Google Warns Gmail Users—Hackers Gain Access To Accounts

Posted by Zak Doffman, Contributor | 4 hours ago


Google has confirmed that Gmail attacks are surging, as hackers steal passwords to gain access to accounts. This also means a surge in “suspicious sign in prevented” emails, Google’s warning that “it recently blocked an attempt to access your account.”

Attackers know that security warnings heighten Gmail users’ concerns, and they use this to frame their attacks. “Sometimes hackers try to copy the ‘suspicious sign in prevented’ email,” Google warns, “to steal other people’s account information,” which then gives those hackers access to user accounts.

If you receive this Google email warning, do not click on any link or button within the email itself. Instead, “go to your Google Account, on the left navigation panel, click security, and on the recent security events panel, click to review security events.”

If any of the events raise concerns — times or locations or devices you do not recognize — then “on the top of the page click secure your account” to change your password.

If you do click a link from within this email or any other email purporting to come from Google, you will be taken to a sign-in page that will be a malicious fake. If you enter your user name and password into that page, you risk hackers stealing them to hijack your account. And that will give them access to everything.

This is the same risk as the recent Amazon refund scam, which texts a link for a fake Amazon refund, but which actually steals login credentials. The answer is twofold. First, never click any such link in a text message or email. And second, add passkeys to your Google, Amazon and other accounts to stop such hijacks.

This exploitation of seemingly legitimate emails, messages and calls that perfectly mimic the content and style of the real thing has become an alarming theme in the last year. This also includes exploiting legitimate infrastructure to add authenticity.

Beyond adding passkeys and shoring up two-factor authentication with something other than SMS, the key rule is never to use links to access accounts. Always use your app or the sign-in page you usually use in your browser.

Account hijacks are painful, and while there are mechanisms to recover lost accounts, these can be time-consuming and will not stop the content in your account from being stolen. It takes just seconds to secure your accounts, so do that now.



Forbes
