1.8 billion at risk: New email threat raises security concerns. Are you protected?

Attention, email users! A sophisticated new phishing attack is targeting the 1.8 billion individuals who rely on Google's email service, and it's more cunning than ever.

This isn't your run-of-the-mill scam: it's a high-stakes game of digital cat-and-mouse, and your personal information is the prize.

The GrayVine is here to arm you with the knowledge you need to defend yourself against these cyber predators. Let's break down what's happening and how you can safeguard your digital life.



The Anatomy of a Sophisticated Scam
Google has acknowledged a “sophisticated” phishing attack that may have impacted the data of 1.8 billion Gmail users, leading the company to issue an urgent alert.

The scheme was initially flagged by Nick Johnson, a developer associated with the Ethereum cryptocurrency platform.

“Recently[,] I was targeted by an extremely sophisticated phishing attack,” Johnson wrote in a post on social media on Wednesday.

Johnson warned that the scheme takes advantage of a flaw in Google's system. “It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more,” he said.


Nick Johnson, a developer for Ethereum, reported a sophisticated phishing attack on Gmail users that exploits Google's infrastructure. Image source: Solen Feyissa / Unsplash.



He posted a screenshot of the deceptive email, which looked like it came from a valid Google address and claimed he had been issued a subpoena related to his Google account—implying he needed to provide access.

“The only hint it's a phish is that it's hosted on sites.google.com instead of accounts.google.com,” Johnson noted.

Clicking the suspicious link led him to what he described as a “very convincing 'support portal' page.” He then selected options like “Upload additional documents” and “View case,” which both redirected to “exact duplicates” of official Google sign-in pages.

These fake pages asked for his Google login details. “From there, presumably, they harvest your login credentials and use them to compromise your account; I haven't gone further to check,” he added.



Johnson pointed out that the deceptive email managed to pass a DKIM signature check—a cryptographic check meant to confirm that an email was not altered after the sending domain signed it—and Gmail displayed it without flagging any warnings.

“It even puts it in the same conversation as other, legitimate security alerts,” he said.

Google's Response and Recommendations
In response, a Google spokesperson told DailyMail.com, “We're aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse.”

The company added that users should enable two-factor authentication and passkeys, which “provide strong protection against these kinds of phishing campaigns.”


Source: @nicksdjohnson / X.


Google also confirmed that it has blocked the method used in the scam and recently issued guidance to help users spot and avoid similar email threats.

“Google will not ask for any of your account credentials—including your password, one-time passwords, confirm push notifications, etc.—and Google will not call you,” the company emphasized.


The phishing email appeared to come from a legitimate Google address and asked users to hand over their Google account access, using very convincing duplicate pages of Google. Image source: Justin Morgan / Unsplash.



Scams like these aim to extract sensitive information by appearing as credible as possible, tricking recipients into sharing details that can be used for identity theft or financial fraud.

That’s why the scammers behind this Gmail phishing scheme chose to host their fake pages on Google Sites — “because they know people will see the domain is http://google.com and assume it's legit,” Johnson explained.
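As an added illustration (not code from the article, from Google or from Johnson), the Python script below applies two of the checks raised above to a raw email: whether DKIM passed and whether its signing domain (the `header.d=` value) lines up with the `From:` domain, and whether any link in the body points somewhere other than the expected sign-in host `accounts.google.com`, so that a page under `sites.google.com` is still flagged. All addresses, domains and URLs in the samples are constructed placeholders; the `.test` domains and `/view/example-case` path are not real.

```python
"""
Added example (not from the article, nor Google's or Johnson's code): apply two
checks the article raises to a raw email. (1) Did DKIM pass, and does the signing
domain (header.d=) line up with the From: domain? (2) Does any link point
somewhere other than the expected Google sign-in host? All addresses, domains
and URLs below are constructed placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Where a genuine Google sign-in prompt should live (from the article).
EXPECTED_SIGNIN_HOSTS = {"accounts.google.com"}

# Constructed sample 1: DKIM passes and the signing domain matches From:,
# but the "case" link lands on sites.google.com, not the sign-in host.
SAMPLE_ALIGNED = """\
From: Google Legal <no-reply@example-mailer.test>
To: someone@example.test
Subject: Subpoena issued for your Google Account
Authentication-Results: mx.example.test;
 dkim=pass header.d=example-mailer.test header.s=sel1
Content-Type: text/plain

Dear user,

A subpoena has been issued for data held in your Google Account.
View the case within 24 hours: https://sites.google.com/view/example-case
"""

# Constructed sample 2: From: claims a Google address, but the DKIM signature
# comes from an unrelated domain, so the two do not align.
SAMPLE_MISALIGNED = SAMPLE_ALIGNED.replace(
    "no-reply@example-mailer.test", "no-reply@accounts.google.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def dkim_result(msg):
    """Return (dkim result, signing domain) parsed from Authentication-Results."""
    ar = str(msg.get("Authentication-Results", ""))
    m = re.search(r"dkim=(\w+)(?:.*?header\.d=([\w.-]+))?", ar)
    if not m:
        return None, None
    return m.group(1).lower(), (m.group(2) or "").lower() or None


def from_domain(msg):
    """Domain part of the From: address, lower-cased."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def org_domain(host):
    """Toy organizational domain (last two labels). Real code should use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(host.split(".")[-2:])


def dkim_aligned(msg):
    """True only if DKIM passed and its d= domain shares an organizational
    domain with the From: address (the relaxed alignment that DMARC uses)."""
    result, d = dkim_result(msg)
    fd = from_domain(msg)
    return bool(result == "pass" and d and fd and org_domain(d) == org_domain(fd))


def offsite_links(body, expected=EXPECTED_SIGNIN_HOSTS):
    """URLs in the body whose host is not an expected sign-in host. A host that
    merely ends in google.com (such as sites.google.com) is still flagged,
    which is the tell Johnson pointed out."""
    flagged = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host not in expected:
            flagged.append(url)
    return flagged


def analyze(raw):
    """Run both checks over one raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    result, d = dkim_result(msg)
    return {
        "dkim": result,
        "signing_domain": d,
        "from_domain": from_domain(msg),
        "aligned": dkim_aligned(msg),
        "offsite_links": offsite_links(body),
    }


if __name__ == "__main__":
    for name, raw in (("aligned", SAMPLE_ALIGNED), ("misaligned", SAMPLE_MISALIGNED)):
        print(name, analyze(raw))
```

The first sample is the more instructive one: DKIM passes and even aligns with the sender domain, yet the link check still fires, which is the article's point that a clean signature says nothing about where the link goes. The alignment check matters for the opposite case, where a message borrows a Google-looking `From:` address but is signed by some other domain.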




If you're using a password to access your Gmail account and unknowingly hand it over in a phishing scam, there's little stopping an attacker from breaking in. With just your password and a two-factor authentication (2FA) code captured the same way, they can log in from their own device.

However, using a passkey in combination with 2FA significantly boosts your security.

A passkey is a highly secure, system-generated login credential that can’t easily be guessed, stolen, or phished. It's tied to your physical device, meaning a hacker wouldn't be able to use it even if they had it—it simply won’t work on any device but yours.

Spotting the Red Flags
Along with using passkeys, staying alert to phishing red flags can also help keep your accounts safe.


Source: Aura / YouTube.


Even though phishing attempts are becoming more convincing, many still follow a predictable pattern: they usually include a vague or generic greeting, a sense of urgency, and a clickable link that asks you to take immediate action.

Recognizing these signs can make a big difference in staying protected online.

While companies like Google do sometimes reach out via email, they will never ask you to click a link to update sensitive details like your login or payment information.

In the latest phishing scam, attackers disguised their message to look like a legal or government request for account access—a tactic designed to spark panic and urgency.




But according to Google’s Privacy and Terms page, the company does notify users when such legitimate requests come through.

“When we receive a request from a government agency, we send an email to the user account before disclosing information. If the account is managed by an organization, we'll give notice to the account administrator,” it states.

The only exception is when Google is legally prohibited from notifying users — such as during a court-ordered gag period. In those cases, Google commits to informing users once the restriction is lifted.

Because scammers are now mimicking these official notices, it can be especially difficult to spot the difference between a real subpoena and a fake one.


Source: Sunrise / YouTube.


Google strongly advises users to exercise caution with any message asking for personal information.

“If you get this type of message, don't provide the information requested without confirming that the site is legitimate,” the company warns. “If possible, open the site in another window instead of clicking the link in your email.”

Lastly, Google emphasizes that it will never send unsolicited messages asking for your password or personal details.


Key Takeaways
  • Nick Johnson, a developer for Ethereum, reported a sophisticated phishing attack on Gmail users that exploits Google's infrastructure.
  • The phishing email appeared to come from a legitimate Google address and asked users to hand over their Google account access, using very convincing duplicate pages of Google.
  • Google has acknowledged the attack, urged the adoption of two-factor authentication and passkeys, and has shut down the mechanism that allowed this method of attack to work.
  • Google and experts advise users to be cautious with emails asking for personal information, to recognise signs of phishing scams, and to use additional security measures like passkeys to protect their accounts.

Have you encountered a phishing scam? Do you have tips for remembering complex passwords or passkeys? Share your experiences and advice in the comments below!