Careful, Gmail Users: This Phishing Email Using Google Branding Can Trick You and Steal Personal Data
The authenticity of this attack makes it potentially hazardous. The name of the sender appears as Google, and even the email address can seem authentic at first sight.

Google has reportedly confirmed that a “sophisticated phishing attack” is combining a weakness in its own infrastructure with social engineering to target Gmail users and steal their personal information.
An email from no-reply@accounts.google.com, which looks like a legitimate, convincing security alert from Google, urges users to verify their account activity or risk deactivation of their Gmail accounts. The panic this creates can lead users to click the malicious links embedded in the message or to enter their login credentials on a phony website that closely resembles the real one.
If that happens, the threat actors can read the victim's email, steal personal information, and send further phishing emails to the victim's contacts.
Authentic-Looking Phishing Email
Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got: pic.twitter.com/tScmxj3um6
— nick.eth (@nicksdjohnson) April 16, 2025
The phishing email was first noticed by X user Nick Johnson, who shared it on the social platform. “Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure,” his post read.
The email uses Google branding, carries the company’s logo, and is written in official-sounding language. “The first thing to note is that this is a valid, signed email - it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts,” Johnson wrote in his post.
The link in the email led Johnson to a "support portal" page hosted on sites.google.com. That is Google Sites, Google's own free page-hosting service, on which anyone with a Google account can publish content under a google.com hostname, so a visitor could take it for a genuine Google page at first sight. It was not: the page presented a login screen that mimicked Google's, built to collect the visitor's credentials.
What makes this attack dangerous is that it looks authentic in exactly the places most advice tells people to check. The sender name is Google, the From address is a real Google address rather than a look-alike, and the DKIM signature is valid, so the sender address itself is not the tell. The signs are elsewhere: the link points to sites.google.com rather than accounts.google.com, where Google actually handles sign-in, and the details of the full message headers, such as the address the message was sent to and the server that relayed it, do not match a genuine Google alert.
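A valid DKIM signature only proves that the signing domain's key signed the covered headers and body; it says nothing about who handed the message to your mailbox or where its links go. The following triage script is an added example, not code from the article or from Johnson's thread. It compares the DKIM signing domain with the envelope sender and the first relay, and checks where the links lead. Both messages are constructed for illustration; the hostnames, IP addresses (documentation ranges) and the `ALLOWED_LOGIN_HOSTS` set are assumptions.

```python
"""Triage a suspicious 'security alert': who signed it, who delivered it, where its links go.

Added example, not the article's or Google's code. The two messages below are
constructed for illustration and are not real captures.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed: DKIM-signed by accounts.google.com, but the envelope sender and the
# first relay belong to an unrelated mailer, and the link goes to Google Sites.
SUSPICIOUS = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.mailer.example.net (mx.mailer.example.net [203.0.113.10])
 by mx.example.com with ESMTPS id k7si; Wed, 16 Apr 2025 10:00:00 -0700
Authentication-Results: mx.example.com; dkim=pass header.i=@accounts.google.com
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=20230601;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Google <no-reply@accounts.google.com>
To: me@example.org
Subject: Security alert

Unusual activity was detected on your account. Verify your activity within
24 hours or your account will be deactivated: https://sites.google.com/view/support-portal
"""

# Constructed: signer, envelope sender, relay and link all belong to the same organisation.
LEGIT = """\
Return-Path: <noreply@accounts.google.com>
Received: from mail-relay.google.com (mail-relay.google.com [203.0.113.20])
 by mx.example.com with ESMTPS id k8si; Wed, 16 Apr 2025 10:05:00 -0700
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=20230601;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Google <no-reply@accounts.google.com>
To: me@example.org
Subject: Security alert

Review recent activity: https://accounts.google.com/notifications
"""

ALLOWED_LOGIN_HOSTS = {"accounts.google.com"}  # assumption: the only place Google asks for a password


def org_domain(host: str) -> str:
    # Naive organisational domain (last two labels). A real tool would consult the
    # public suffix list; this is enough to compare google.com with example.net.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def summarize(raw: str) -> dict:
    """Pull out the four facts the triage compares."""
    msg = message_from_string(raw)
    signer = re.search(r"(?:^|[;\s])d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    sender = re.search(r"@([\w.-]+)", msg.get("Return-Path", ""))
    hops = msg.get_all("Received") or []
    # Received headers are prepended by each hop, so the earliest hop is the last one.
    relay = re.match(r"from\s+([\w.-]+)", hops[-1].strip()) if hops else None
    body = msg.get_payload()
    if isinstance(body, list):  # multipart: only look at text parts
        body = "".join(p.get_payload() for p in body if p.get_content_type() == "text/plain")
    links = [urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", body)]
    return {
        "signer": signer.group(1).lower() if signer else None,
        "sender": sender.group(1).lower() if sender else None,
        "relay": relay.group(1).lower() if relay else None,
        "links": links,
    }


def triage(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    s = summarize(raw)
    findings = []
    if s["signer"] and s["sender"] and org_domain(s["signer"]) != org_domain(s["sender"]):
        findings.append(
            f"DKIM signed by {s['signer']} but envelope sender is {s['sender']}: "
            "the signature proves the content was signed, not that this sender sent it"
        )
    if s["signer"] and s["relay"] and not s["relay"].endswith("." + org_domain(s["signer"])):
        findings.append(f"first relay {s['relay']} is outside the signing domain {org_domain(s['signer'])}")
    for host in s["links"]:
        if host and host not in ALLOWED_LOGIN_HOSTS:
            findings.append(f"link points at {host}, not a sign-in host ({', '.join(ALLOWED_LOGIN_HOSTS)})")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, triage(raw) or ["no findings"])
```

The point of the first check is the one Johnson's quote makes: `dkim=pass` is a statement about the signer, not about the path. A message that Google signed can be forwarded by anyone, and it keeps its valid signature as long as the signed headers and body are untouched.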
How Can Gmail Users Protect Themselves?
Google suggested that users protect themselves from such phishing attacks with passkeys and two-factor authentication. Attackers can trick a user into typing a username and password into a fake page, and those credentials can then be replayed on the real site; a passkey cannot be captured that way.
A passkey is a cryptographic key pair bound to the user's device (it can be synced between the user's own devices through the platform's password manager), and the private key never leaves that device. Using it requires unlocking the device, typically with a fingerprint, face or PIN. The browser only offers the passkey to the site it was registered for and stamps the page's origin into the signed response, so a look-alike login page cannot collect anything it could replay against the real one. In practice, an attacker who does not have the user's device in hand, and the means to unlock it, cannot sign in.
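The mechanism behind that protection is a challenge-response in which the signed data includes the page origin, which the browser fills in and the page's JavaScript cannot change. The following is an added example, not Google's code or a real WebAuthn library: a toy authenticator and a toy relying-party verifier that show a genuine sign-in succeeding, a relayed challenge from a page on another `google.com` host being rejected because of its origin, and a rewritten origin being rejected because the signature no longer covers it. The RSA key built from Mersenne primes is a stand-in for the authenticator's real key (insecure by design), and `RP_ID`, `EXPECTED_ORIGINS` and the byte layout of the authenticator data are simplified assumptions.

```python
"""Why a look-alike login page cannot harvest a passkey.

Added example, not Google's code. The authenticator signs the server's challenge
together with the page origin recorded by the browser; the private key stays on
the device. The RSA key below is a toy (Mersenne primes, unpadded) standing in
for the authenticator's real key.
"""
import hashlib
import json
import secrets

# --- Toy authenticator (the user's phone) -------------------------------------
P, Q = (1 << 127) - 1, (1 << 521) - 1       # Mersenne primes: toy, insecure
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent, never leaves the device
SIG_LEN = (N.bit_length() + 7) // 8


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Holds the private key and only ever emits signatures."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id          # the relying party this passkey was registered for
        self.counter = 0

    def sign(self, origin: str, challenge: str) -> dict:
        # The browser, not the page, fills in 'origin' from the page it is running on.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        self.counter += 1
        # Simplified authenticatorData: rpIdHash | flags (UP|UV) | signature counter
        auth_data = sha256(self.rp_id.encode()) + b"\x05" + self.counter.to_bytes(4, "big")
        digest = int.from_bytes(sha256(auth_data + sha256(client_data)), "big")
        return {
            "clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": pow(digest, D, N).to_bytes(SIG_LEN, "big"),
        }


# --- Relying party (the real sign-in server) ----------------------------------
RP_ID = "google.com"                                   # assumption
EXPECTED_ORIGINS = {"https://accounts.google.com"}     # assumption


def new_challenge() -> str:
    return secrets.token_urlsafe(32)


def verify(assertion: dict, challenge: str, public_n: int = N, e: int = E) -> str:
    """Return 'ok' or the first reason the assertion is rejected."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") not in EXPECTED_ORIGINS:
        return f"origin {cd.get('origin')} not allowed"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != sha256(RP_ID.encode()):
        return "rpIdHash mismatch"
    expected = int.from_bytes(sha256(auth_data + sha256(assertion["clientDataJSON"])), "big")
    if pow(int.from_bytes(assertion["signature"], "big"), e, public_n) != expected:
        return "bad signature"
    return "ok"


def demo() -> dict:
    device = Authenticator(RP_ID)
    results = {}
    # 1. Genuine sign-in from the real origin.
    c = new_challenge()
    results["genuine"] = verify(device.sign("https://accounts.google.com", c), c)
    # 2. A phishing page on sites.google.com relays the real challenge to the victim.
    #    The browser still records the page's own origin, so the server rejects it.
    c = new_challenge()
    phished = device.sign("https://sites.google.com", c)
    results["phished"] = verify(phished, c)
    # 3. The attacker rewrites the origin before forwarding; the signature no longer matches.
    forged = dict(phished)
    forged["clientDataJSON"] = phished["clientDataJSON"].replace(
        b"sites.google.com", b"accounts.google.com"
    )
    results["tampered"] = verify(forged, c)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Case 2 is the realistic one for this attack: because `sites.google.com` sits under the registered RP ID `google.com`, a browser would let a page there request the passkey, but the server still sees the wrong origin. A phishing page on any other domain would be refused by the browser before an assertion is ever produced. Compare this with a password, which is a bare secret that works wherever it is typed.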