. Instead, type the address directly or use your bookmarks.
Be especially wary of messages creating a sense of urgency or requiring immediate action. Remember that Google will never proactively contact you about security issues requiring immediate attention.
If an email mentions legal action, subpoenas or law enforcement requests, verify it through official Google channels before taking any action.
Always check the exact domain in any login page before entering your credentials.
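The two checks the article describes, whether the DKIM signature passed and which exact host a login link points to, can be scripted for triage. The Python below is an added example and is not code from the article, from Nick Johnson or from Google; the sample message is constructed for the demonstration and the host lists are assumptions. It illustrates the article's point that a DKIM pass only proves the message was signed by the d= domain, and that a sign-in page on sites.google.com (user-hosted content) is not the same as one on accounts.google.com, so the host must be compared exactly rather than by looking for "google.com" somewhere in the URL.

```python
"""Triage helper for the DKIM-signed Google subpoena lure described above.

Added example, not code from the article or from Google. DKIM only proves
the message was signed by the d= domain; sites.google.com hosts arbitrary
user content, unlike accounts.google.com, so links are classified by exact host.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Hosts where a genuine Google sign-in page lives (assumption for this example).
SIGN_IN_HOSTS = {"accounts.google.com"}
# Google-owned hosts that serve user-authored content; a login form here is a red flag.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}

# Constructed sample message (not a real capture); headers are illustrative only.
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.net; dkim=pass header.d=google.com header.i=@google.com
From: Google <no-reply@google.com>
Subject: Security alert: subpoena served
Content-Type: text/plain; charset=utf-8

A subpoena has been served requiring Google to produce a copy of your account content.
View case: https://sites.google.com/view/example-case-portal/home
Manage settings: https://accounts.google.com/ServiceLogin
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def dkim_result(msg):
    """Return (result, signing_domain) from the Authentication-Results header."""
    ar = str(msg.get("Authentication-Results", ""))
    m = re.search(r"dkim=(\w+)(?:.*?header\.d=([\w.-]+))?", ar)
    if not m:
        return ("none", None)
    return (m.group(1), m.group(2))


def classify_host(host):
    """Exact-host comparison: 'accounts.google.com.evil.example' must not pass."""
    host = host.lower().rstrip(".")
    if host in SIGN_IN_HOSTS:
        return "signin"
    if host in USER_CONTENT_HOSTS:
        return "user-content"
    if host == "google.com" or host.endswith(".google.com"):
        return "other-google"
    return "external"


def triage(raw):
    """Parse the raw message and return findings a reviewer can act on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    result, domain = dkim_result(msg)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    links = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        links.append((url, classify_host(host)))
    suspicious = [u for u, kind in links if kind in ("user-content", "external")]
    return {
        "dkim_pass": result == "pass",
        "dkim_domain": domain,
        "links": links,
        "suspicious_links": suspicious,
        # DKIM pass plus a link to user-hosted content is exactly the pattern in the article.
        "verdict": "suspicious" if suspicious else "no link findings",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    print(f"DKIM: {'pass' if report['dkim_pass'] else 'not pass'} for {report['dkim_domain']}")
    for url, kind in report["links"]:
        print(f"  [{kind:12}] {url}")
    print("Verdict:", report["verdict"])
```

On the constructed message the DKIM result is a pass for google.com, yet the "View case" link is flagged because it resolves to sites.google.com; the accounts.google.com link is accepted only because the host matches exactly, and a lookalike such as accounts.google.com.evil.example is classified as external.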