Google Issues Urgent Warning to 3 Billion Gmail Users Over Sophisticated Phishing Attack

Highlights

  • Google warned 3 billion Gmail users about a new phishing attack that sends fake emails appearing to come from official Google addresses.
  • The scam tricks users into entering their login details on fake Google pages, bypassing normal email security checks.
  • Google urges users to use stronger security methods like passkeys and act quickly if their account is compromised.

Google has issued a global security alert to its more than 3 billion Gmail users after uncovering a highly sophisticated phishing attack that managed to bypass the platform’s advanced security checks and trick even experienced users. 

The scam, which first came to light after software developer Nick Johnson shared his experience on social media, involves emails that appear to originate from a legitimate Google address. These messages falsely claim that the recipient’s Google account is subject to a subpoena, urging users to click links for more details or to contest the action. The emails carry a valid DomainKeys Identified Mail (DKIM) signature from Google’s own domain, so they pass authentication checks and are grouped in users’ inboxes alongside genuine security notifications.

How the Attack Works 

This phishing campaign exploited a weakness in Google’s infrastructure that let attackers deliver emails bearing a genuine DKIM signature from Google’s signing key. The messages direct users to a fake support portal hosted on sites.google.com, which closely mimics Google’s login pages. Because sites.google.com is a Google-owned service on which anyone can publish pages, the google.com suffix in the address is no proof that the page belongs to Google. Unsuspecting users who enter their credentials on these pages risk having their accounts compromised.

The attackers’ use of DKIM signatures made the scam especially dangerous. A DKIM signature proves only that the signed headers and body were signed by a key published under the signing domain; it does not vouch for the links inside the message, and it does not bind the message to the mailbox it is later delivered to, so a genuinely signed message that is relayed unchanged to other recipients still verifies. Filters that treat an authenticated Google sender as trustworthy therefore let it through, and even vigilant users saw no warning.
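The following added example (not code from the article or from Google) shows which parts of a message a DKIM signature actually binds. It builds the hash inputs the way RFC 6376 does (relaxed header canonicalization, simple body canonicalization, the bh= body hash and the header hash that includes the DKIM-Signature field with b= emptied) and then checks four cases: the message as delivered, the same message relayed to new recipients with extra trace headers, a message whose body link was edited, and a message whose From header was edited. The signature primitive is a stand-in (HMAC-SHA256 under a demo key, an assumption made here for a dependency-free run) for DKIM’s RSA or Ed25519 signature; the domain, addresses and body text are constructed for the demo.

```python
"""DKIM binding demo: what a valid signature does and does not prove (added example)."""
import base64
import hashlib
import hmac
import re

# Assumption: demo key standing in for the domain's private signing key.
SIGNING_KEY = b"stand-in-for-the-domain-private-key"


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 'relaxed' header canonicalization: lowercase name, unfold, collapse WSP."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}"


def simple_body(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF lines, trailing empty lines dropped."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= tag: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(simple_body(body)).digest()).decode()


def _find_header(headers, name):
    # RFC 6376 5.4.2: when a field repeats, the last occurrence is the signed one.
    for n, v in reversed(headers):
        if n.lower() == name.lower():
            return n, v
    return None


def _data_to_sign(headers, signed_names, sig_value) -> bytes:
    """Canonicalized h= fields in order, then the DKIM-Signature field with an empty b=."""
    parts = []
    for name in signed_names:
        found = _find_header(headers, name)
        if found:
            parts.append(relaxed_header(*found) + "\r\n")
    sig_no_b = re.sub(r"(;\s*)b=[^;]*", r"\1b=", sig_value)
    parts.append(relaxed_header("DKIM-Signature", sig_no_b))
    return "".join(parts).encode()


def sign(headers, body, domain="example.com", selector="sel",
         signed_names=("from", "to", "subject", "date")) -> str:
    """Return a DKIM-Signature header value; only the listed headers and the body are bound."""
    tags = (f"v=1; a=hmac-sha256-standin; c=relaxed/simple; d={domain}; s={selector}; "
            f"h={':'.join(signed_names)}; bh={body_hash(body)}; b=")
    mac = hmac.new(SIGNING_KEY, _data_to_sign(headers, signed_names, tags), hashlib.sha256).digest()
    return tags + base64.b64encode(mac).decode()


def verify(headers, body) -> bool:
    """Recompute bh= and the header hash from the message as received."""
    found = _find_header(headers, "DKIM-Signature")
    if not found:
        return False
    sig = found[1]
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    if tags.get("bh") != body_hash(body):
        return False
    expected = hmac.new(SIGNING_KEY, _data_to_sign(headers, tags["h"].split(":"), sig),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(tags["b"]))


# Constructed sample: a security-notice-style message signed by the demo domain key.
BODY = ("A subpoena has been served on your account.\r\n"
        "Review it at https://sites.google.com/view/support-case\r\n")
HEADERS = [
    ("From", "no-reply@example.com"),          # placeholder domain, not Google's address
    ("To", "inbox@attacker.example"),          # a mailbox the attacker controls
    ("Subject", "Security alert"),
    ("Date", "Tue, 15 Apr 2025 10:00:00 +0000"),
]


def signed_message():
    return [("DKIM-Signature", sign(HEADERS, BODY))] + HEADERS, BODY


def scenarios() -> dict:
    headers, body = signed_message()
    original = verify(headers, body)
    # Replay: the identical message is re-injected toward new victims. Envelope
    # recipients (RCPT TO) are not part of the signed data and the new trace
    # headers are not in h=, so the signature still verifies.
    relayed = [("Received", "from relay.attacker.example"),
               ("X-Original-To", "victim@mail.example")] + headers
    replayed = verify(relayed, body)
    # Any edit to signed content breaks the signature: the link in the body ...
    tampered_body = verify(headers, body.replace("sites.google.com", "evil.example"))
    # ... or the From header.
    tampered_from = verify([(n, "attacker@evil.example" if n == "From" else v)
                            for n, v in headers], body)
    return {"original": original, "replayed": replayed,
            "tampered_body": tampered_body, "tampered_from": tampered_from}
```

The point of the four results is the middle one: a verifier can only say that the signing domain produced this exact content for the To: address in the signed header; who the message is later delivered to is outside the signature, which is why a DKIM pass on its own is not a reason to trust a link.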

Google’s Response and User Guidance 

Google has confirmed awareness of the attack and has already rolled out fixes to block the loophole exploited by the scammers. The company emphasized that it will never ask users for passwords, one-time codes, or to confirm push notifications via email or phone call. 

For those concerned about their accounts, Google has issued a four-step action plan and recovery tips: 

  • Add a recovery phone number and email address, and turn on two-step verification, so that the account can be recovered if it is taken over.
  • Adopt passkeys or device biometrics for enhanced security, as these are significantly more resistant to phishing than passwords or SMS-based two-factor authentication.
  • Users have a 7-day window to recover their accounts if hackers change passwords or recovery details.
  • Always check the full hostname of any Google login page: it should be exactly accounts.google.com. A page on sites.google.com or on a google.com look-alike is not the sign-in page, and suspicious links should not be clicked even if the email appears official.
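The last two points of that guidance can be turned into a triage check. The added example below (not from the article or from Google) parses a raw message, reads the receiving server’s Authentication-Results to see which domain got a dkim=pass, compares the Return-Path domain with the From domain as a relay indicator, and classifies every link by its full hostname: exactly accounts.google.com, a Google user-content host such as sites.google.com, or anything else. It uses urlsplit().hostname so that a userinfo trick like https://accounts.google.com@other.example/ resolves to the real host, and compares whole hostnames rather than suffixes. The raw message, the mail-server names and the attacker domains are constructed for the demo; Google’s no-reply address is used only as the From value of that sample.

```python
"""Triage a Google-branded message: does the login link really go to accounts.google.com? (added example)"""
import email
import re
from email import policy
from typing import Optional
from urllib.parse import urlsplit

LOGIN_HOST = "accounts.google.com"          # the only host a Google sign-in page should have
USER_CONTENT_HOSTS = {"sites.google.com"}   # Google-owned, but anyone can publish pages there

# Constructed sample message; server names, Return-Path and link targets are illustrative.
RAW = b"""Return-Path: <bounce@relay.attacker.example>
Authentication-Results: mx.mail.example; dkim=pass header.i=@accounts.google.com header.s=sel1; spf=pass smtp.mailfrom=relay.attacker.example
From: Google <no-reply@accounts.google.com>
To: victim@mail.example
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A subpoena has been served on your Google account.
Review the case at https://sites.google.com/view/support-case/home
Sign in to contest: https://accounts.google.com@support-google.example/login
Account settings: https://accounts.google.com/
"""


def classify_link(url: str) -> str:
    """'login' only for the exact sign-in host; 'user_content' for Google-hosted user pages; else 'other'.

    hostname strips userinfo and lowercases, so accounts.google.com@evil.example is evil.example.
    Whole-host comparison means accounts.google.com.evil.example and accounts-google.com fail.
    IDN look-alikes arrive as xn-- ASCII labels and also fall through to 'other'.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host == LOGIN_HOST:
        return "login"
    if host in USER_CONTENT_HOSTS:
        return "user_content"
    return "other"


def extract_links(text: str) -> list:
    return re.findall(r"https?://[^\s<>\"')]+", text)


def dkim_pass_domain(msg) -> Optional[str]:
    """Domain reported as dkim=pass by the receiving MTA's Authentication-Results, if any."""
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass\b.*?header\.(?:i=@|d=)([\w.-]+)", str(ar), re.S)
        if m:
            return m.group(1).lower()
    return None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip(" <>").lower()


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    verdicts = {u: classify_link(u) for u in extract_links(body)}
    from_domain = domain_of(str(msg.get("From", "")))
    rp_domain = domain_of(str(msg.get("Return-Path", ""))) if msg.get("Return-Path") else ""
    return {
        "dkim_domain": dkim_pass_domain(msg),
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        # A DKIM pass proves the signing domain, not the delivery path; a bounce
        # address in another domain is a heuristic sign the message was relayed.
        "path_mismatch": bool(rp_domain) and rp_domain != from_domain,
        "links": verdicts,
        "verdict": "suspicious" if any(v != "login" for v in verdicts.values()) else "ok",
    }


if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

On the sample, DKIM passes for accounts.google.com and the From header matches, yet two of the three links fail the host check and the bounce address sits in a different domain; the message is flagged on the links alone, which is the check a user can make by hand and the one a mail filter should make before trusting an authenticated sender.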

Security experts warn that phishing attempts are becoming increasingly sophisticated, with attackers leveraging subtle domain changes and AI-generated content to trick users. Google’s latest guidance urges everyone to remain cautious and proactive about their account security. 

Google’s spokesperson reassured users that new security measures are being deployed and that the company is committed to closing any avenues for similar attacks in the future.
