Google Confirms Gmail Warning—How To Keep Your Email Account

Posted by Zak Doffman, Contributor | 2 days ago | /cybersecurity, /innovation, Cybersecurity, Innovation, standard | Views: 12


You have been warned. Gmail attacks have reached a new level of threat. If you don’t act to secure your account you could lose it — at least long enough for irreparable damage to be done. This is the gateway to other Google accounts and services, so do not take risks. Fortunately, Google has just confirmed its warning to help you keep your account.

The latest such threat generated headlines when Instagram boss Adam Mosseri posted about “a sophisticated phishing attack.” It began with a call to say his “Google account was compromised,” followed by “an email to confirm my identity,” after which he was “asked to change my password using my Gmail app.” That’s the tell and it should have stopped there.


But understandably, Mosseri was “impressed” by the credibility of the attack. It will come as little surprise now, but the attacker’s email “came from [email protected] and linked to https://sites.google.com/view/pendingtickets, which of course asked me to sign in.” This is fast becoming an alarming new normal.

This use of legitimate infrastructure to legitimize malicious emails, forms and websites has driven viral story after viral story in recent months. Just this week, another warning followed threat actors “leveraging tools from trusted tech giants to exploit users.” Cofense discovered Google tech being used to phish for Microsoft credentials, with “an email masquerading as an invoice, containing a link to a webpage that uses Google Apps Script, a development platform integrated across Google’s suite of products.”

Google responded to Mosseri’s post on Threads, confirming both the password attack and the company’s critical advice to users. “Thank you for flagging — we suspended that form and site yesterday, and we constantly roll out defenses against these types of attacks. As a reminder: Google will never call you about your account.”

That’s the crux. If you receive an email or a call from Google to handle an account issue or change a password or other account settings, it’s a scam. It really is that simple. “Please reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues,” a company spokesperson asked me.


The other advice is to remove password-only access to your accounts and to use only two-factor authentication that is tied to your physical devices. Do not use SMS, email or any other message that can be intercepted. It needs to be a passkey (ideally) or an authenticator app at a minimum. If the latter, never enter codes into any popup or website you have not accessed through usual channels. No links or surprise popups.

As with other Google infrastructure attacks we have seen in recent months, including the infamous “[email protected],” the newsflow following Mosseri’s post (1,2) focuses on the cleverness of the attack and the difficulty in detecting it mid-flight. But just do those two things — set up passkeys and never respond to calls or emails from Google about account issues — and you will keep your account safe and secure.
