Google’s Gmail Upgrade—Why You Need This New Email Address

Posted by Zak Doffman, Contributor | 1 day ago


Republished on May 27 with new reports into email-based attacks and a useful security test for users to see the tactics now being used against them.

Google’s 2 billion Gmail users have a critical decision to make. But so does Google. And the tech giant’s might be the more critical. Gmail’s latest upgrade gives Gemini free rein over all your past emails and even your stored files. If you let it. That’s the decision you need to make. As for Google, it’s sitting on a critical decision of a different kind.

“Gmail is getting personalized smart replies that incorporate your context and tone,” Google confirmed last week. “Draft replies will sound authentically like you and match your typical tone, as the responses are created from past emails and Drive files.”

But as I’ve already warned, “we are still at the early stages of these changes, and we have no clue yet as to the privacy and security risks.” There is also an awkward disconnect: Gmail’s recent encryption upgrade clashes with its AI upgrades.

What Gmail users really need is Google’s ode to Apple’s HideMyEmail, which “is a service that lets you keep your personal email address private, whether you’re creating a new account with an app, signing up for a newsletter online, making a purchase with Apple Pay or sending an email to someone you don’t know well.”


For iPhone users, it has been described as “the best Apple product you aren’t using.” Spam is out of control; despite AI hunting and filtering, the problem remains. But there’s a more important reason for this email address shielding.

Per How-To-Geek this weekend, “I seem to get emails almost every week informing me that one of my online accounts has been part of a data breach… That’s why using a service such as Apple’s Hide My Email is more important than ever.”

That’s fine for iPhone and Apple Mail, but what about Android and Gmail? There is a solution. First revealed last November, Android’s Shielded Email feature does the same as HideMyEmail. In late February, Android Authority revealed details of the new feature following a Play Services APK teardown.

Shielded Emails “will be part of Google’s Autofill system. Just think of all the apps or screens where Google pops up with its suggested autofill details based on your saved passwords and usernames; all of these should be the new home for Shielded Email.”

When the team “tried to sign up for Amazon,” they saw that “Gboard’s smart autofill bar not only suggested the usual email address it knows we usually use but also a new Use Shielded Email option.” It’s not yet live and so didn’t work. It will require email server-side integration of some kind. But it’s clearly in late-stage development.

With headlines still circulating after vpnMentor’s Jeremy Fowler discovered a data breach exposing “184 million logins and passwords,” the need for Shielded Email that’s actually used — and HideMyEmail that’s actually used — has never been greater. “I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts.” This included “bank and financial accounts, health platforms, and government portals from numerous countries.”


Masking email addresses makes it more difficult for attackers to cross-reference your data and passwords and to socially engineer attacks in your name. It lets you turn off compromised email addresses. In tandem with strong, unique passwords and two-factor authentication (2FA), or ideally passkeys, it shuts doors into your life now wide open.

One of the most critical weaknesses in email is your address acting as the primary identifier for so many accounts. If this is masked you likely cannot be tracked across sites. But if you’re not using it, none of that matters. So while Google must decide on its release, when it comes you should use new addresses for all new platforms you use.

With perfect timing, coming just after Google’s new Gmail AI announcements, Android Authority provides a different perspective, with a “Survey [that] shows Gmail users would gladly sacrifice features for more privacy… Privacy seems to become a bigger deal every year as an increasing number of people aren’t cool with their data becoming a commodity. Proton Mail purports to offer more privacy than Gmail — unlike Google, even the Proton team can’t take a look at your inbox. As such, privacy-conscious users should want to flock to Proton Mail, right?” To find out, they polled their readers.

The results are interesting. “Around 73% of you said you would use Proton Mail instead of Gmail, with more than half of those people saying that they’d even pay for it. Less than 27% of you said you were happy with Gmail.” I suspect this would be very different across a larger base, but it does highlight the current Gmail tension that was brought to the fore by Google announcing Gemini can now access all your past emails and even Google Drive to better mimic your style and tone. In the privacy world, that’s definitely what you might call a mic drop moment.

As PC Mag warned “I gave Gemini access to my Gmail, and it weirds me out.” And while this focuses on unexpected results, “Google collects a variety of information when you use Gemini, which includes your entire chat history. The company uses this information to improve its products and train its large language models. However, Google doesn’t use Gemini data from Google Workspace apps, like Gmail, for training, ad targeting, or selling. I appreciate the guarantee, but I don’t fully trust Google.”


All of this simply reflects email’s identity crisis. How does it better ape secure messaging platforms while remaining an open standard? Can it secure content while acting as a shop window for cloud-based AI innovations? And will the imminent tidal wave of AI-fueled phishing and malware attacks ever be kept at bay?

It isn’t just Gmail, of course, that is now at risk given the use of email as both a primary identifier and a means to address phishing attacks and then cross-reference the credentials that are returned. Per Cybersecurity News, “a sophisticated phishing campaign [is] targeting Italian and U.S. users through fake Microsoft OneNote login prompts designed to harvest Office 365 and Outlook credentials.”

In this new attack, “victims receive emails with subject lines like ‘New Document Shared with you,’ directing them to fake OneNote pages that appear legitimate. The malicious pages present multiple authentication options, including Office365, Outlook, Rackspace, Aruba Mail, PEC, and other email services.”

And on the subject of documents, few brands have been more mimicked in recent phishing attacks than Docusign, where again the primary vector is email-based. ESET warns “victims will typically receive an email with a spoofed Docusign envelope requesting that they click on a large yellow box to ‘review document’.”

Sometimes, the malicious link is hidden behind a QR code in the attachment. But the objective is the same, to direct users to a fake login page for their email services, which will steal their credentials and potentially even bypass two-factor authentication.

As Deloitte points out, AI is a game-changer for such email-based attacks and has accelerated the need for users to change their account settings, their behaviors and the email addresses they give away much more freely than they would cell phone numbers. “Sophisticated phishing attacks are harder to detect by nature,” the firm says, “and sometimes even careful users can still fall into the trap.”

Deloitte says that “email users are now experiencing an ‘infobesity’ through their received emails, making them less cautious to detect phishing attempts. Cybercriminals are resourceful when deceiving users by crafting content and evading detection patterns (customization of content, copy of graphical charter, etc.). Cybercriminals also take advantage of the information users share about themselves through social media, to create tailored and more authentic email templates.”


“Phishing attacks attempt to trick unsuspecting users into revealing personal or financial information,” Google says, “often by mimicking content from well-known, trusted companies. AI is already making phishing attacks more sophisticated, personalised and common. Think you can tell what’s real or fake?” You might be surprised. You can put yourself to the test with Google’s Phishing Quiz, which mimics many of the tactics being used today. See how you get on.

Deloitte warns that “many users are simply not sufficiently skeptical when it comes to receiving requests to do things like transfer funds, open attachments, or provide sensitive information. Even worse, some organizations are not considering to include user training and awareness as part of their defense strategy.”

All these attacks start with an email address. Per ExpressVPN, “with so many online platforms requiring email addresses, tools like Shielded Email aim to address growing concerns about privacy and data security. Email aliases also let users trace which services might be sharing their information.”

Email needs a rethink. And in the meantime your account needs a rethink as well. Use the new Shielded Email feature as and when it becomes available, but also give some thought to the longevity and consequent vulnerability of the email address you use today, the primary identifier driving all these attacks. It might be time to open a new account and slowly shift from old to new, leaving the baggage behind.


