Google’s Gmail Warning—Do Not Respond To This Message

New warning as attacks soar.
Gmail is under attack. Google has confirmed that new AI-fueled campaigns are putting account holders at risk. The company has warned 2 billion users to check their security settings, adding passkeys and removing SMS two-factor authentication. But Google has also issued another warning — if you receive this message, you must not respond.
As Gmail users worldwide pore over the detail behind Google’s “no-reply” email attacks, trying to make sense of the technical vulnerabilities that have been exploited, the good news is you can ignore most of this. There’s only one thing you need to keep in mind to stay safe from almost all these new attacks. And Google wants everyone to know that.
“Please reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues,” a spokesperson asked me. It’s the same for Microsoft, Meta, Apple. And law enforcement. And your bank. And any organization that will be mimicked by scammers to steal your credentials, your money, even your identity.
The soaring scale of such attacks has just been highlighted by VIPRE’s “Email Threat Trends Report” for the first quarter of 2025. “For the first time,” it warns, “callback scams have made themselves a contender for top phishing vector, battling it out with links, attachments, and QR codes – and taking a surprising amount of the pie.”
Such attacks are pure social engineering. VIPRE says they “represent an ongoing trend of attackers favoring more low-tech, human-centric attacks as a way to get around sophisticated email scan technology… Not being able to catch social engineering email scams like these (that don’t rely on malware) is a significant weak spot.”
And that’s exactly what has driven the raft of Gmail warnings so far this year. Yes, phishing attacks with emails that perfectly replicate the style, imagery and typeface of a major brand or organization are a terrifying new threat to email users, but not calling back the number in one of those emails is the simplest possible mitigation.
“You’ve heard that cybercriminals look for the low-hanging fruit,” VIPRE says. “With callback phishing, they take ‘not working harder than you have to’ to a new level by having you initiate the phishing phone call yourself.”
We have seen such warnings from the FBI, with “phantom hacker” attacks defrauding banking customers into moving money to fake safe harbors, the impersonation of law enforcement officers, and a myriad of tech support scams.
This was behind Kaspersky’s warning last week that “law enforcement agencies are interested in your account,” which made headlines with reports of “hackers abusing Google Services to send malicious law enforcement requests.”
Google has pushed out a fix. “These protections will soon be fully deployed,” it says, “which will shut down this avenue for abuse.” But its advice is more straightforward. If you’re sent an email with a number to call back, contact the organization using usual, publicly available channels or your apps. Do not click, do not call, do not respond.