Google, the world's most popular search engine, has issued a crucial warning for all Google Mail (Gmail) users, highlighting a new phishing scam that uses sophisticated tactics to bypass security checks and trick users into handing over their Google account credentials. The campaign uses legitimate-looking emails that appear to come from trusted sources like Google, making it difficult for users to spot the scam.
What Is the Gmail Scam?
The phishing scam came to light when software developer Nick Johnson shared his experience on social media platform X (Twitter). He received an email from "no-reply@google.com" that looked like an official Google communication. The email claimed that a subpoena (a legal document) had been issued for his Google account data and provided a link to a Google support page. However, the link did not lead to an official Google page but to a fake phishing website hosted on Google's own platform, sites.google.com.

The phishing email passed Google's security checks, including DomainKeys Identified Mail (DKIM) authentication. It was even delivered in the same Gmail conversation thread as real security alerts from Google, which made it appear highly credible. When users clicked the link, they were directed to a cloned Google sign-in page designed to capture their login credentials.
The scam takes advantage of Google's trusted domains, which have been hijacked to deliver malicious content. Even with advanced security mechanisms such as DKIM in place, threat actors have found ways to make their emails appear legitimate. This makes phishing attempts harder to detect, even for users who are otherwise cautious about their online security.
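A passing DKIM result is therefore not enough on its own to trust a message that claims to come from Google. The following triage check is an added example, not code from Google or from the original report: it parses a constructed sample email and flags links to user-hosted pages on sites.google.com even when the sender domain passed DKIM. The sample message, the `USER_CONTENT_HOSTS` set and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hosts that serve user-created pages under a Google domain. sites.google.com is
# the one named in the article; the set itself is an assumption of this example.
USER_CONTENT_HOSTS = {"sites.google.com"}

# Constructed sample message (not the real phishing email).
SAMPLE_EML = """\
Authentication-Results: mx.example.net; dkim=pass header.d=google.com; spf=pass
From: Google <no-reply@google.com>
To: user@example.com
Subject: Security alert
Content-Type: text/plain

A subpoena was issued for your Google account data.
Review the case: https://sites.google.com/view/constructed-example/home
Account settings: https://accounts.google.com/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def dkim_pass_domains(msg):
    """Return the d= domains for which Authentication-Results reports dkim=pass."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";"):
            if re.search(r"\bdkim=pass\b", clause, re.I):
                m = re.search(r"header\.d=([\w.-]+)", clause, re.I)
                if m:
                    domains.add(m.group(1).lower())
    return domains

def triage(raw):
    """Flag links to user-content hosts, recording whether the From domain passed DKIM."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signed = from_domain in dkim_pass_domains(msg)
    findings = []
    for url in URL_RE.findall(msg.get_payload()):
        host = (urlsplit(url).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:
            findings.append({"url": url, "host": host, "dkim_aligned": signed})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("SUSPICIOUS:", finding)
```

A finding with `dkim_aligned` set to true is the case the article describes: the signature checks out, yet the link leads to a user-built page rather than an official Google sign-in or support page.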
Google's Response on Gmail Phishing Scam
The Alphabet Inc.-owned company has acknowledged the phishing scam and confirmed that it exploited OAuth and DKIM mechanisms in an ethical way.
The company stated that it is actively rolling out protections to mitigate the threat. Google also mentioned that the fix would be fully deployed in the coming days. In addition, Google has urged users to enable two-factor authentication (2FA) and use passkeys to enhance the security of their accounts and prevent unauthorized access.
How to Protect Your Gmail Account From the Phishing Scam?
While Google is working to roll out fixes for this issue, Gmail users are advised to be extra cautious. Below are some precautionary steps to protect your Gmail account.
- Avoid clicking on any suspicious links: Be cautious when you receive any unsolicited emails, especially those asking for personal information or urgent actions. Always avoid clicking on links in such emails, even if they appear to come from trusted sources like Google.
- Type URL instead of clicking directly: If you receive a suspicious email that appears to be from Google, do not follow any links provided in the message. Instead, go directly to the official Google website by typing the URL into your browser.
- Enable Two-Factor Authentication (2FA) in your system: Enabling two-factor authentication is one of the best ways to protect your Gmail account. It adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device, whenever you log in from an unrecognized device.
- Use Strong and Unique Passwords: Make sure that your password combines uppercase and lowercase letters, numbers, and special characters. Avoid using easily guessable passwords or locks.
- Change your password regularly. It is also a good security practice.
- Enable Passkeys for Extra Security: Google recommends enabling passkeys as an additional security feature. Passkeys ensure that your account is protected even if your password is compromised, making it more challenging for hackers to gain unauthorised access.
By following these tips, Gmail users can significantly reduce their risk of falling victim to phishing scams and other cyber threats. Remember, staying vigilant and taking simple precautions can go a long way in keeping your account safe.