If you’ve received an email from the seemingly innocuous no-reply@google.com claiming to be from Google, urging you to “verify your account activity” or risk having your Gmail deactivated — don’t panic, and definitely don’t click on it. A new scam targeting Gmail users is doing the rounds, and it is worryingly convincing. The email looks as if it comes straight from Google. It was first spotted and reported by X user Nick Johnson. “Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure,” he said in a post.
The phishing email uses the company’s branding, carries the correct logo, and is written in language that sounds official. “The first thing to note is that this is a valid, signed email - it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts,” Johnson wrote. But make no mistake — this is a phishing attack designed to steal your personal data.
The phishing email warns that your Gmail account is being reviewed due to recent activity. It asks you to verify your account by clicking on a “Review Activity” button. The message creates urgency, saying that failure to act will result in account suspension within 24 hours.
At the time of writing, Johnson has confirmed that Google has acknowledged the issue and will fix the bug: “Google has reconsidered and will be fixing the oAuth bug!”
How to Protect Yourself
To safeguard against such phishing attempts:
- Verify Email Sources: Be cautious of emails requesting sensitive information or urgent actions. Even if an email appears to come from a legitimate Google address, scrutinize its content and links.
- Check URLs Carefully: Before entering credentials, ensure the website's URL is correct. For Google services, the login page should be at accounts.google.com, not sites.google.com or any other variation.
- Enable Two-Factor Authentication (2FA): Adding an extra layer of security can prevent unauthorized access, even if your password is compromised.
- Use Passkeys: Consider using passkeys for your Google account, which provide strong protection against phishing attacks.
- Report Suspicious Emails: If you receive a suspicious email, report it to Google. You can also check your account's recent security activity directly by visiting myaccount.google.com/notifications.
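The URL check above is easy to get wrong by eye, because a lookalike address can contain the real hostname as a prefix or hide it in the part before an “@”. The following Python snippet is an added example (not code from the article or from Google) that classifies a sign-in link by its actual hostname: only the exact hosts the article names (accounts.google.com and myaccount.google.com) are treated as trusted, sites.google.com is flagged as user-published content, and everything else, including HTTP links, lookalike domains, and userinfo tricks, is treated as untrusted. The sample URLs at the bottom are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts the article names as Google's genuine account and sign-in pages.
TRUSTED_HOSTS = {"accounts.google.com", "myaccount.google.com"}
# Hosts where anyone can publish a page; a login form served from one is a red flag.
USER_CONTENT_HOSTS = {"sites.google.com"}


def classify_login_url(url: str) -> str:
    """Return 'trusted', 'user-content' or 'untrusted' for a link that asks you to sign in."""
    parts = urlsplit(url.strip())
    # A genuine sign-in page is always served over HTTPS.
    if parts.scheme.lower() != "https":
        return "untrusted"
    # urlsplit() returns the real host even for "https://accounts.google.com@evil.example/",
    # where the text before '@' is userinfo, not the host; .hostname is already lowercased.
    host = (parts.hostname or "").rstrip(".")
    # Internationalised (xn--) or non-ASCII hosts cannot be one of the exact trusted names,
    # so they fall through to 'untrusted' via the exact-match checks below.
    if host in TRUSTED_HOSTS:
        return "trusted"
    if host in USER_CONTENT_HOSTS:
        return "user-content"
    # Catches lookalikes such as accounts.google.com.evil.example, which merely start
    # with the trusted name.
    return "untrusted"


def triage_links(urls):
    """Classify a batch of links and return a list of (url, verdict) pairs."""
    return [(u, classify_login_url(u)) for u in urls]


# Constructed sample links for demonstration only.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",                  # genuine sign-in page
    "https://sites.google.com/view/account-review",        # user-published page
    "https://accounts.google.com.evil.example/signin",     # lookalike prefix
    "https://accounts.google.com@evil.example/signin",     # userinfo trick
    "http://accounts.google.com/signin",                   # plain HTTP
]

if __name__ == "__main__":
    for link, verdict in triage_links(SAMPLE_LINKS):
        print(f"{verdict:12s} {link}")
```

Run it as a script to see a verdict next to each sample link; in practice you would paste the link target shown when hovering over the button, rather than the text of the button itself.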