Avoid Opening This Suspicious Email Disguised as a Message from Google

Gmail Users Warned: Fake Google Emails Are Fooling People

Protecting your online accounts is getting harder. Even though companies like Microsoft and Google are working to make email safer, hackers are finding new ways to trick people. This week, Google confirmed that some Gmail users are being targeted by a smart new scam. It uses fake emails that look like they came directly from Google—even passing all the security checks.

What’s Happening?

A software developer named Nick Johnson shared a warning on April 16. He got a scary-looking email from “Google” saying there was a subpoena (a legal order) for his account information. The email looked completely real. It came from “[email protected],” passed Gmail’s security checks, and was even grouped with other legit Google emails.

The link in the email led to what looked like a real Google support page—but it was fake. It was hosted on sites.google.com, which made it seem trustworthy. The page asked for login information and looked just like the real Google login screen. If you enter your details, hackers can steal your account.

Why This Scam Is So Dangerous

These emails passed the authentication checks Gmail relies on, such as DKIM and SPF. These checks are supposed to help users know if an email is real. But the scammers found a clever way around them.

The fake support pages were hosted on Google’s own platform (sites.google.com), making them extra hard to spot as fake. If you’re not very familiar with how Google logins usually work, it’s easy to fall for it.

What Are DKIM, SPF, and DMARC?

  • SPF checks if an email came from an approved server.

  • DKIM adds a digital signature to emails, kind of like a fingerprint.

  • DMARC tells the receiving mail server what to do if an email fails the above checks: send it to spam, reject it, or deliver it.

These tools are meant to stop fake emails, but this attack proves that even with these systems in place, clever scammers can still sneak through.
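
An added example (not from the article or from Google) of the check this implies for a mail filter: a passing SPF/DKIM/DMARC result identifies the sender, not where the message's links lead. The sample message, its addresses and the `USER_CONTENT_HOSTS` list are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hosts where anyone can publish pages under a trusted parent domain.
# sites.google.com is the one named in the article; the set itself is an assumption.
USER_CONTENT_HOSTS = {"sites.google.com"}

# Constructed sample message (not the real phishing email).
SAMPLE = """\
From: Google <no-reply@google.example>
To: user@example.com
Subject: Security alert
Authentication-Results: mx.example.net;
 dkim=pass header.i=@google.example;
 spf=pass smtp.mailfrom=bounce.example.org;
 dmarc=pass header.from=google.example
Content-Type: text/plain

A subpoena was served. Review the case at
https://sites.google.com/view/constructed-case-page and sign in.
Account settings: https://accounts.google.com/
"""

def auth_results(msg):
    """Return e.g. {'dkim': 'pass', ...} parsed from Authentication-Results."""
    header = " ".join(msg.get_all("Authentication-Results", []))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(dkim|spf|dmarc)=(\w+)", header, re.I)}

def risky_links(msg):
    """Return body URLs hosted on user-content hosts (single-part text only)."""
    body = msg.get_payload()
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [u for u in urls
            if (urlparse(u).hostname or "").lower() in USER_CONTENT_HOSTS]

def triage(raw):
    msg = message_from_string(raw)
    auth = auth_results(msg)
    links = risky_links(msg)
    all_pass = all(auth.get(k) == "pass" for k in ("dkim", "spf", "dmarc"))
    # A link to user-hosted content is flagged even when every check passed.
    verdict = "suspicious" if links else ("ok" if all_pass else "unauthenticated")
    return {"auth": auth, "risky_links": links, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```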

Hackers Are Using Cheap Tools

Experts say that phishing kits (tools used to create fake emails and websites) can be bought for as little as $25 on shady websites or Telegram groups. These kits often come with:

  • Fake website templates

  • Scripts to steal data

  • Tools to block certain users and avoid being caught

  • Email templates and contact lists

These kits make it easy for even beginner hackers to launch convincing attacks. Google, Facebook, and Microsoft are the most copied brands in these scams.

What Google Is Doing About It

Google says it’s already working on a fix to stop these attacks. They are rolling out new protections that will block this method. Until then, users are advised to:

  • Turn on two-factor authentication (2FA)

  • Use passkeys for added protection

  • Be careful of emails, even if they look real

Melissa Bischoping, a security expert, explained that while some parts of this attack are new, using trusted brands to scam people is not. She said people need to be more aware than ever.


Key Takeaway:
If you get a security email from Google, don’t trust it right away, even if it looks real. Double-check the web address, don’t click on links unless you’re sure they’re safe, and always use strong security settings on your accounts.
