Google has issued a new warning over a which can bypass the. The attack is understood to use Google Sites - which creates websites - to spoof legitimate domain names and can evade detection from - a robust system used to filter for scams.
Gmail is one of the 's most-used email services with 1.8 billion user accounts across the world, meaning this security breach could have massive ramifications for millions of users. A phishing attack is designed to motivate people into sharing personal information, including their bank details, passwords, credit card details, or personal data.
Details of the attack were first shared by Nick Johnson, a cryptocurrency influencer. Posting on , he said: "The first thing to note is that this is a valid, signed email—it really was sent from no-reply@google.com.
"It passes the DKIM signature check, and Gmail displays it without any warnings—it even puts it in the same conversation as other, legitimate security alerts."
"The site's link takes you to a very convincing 'support portal' page. They've cleverly used http://sites.google.com because they know people will see the domain is http://google.com and assume it's legit."
The DKIM signature check is designed to filter emails from suspicious origins, sending them directly to spam before the user has a chance to see them. However, the filter sees these emails as coming from a legitimate source as they've used a domain name generated by Google Sites.
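A DKIM pass says which domain signed a message, not where the links inside it lead, so a mail-triage check can treat the two separately. The sketch below is an added example, not code from the article or from Google; the sample message, the `assess` helper and the host list are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Hosts where anyone can publish pages under a trusted parent domain.
# sites.google.com is the one named in the article; the set is an assumption to extend.
USER_CONTENT_HOSTS = {"sites.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# RFC 8601 style: "dkim=pass header.i=@google.com" or "... header.d=google.com"
DKIM_RE = re.compile(r"\bdkim=(\w+)(?:[^;]*?\bheader\.[di]=(?:[^\s;@]*@)?([\w.-]+))?", re.I)

# Constructed sample, not a captured message.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.i=@google.com; spf=pass
From: no-reply@google.com
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Review the case at https://sites.google.com/view/constructed-example and sign in.
"""


def body_text(msg):
    """Concatenate every text part (plain or HTML) of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw_message):
    """Report DKIM status and any links to user-content hosts, whatever DKIM says."""
    msg = message_from_string(raw_message)
    m = DKIM_RE.search(msg.get("Authentication-Results", ""))
    dkim, signer = (m.group(1).lower(), (m.group(2) or "").lower()) if m else ("none", "")
    hosts = {(urlsplit(u).hostname or "").rstrip(".") for u in URL_RE.findall(body_text(msg))}
    flagged = sorted(hosts & USER_CONTENT_HOSTS)
    if flagged:
        verdict = "review"  # authenticated or not, the link target is user content
    else:
        verdict = "ok" if dkim == "pass" else "unauthenticated"
    return {"dkim": dkim, "signer": signer, "flagged": flagged, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE))
```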
Google told Newsweek it was taking steps to deal with the attack. A spokesperson said: "We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse.
"In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns."
In another statement on their website, Google says: "Be careful anytime you receive a message from a site asking for personal information. If you get this type of message, don't provide the information requested without confirming that the site is legitimate.
"If possible, open the site in another window instead of clicking the link in your email. Google will never send unsolicited messages asking for your password or other personal information."
Email users should be on guard over the coming weeks, especially against messages asking for personal data. While many people will check the domain or the email address to decide whether it's legitimate, it's worth taking additional steps.
The previously published an article on how to check for various types of scams.