A sophisticated phishing scam is targeting Gmail users by sending deceptive emails that appear to originate from Google’s official “[email protected]” address. These emails are particularly dangerous because they pass Google’s security checks, including DKIM signature verification, making them seem legitimate and allowing them to bypass spam filters.
How the Scam Operates
The fraudulent emails often claim to be legal notices, such as subpoenas, and direct recipients to a counterfeit Google support portal hosted on “sites.google.com.” This fake portal closely mimics the appearance of Google’s legitimate login page. If users enter their credentials on this page, attackers can harvest this information to gain unauthorised access to their accounts.
Cybersecurity expert Emml Quaicoe highlighted that the scam exploits vulnerabilities in Google’s infrastructure, allowing attackers to send these convincing emails. Despite the emails’ authentic appearance, subtle indicators, such as the use of “sites.google.com” instead of “accounts.google.com” for the login page, can help users identify the deception.
Protective Measures
To safeguard against such phishing attacks, users are advised to:
- Enable Two-Factor Authentication (2FA): Adding an extra layer of security can prevent unauthorised access even if credentials are compromised.
- Verify URLs Carefully: Always check that the website’s URL is legitimate before entering any personal information.
- Be Skeptical of Urgent Requests: Emails that pressure you to take immediate action, especially those requesting sensitive information, should be treated with caution.
- Report Suspicious Emails: Use Gmail’s built-in tools to report phishing attempts.
Google has acknowledged the issue and is working to implement countermeasures to prevent such attacks. In the meantime, users should remain vigilant and practice good cybersecurity hygiene to protect their accounts.
How to Secure Your Gmail Account from Phishing Scams
- Enable Two-Factor Authentication (2FA)
  This adds an extra layer of security beyond just your password.
  - Go to Google Account Security Settings
  - Under “Signing in to Google”, select 2-Step Verification
  - Follow the setup instructions using your phone or an authenticator app
- Use a Strong, Unique Password
  Avoid reusing passwords from other sites.
  - Use a mix of uppercase, lowercase, numbers, and symbols
  - Consider using a password manager like Bitwarden, LastPass, or Google Password Manager
- Verify the Email Sender
  Phishing emails often spoof legitimate senders.
  - Always hover over email addresses to see the full sender address
  - Legitimate Google URLs will always end in google.com, and Google’s sign-in page is served from accounts.google.com
  - Beware of links pointing to sites.google.com or unfamiliar URLs
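The checks in this item can be automated for a mail-filtering pipeline. The following is an added example (not code from the article or from Google): it parses a constructed message that reports dkim=pass and flags links that sit on sites.google.com, the indicator the article describes, or on hosts that name-drop Google without being under google.com (a generalisation beyond the article’s single case). The sender address and DKIM domain in the sample are placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message, not a real scam capture. The From and DKIM
# domains are placeholders; the link hosts are the ones the article names.
SAMPLE_EMAIL = """\
From: Google <no-reply@google.example>
To: victim@example.com
Subject: Notice of subpoena
Authentication-Results: mx.example; dkim=pass header.d=google.example

A subpoena has been issued for your account. Review the case here:
https://sites.google.com/view/support-case-0001/home

You can also sign in at https://accounts.google.com/signin/v2
"""

SIGNIN_HOST = "accounts.google.com"      # where Google sign-in really lives
USER_PUBLISHABLE = {"sites.google.com"}  # anyone with a Google account can publish here
URL_RE = re.compile(r"https?://[^\s<>\"]+")


def dkim_passed(raw: str) -> bool:
    """True if any Authentication-Results header reports dkim=pass."""
    msg = message_from_string(raw)
    return any("dkim=pass" in h.lower() for h in msg.get_all("Authentication-Results", []))


def is_google_lookalike(host: str) -> bool:
    """Host mentions google but is not google.com or a subdomain of it."""
    return "google" in host and not (host == "google.com" or host.endswith(".google.com"))


def flagged_links(raw: str) -> list[str]:
    """URLs a 'Google' mail should never send you to for sign-in, even if DKIM passes."""
    msg = message_from_string(raw)
    hits = []
    for url in URL_RE.findall(msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_PUBLISHABLE or is_google_lookalike(host):
            hits.append(url)
    return hits


def verdict(raw: str) -> str:
    """DKIM pass is necessary but not sufficient: the landing page decides."""
    return "phishing-suspect" if flagged_links(raw) else "clean"
```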
- Do Not Click Suspicious Links
  If you’re unsure about an email:
  - Don’t click on any links or download attachments
  - Instead, go directly to https://myaccount.google.com and check for alerts
- Report Phishing Emails to Google
  Help Google improve its filters.
  - Open the suspicious email
  - Click the three vertical dots (more options) in the upper-right corner
  - Select “Report phishing”
- Review Your Account Activity
  Check for unauthorised access.
  - Visit https://myaccount.google.com/security-checkup
  - Look under “Your devices” and “Recent security events”
  - Remove any unfamiliar devices or locations
- Use Gmail’s Confidential Mode
  For sending sensitive info, turn on Confidential Mode in Gmail:
  - Click the lock and clock icon at the bottom of the email compose window
  - Set an expiration date and passcode
- Educate Yourself & Others
  Stay informed about evolving threats.
  - Visit Google’s Security Center for tips and resources
  - Share phishing warnings with family or coworkers