Google has confirmed the latest warnings that Gmail accounts are under attack, and has issued some simple, critical advice. But it’s difficult for users to dive beneath all the headlines to work out exactly what they should do. To start with, you must change your email account to keep it safe from attackers. Here’s what to do and why today.
The latest attacks follow recent patterns, mimicking Google’s own support to trick users into giving up credentials. According to Check Point, Google is second only to Microsoft in its likelihood to be aped in an attack. “As we progress through 2025,” Check Point says, “organizations and users must stay alert to the evolving threat of phishing attacks.”
Google’s first piece of advice follows on from that warning: it will never contact users to discuss account security. “Reiterate to your readers,” the company tells me, “that Google will not call you to reset your password or troubleshoot account issues.”
The second piece of advice is to change your login details. “Passkeys provide the strongest protection,” Google says. “Once you create a passkey, you can use it to easily sign in to your Google Account, as well as some third-party apps or services. You can also use that passkey to verify it’s you when you make sensitive changes.”
Unlike Microsoft, which pushes users to delete passwords as an account vulnerability if kept alongside passkeys, Google is keeping passwords and two-factor authentication (2FA) as a backup. But when you set up your passkey, you should change your password and ensure that 2FA is device-linked, either through an authentication app or a trusted device login. Do not use SMS.
This is especially critical with the rise in AI attacks that are harder to detect and defend against, as the FBI has just warned. You’re less likely to see them coming and so you should do all you can to make it impossible for an attack to hit its mark.
So, why today? Today is World Password Day, which is over-hyped but does have a serious message in amongst all the “worst passwords” noise. It’s a timely reminder to make these changes to your Gmail and other accounts before it’s too late.
The FIDO Alliance is charged with pushing passkeys, and its latest research shows adoption is accelerating. “The establishment and growth of World Passkey Day,” its CEO Andrew Shikiar said today, “reflects the fact that organizations of all shapes and sizes are taking action upon the imperative to move away from relying on passwords and other legacy authentication methods that have led to decades of data breaches, account takeovers and user frustration.”
You can find details on setting up your Google/Gmail passkey here.