Google’s latest Gmail update, which allows users to change their primary email address while keeping the old one as an alias, has become a goldmine for cybercriminals. Within weeks of its rollout, attackers have launched a wave of highly sophisticated phishing campaigns that mimic legitimate Google security notifications. The twist? These scams originate from Google’s own systems, making them nearly impossible for traditional spam filters to detect.
The tactic exploits the trust users place in Google’s infrastructure. Fraudulent emails—sent from addresses like noreply@google.com—urge recipients to ‘verify’ their account due to an ‘address change’ or ‘security update.’ Clicking the embedded link doesn’t take victims to a Google page but to a deceptively authentic fake site hosted on sites.google.com, a legitimate (and often overlooked) Google service for user-generated content. Once credentials are entered, attackers gain full access—not just to Gmail, but to all linked services, from Drive and Photos to third-party accounts tied to the same login.
The Myth: ‘This looks like a real Google email—it must be safe.’
Most users assume that any email bearing Google’s branding or sent from a @google.com address is genuine. The reality is far more dangerous: scammers are abusing Google’s own systems to send these messages. Earlier warnings from security firms like Check Point Research had already flagged similar attacks before the feature’s official rollout, suggesting that criminals were reverse-engineering Google’s workflows to automate phishing emails through legitimate infrastructure. Google has confirmed that its systems were not breached, but the damage is already being done.
What’s Really Happening
Here’s how the scam unfolds:
- Fake urgency: Emails claim your account will be ‘locked’ or ‘deleted’ unless you act immediately, playing on fear to override skepticism.
- Spoofed sender: The ‘From’ address mimics Google’s official domains, and the email may include real Google logos or styling.
- Fake verification page: The linked site—hosted on sites.google.com—replicates Google’s login interface down to the smallest detail, including auto-fill fields and security badges.
- Credential theft: Any password entered is captured and used to hijack the account, often within minutes of submission.
The use of sites.google.com is particularly effective because it’s a legitimate Google service, not a third-party domain. Many email security tools whitelist it, allowing these phishing pages to slip through unnoticed.
How to Protect Yourself
Google’s advice remains the same: never click links in emails—even if they appear to come from Google. Instead, manually navigate to account.google.com to check for any real security alerts. Here are key steps to take:
- Enable two-factor authentication (2FA): Even if attackers steal your password, 2FA adds a critical layer of protection.
- Use a password manager: Complex, unique passwords for Google accounts reduce the risk of credential stuffing.
- Verify before you click: Hover over links to reveal their true destination. If it’s not google.com, it’s a scam; and remember that a sites.google.com address is user-created content, not Google’s login page, even though it sits under a Google domain.
- Check your security dashboard: Regularly review ‘Security Checkup’ in your Google account settings for unfamiliar devices or login attempts.
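As an added example (not code from the article or from Google), here is a small Python link audit that applies the "check the destination before you click" advice to an email body: it parses each link's real hostname, treats sites.google.com as user-created content rather than a Google login page, and flags everything else. The allowlist of Google sign-in hosts and the sample message are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hosts that serve Google's real sign-in and account pages. This allowlist is an
# assumption made for the example, not a list published by Google.
GOOGLE_LOGIN_HOSTS = {"accounts.google.com", "myaccount.google.com"}

# Google services that publish user-created pages: a genuine google.com host,
# but anyone can put a login-lookalike page there.
USER_CONTENT_HOSTS = {"sites.google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _host_matches(host: str, allowed: set[str]) -> bool:
    """True if host is one of `allowed` or a subdomain of one of them."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify_link(url: str) -> str:
    """Classify one link as 'google-login', 'user-content' or 'suspicious'.

    The hostname comes from urlparse(), not from substring matching, so
    'https://google.com@evil.example/' (userinfo trick) and
    'https://google.com.verify-login.example/' (lookalike prefix) are not fooled.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious"
    if _host_matches(host, USER_CONTENT_HOSTS):
        return "user-content"      # Google domain, but not Google's login page
    if _host_matches(host, GOOGLE_LOGIN_HOSTS):
        return "google-login"
    return "suspicious"


def audit_email(body: str) -> list[tuple[str, str]]:
    """Extract every http(s) link in an email body and classify it."""
    return [(u, classify_link(u)) for u in URL_RE.findall(body)]


# Constructed sample message in the style the article describes (not a real email).
SAMPLE_BODY = """Your Google account address was changed. Verify within 24 hours
or the account will be locked: https://sites.google.com/view/account-verify-now
Manage settings: https://myaccount.google.com/security-checkup
Help: https://google.com@verify-login.example/reset"""

if __name__ == "__main__":
    for url, verdict in audit_email(SAMPLE_BODY):
        print(f"{verdict:12} {url}")
```

Only the link that actually resolves to a Google sign-in host is labelled as such; the sites.google.com page is reported separately so that a "google.com" allowlist in a mail filter does not quietly pass it.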
While Google has taken steps to mitigate abuse of its infrastructure, the onus remains on users to stay vigilant. New features—no matter how convenient—often attract criminals looking for weak points. The lesson? Treat every unsolicited email, even those with Google’s branding, with the same caution you’d reserve for a suspicious text message.
For now, the best defense is skepticism. If an email claims to be from Google and demands immediate action, assume it’s a scam—because in this case, the odds are stacked against the victim.
