That Google email look real? Don’t click – it might be a scam. Here’s how to tell

A sophisticated phishing scam is taking advantage of Google security flaws to convince people that the malicious emails and website are legitimate.
In a series of X posts spotted by Android Authority, developer Nick Johnson explained how he was targeted by a phishing attack that exploits flaws in Google’s own infrastructure. In his first post, Johnson includes a screenshot of the scam email claiming that Google had been served a subpoena requiring it to produce a copy of his Google account data.
The email reads like a genuine notice: it uses the right terminology and contains no typos or broken English. It appears to come from [email protected], a legitimate automated Google address, and it passes the DKIM signature check, which confirms that the signed headers and body were signed with Google’s key and have not been altered since. No other warnings appear, so to a recipient it looks completely legitimate.
Clicking the link in the email takes you to a “support portal” that looks like an actual Google page. It is in fact hosted on Google Sites, a platform where anyone can create and run their own website. Because the page sits under a google.com address, people assume it’s the real deal.
Clicking “Upload additional documents” or “View case” takes you to a sign-in screen that also looks like Google’s. This is the one tip-off: as Johnson notes, the sign-in page is served from Google Sites rather than from the accounts.google.com page where you normally log in.
That’s where Johnson stopped. Had he entered his username and password, he presumes the attackers would have captured the credentials and used them to compromise his Google account.
“This recent phishing attack exploits legitimate Google features to send crafted emails that bypass some traditional checks, as well as leverage Google Sites to host spoofed pages and harvest credentials,” said Melissa Bischoping, head of security research at cybersecurity firm Tanium.
“The email leveraged an OAuth application combined with a creative DKIM workaround to bypass the types of safeguards meant to protect against this exact type of phishing attempt,” explained Bischoping. “What makes this tactic particularly dangerous isn’t just the technical sleight of hand, but the deliberate use of trusted services to slip past both users and detection tools.”
The blame for this scam should obviously be aimed squarely at the scammers themselves. But Google is also on the hook, as this exploit is possible due to a couple of security vulnerabilities.
First, Google Sites is a legacy product that still allows arbitrary scripts and embeds, according to Johnson, so an attacker can publish a page containing arbitrary code and embedded objects under a google.com subdomain. Second, closer inspection of the headers reveals that the message did not travel from Google to the victim: it was relayed via a privateemail.com address. That raises the question of how and why Google signed it in the first place. Part of the answer lies in what DKIM does and does not check: the signature covers the selected headers and the body, not the route the message took, so a message that Google genuinely generated and signed can be re-sent intact from another mailbox and still pass verification.
After receiving the scam email, Johnson said he contacted Google to alert them to the vulnerabilities. Initially, the company apparently brushed aside his concerns, claiming that all of this was intended behavior. But then Google reversed its stance and has since indicated that it will fix these bugs.
“More threat actors are deliberately choosing to leverage services that have very legitimate business use cases, underscoring the trend that, as detection tools get stronger, adversaries are looking for ways to evade detection altogether, not necessarily outsmart them with expensive exploits,” Bischoping said. “They’re focusing on the tools, sites, and functions organizations use in their daily work. By blending in with normal traffic, and the likelihood that a typical recipient won’t look that closely at a trusted domain like ‘google.com,’ threat actors have a high rate of success without significant investment.”
Thanks go to Johnson for not only catching this scam and warning people but for pressing Google to resolve the issue. Until a fix is rolled out, however, how can you protect yourself against such sophisticated phishing attacks?
Thomas Richards, infrastructure security practice director at security provider Black Duck, offers the following recommendations.
- Beware of any email that urges immediate action and warns of negative consequences if you don’t act. Pressure of this kind is a typical sign of a malicious message.
- Check the “From” and “To” addresses. If the “From” domain isn’t the company’s actual domain, or the “To” recipient isn’t you, the email is likely a scam.
- Avoid clicking links in the email. In the attack Johnson describes, the malicious site is hosted on a Google domain, but Google would never send you a legal notice and then direct you to a Google Sites page. If in doubt, log into your Google account separately, without using any link from the email, and see whether any messages or alerts are waiting for you.
- Finally, run an online search for the content of the email. That can tell you if others have reported it as a scam or received a similar email.