Google has confirmed the latest attack on Gmail users, another case of devious social engineering exploiting platform vulnerabilities. Again, the objective of the attack was to take over the victim’s email account, again it seemed to come from Google itself, again it has kept the headlines coming given Gmail’s scale and global reach. Google’s advice is clear: make sure you watch for the telltale message that’s a clear sign of an attack.
You’re likely familiar with the details of the latest attack by now, with “emails [that] appear to come from a legitimate Google account service, asking users to follow a link to take action. However, clicking on the link could lock you out of your account.” Those are the details you can ignore, along with the ways in which attackers can fake Google emails and the ways in which phishing sites can be hosted on legitimate Google domains.
Google has patched these latest security holes, just as it patched security holes in February when a similar attack made headlines. This is a game of cat and mouse. As soon as Google takes action, hackers look for another way through. And they inevitably succeed. Watching the rearview mirror to guard against a repeat attack is pointless. This is about prevention, and fortunately one simple piece of advice foils all these attacks.
For that reason Google is understandably frustrated. Gmail users are all now looking for specific emails from a specific Google address to keep safe. Don’t. It’s much more basic than that. As Google told me, “please reiterate to your readers that Google will not contact you to reset your password or troubleshoot account issues.”
It’s really that simple. That’s all you need to know. And the same applies to Microsoft and Apple and Meta and others. That could be a phone call or an email. It’s the same. If you receive an unsolicited message of any kind from Google’s technical support, it’s an attack, a scam, a threat to your account, your finances, your data, your other platforms that rely on a Gmail address for a login or account recovery. Bad news all round.
In the same way, the FBI’s recent warning that scammers are impersonating its own staff to trick victims and the broader threat from law enforcement impersonation prompts the same warning — law enforcement will never reach out in this way.
And the raft of banking scams is also the same. Account holders are contacted and told to move money to a safe account to protect it from a (made-up) attack. These so-called phantom hacker attacks have also prompted an FBI warning. That pattern, that a bank or agency or tech support desk reaches out, is the telltale sign. You must never engage with those emails or calls. Reach out to the relevant organization through usual channels and check — it’s almost 100% certain they’ll advise it’s a scam.
That simple warning from Google, that it will never reach out to discuss an account issue or security risk, would have stopped these recent attacks at source. It’s the single most critical piece of advice for Gmail’s 2 billion users right now. And in addition, you should also set up passkeys on your account given all this furor, as that means even if you’re tricked, your account should be protected from whatever comes next.