Google sounds alarm after slick phishing scam dupes millions

Google has issued an urgent security warning to its 1.8 billion Gmail users worldwide after confirming that a "sophisticated" phishing attack fooled users by mimicking official Google emails and stealing their personal information and login credentials.

How the Gmail Scam Works

Ethereum coder Nick Johnson uncovered the scam and blew the whistle on a glaring security flaw that let it slip past Google’s defences.

“Recently I was targeted by an extremely sophisticated phishing attack,” Johnson revealed on social media platform X. “It exploits a vulnerability in Google’s infrastructure, and given their refusal to fix it, we’re likely to see it a lot more.”

The scam email warns the victim that a legal subpoena has been served for their account and links to a fake "Google support portal" hosted on sites.google.com, Google's free page-hosting service where anyone can publish a page under a google.com subdomain, rather than on the genuine sign-in domain accounts.google.com.

Users are tricked into logging in and hand their credentials straight to the crooks. The scam emails also pass Google's own DKIM checks and land in the same thread as real Google alerts, which makes them hard to spot. A valid DKIM signature only shows that the signed message was not altered after the signing domain sent it; it says nothing about whether the links inside are safe.

“I clicked on ‘View Case’ and ‘Upload Additional Documents’ and both took me to exact duplicates of Google login pages,” said Johnson.

Google Hits Back

A Google spokesperson told DailyMail.com that the company has moved fast to shut down this method of attack.

“We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse,” they confirmed.

Google urged users to turn on two-factor authentication (2FA) and passkeys for extra defence. They stressed:

“Google will not ask for your password, one-time passwords, confirm push notifications, or other sensitive credentials. We also will never call you asking for login details.”

Why This Scam Is So Dangerous

Phishing scams usually give themselves away through misspelt sender addresses, lookalike domains or sloppy wording. This one is delivered through Google's own infrastructure, so those tells are absent and the message looks legitimate.

Johnson warned: “People see the google.com domain and assume it’s safe. That’s what makes this so dangerous.”

Without 2FA or passkeys, all crooks need is your password to hijack your account—while you think you’re just obeying a legal order.

Protect Yourself Now

  • Use passkeys: phishing-resistant logins bound to your device and to the genuine site's domain, so a lookalike page cannot collect them.
  • Enable two-factor authentication: an essential extra layer, so a stolen password alone is not enough.
  • Beware urgent legal emails: especially those demanding quick action.
  • Never click suspicious links: type the address into your browser yourself.
  • Check domain names carefully: genuine Google sign-in pages are on accounts.google.com, NOT on sites.google.com, which hosts pages anyone can create.
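The domain check in the list above can be automated. The following is an added example, not code from the article, from Google or from Nick Johnson: it parses a constructed sample message, reads the DKIM signing domain from the header, and flags every link whose host is not the genuine sign-in host accounts.google.com, calling out links on sites.google.com specifically. The sample message, its placeholder DKIM-Signature header and the link paths are all constructed for illustration.

```python
"""Flag sign-in links in an email that do not point at Google's real account pages.

Added example for illustration; not code from the article or from Google.
The sample message below is constructed and its DKIM-Signature is a placeholder.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

GENUINE_SIGNIN_HOST = "accounts.google.com"  # where real Google sign-in pages live
USER_HOSTED = "sites.google.com"             # Google Sites: anyone can publish a page here


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def classify_link(url):
    """Exact-host comparison: 'accounts.google.com.evil.example' must not pass."""
    host = (urlparse(url).hostname or "").lower()
    if host == GENUINE_SIGNIN_HOST:
        return "genuine"
    if host == USER_HOSTED or host.endswith("." + USER_HOSTED):
        return "user-hosted-google-page"
    if host == "google.com" or host.endswith(".google.com"):
        return "other-google-host"
    return "external"


def dkim_signer_domain(msg):
    """Return the d= tag of the DKIM-Signature header, or None if absent.

    A valid signature from this domain proves integrity of the signed parts,
    not that the links in the body are safe, so it is reported but not trusted.
    """
    sig = msg.get("DKIM-Signature", "")
    for tag in sig.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return None


def audit_message(raw_bytes):
    """Parse a raw RFC 5322 message and list links that are not the genuine sign-in host."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    suspicious = [(url, classify_link(url)) for url in extract_links(html)]
    suspicious = [(url, verdict) for url, verdict in suspicious if verdict != "genuine"]
    return {"dkim_signer": dkim_signer_domain(msg), "suspicious_links": suspicious}


# Constructed sample: a "subpoena" lure whose buttons lead to a Google Sites page.
SAMPLE_RAW = b"""\
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Notice of legal process for your Google Account
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=example; bh=placeholder; b=placeholder
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A subpoena has been issued for your account.</p>
<a href="https://sites.google.com/view/support-case/home">View Case</a>
<a href="https://sites.google.com/view/support-case/upload">Upload Additional Documents</a>
<a href="https://accounts.google.com/">Manage your account</a>
</body></html>
"""

if __name__ == "__main__":
    report = audit_message(SAMPLE_RAW)
    print("DKIM signer:", report["dkim_signer"])
    for url, verdict in report["suspicious_links"]:
        print(f"{verdict:25s} {url}")
```

The check compares the full hostname rather than searching for "google.com" inside the URL, which is exactly the mistake the lure relies on: sites.google.com is a real Google host, so a substring match would wave it through.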

For genuine legal requests, Google directs users to its own official guidance.

  • Report phishing attempts via Google's Phishing Form.