Google’s Gmail Warning—Hackers Gain Access To User Accounts

Posted by Zak Doffman, Contributor | 3 hours ago | /cybersecurity, /innovation, Cybersecurity, Innovation, standard | Views: 6


Republished on August 18 with a new warning for Google users about the risks in their Gmail address and what they should do to secure their accounts.

Google has confirmed that Gmail attacks are surging, as hackers steal passwords to gain access to accounts. This also means a surge in “suspicious sign in prevented” emails, Google’s warning that “it recently blocked an attempt to access your account.”

Attackers know that security warnings put Gmail users on edge, and they frame their attacks accordingly. “Sometimes hackers try to copy the ‘suspicious sign in prevented’ email,” Google warns, “to steal other people’s account information,” which then gives those hackers access to user accounts.

If you receive this Google email warning, do not click on any link or button within the email itself. Instead, “go to your Google Account, on the left navigation panel, click security, and on the recent security events panel, click to review security events.”

If any of the events raise concerns — times or locations or devices you do not recognize — then “on the top of the page click secure your account” to change your password.

If you do click a link from within this email or any other email purporting to come from Google, you will be taken to a sign-in page that will be a malicious fake. If you enter your user name and password into that page, you risk them being stolen by hackers to hijack your account. And that will give them access to everything.
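The warning above comes down to one check a mail client or gateway can make for you: does the link behind a "secure your account" button actually lead to Google? The following is an added example, not code from the article or from Google. It parses the HTML body of a notice, collects every link, and flags links whose host is not under google.com, whose scheme is not HTTPS, or whose host uses punycode, with particular attention to the brand-in-a-subdomain trick (google.com.something.example). The google.com allowlist is an illustrative assumption, and both sample mail bodies are constructed (198.51.100.7 is a documentation address):

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: an illustrative allowlist for this example, not Google's
# authoritative list of the domains its account notices link to.
TRUSTED_SUFFIXES = ("google.com",)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host):
    """True only if host is google.com itself or a subdomain of it.

    Matching on the registrable suffix defeats the common trick of putting the
    brand in a subdomain (google.com.<attacker>.example), which a plain
    substring check for "google" would accept.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def suspicious_links(html_body):
    """Return [(href, [reasons, ...])] for every link a user should not follow."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""   # relative/mailto links have no host and get flagged
        reasons = []
        if parsed.scheme != "https":
            reasons.append("scheme is %r, not https" % parsed.scheme)
        if not host_is_trusted(host):
            reasons.append("host %r is not under google.com" % host)
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode (IDN) host, possible homoglyph domain")
        # Account-action wording on a non-Google host is the classic credential lure.
        lure_words = ("google", "account", "security", "sign")
        if text and not host_is_trusted(host) and any(w in text.lower() for w in lure_words):
            reasons.append("link text %r invites an account action on a non-Google host" % text)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample bodies for the example; not real mail.
LEGIT_NOTICE = (
    "<p>Suspicious sign in prevented</p>"
    '<a href="https://myaccount.google.com/notifications">Check activity</a>'
)
PHISHING_NOTICE = (
    "<p>Suspicious sign in prevented</p>"
    '<a href="https://google.com.security-review.example/signin">Review security events</a>'
    '<a href="http://198.51.100.7/login">Secure your account</a>'
)

if __name__ == "__main__":
    print("legitimate notice:", suspicious_links(LEGIT_NOTICE))
    for href, reasons in suspicious_links(PHISHING_NOTICE):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The legitimate notice produces no findings; both links in the constructed phishing notice are flagged, the first purely because its host ends in `.example` rather than `.google.com`, however convincing the prefix looks. That suffix check is the part worth copying: it is also exactly what a human should do when reading the address bar after a click, which is why the article's advice to skip the link and open your account settings directly is simpler still.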

This is the same risk as the recent Amazon refund scam, which texts a link for a fake Amazon refund, but which actually steals login credentials. The answer is twofold. First, never click any such link in a text message or email. And second, add passkeys to your Google, Amazon and other accounts to stop such hijacks.

This exploitation of seemingly legitimate emails, messages and calls that perfectly mimic the content and style of the real thing has become an alarming theme in the last year. This also includes exploiting legitimate infrastructure to add authenticity.

Beyond adding passkeys and shoring up two-factor authentication with something other than SMS, the key rule is never to use links to access accounts. Always use your app or the sign-in page you usually use in your browser.

Account hijacks are painful, and while there are mechanisms to recover lost accounts, these can be time consuming and will not stop the content in your account from being stolen. It takes just seconds to secure your accounts — do that now.

Those same account defenses will protect you from the latest Gmail attacks, which use fake voicemail notifications to steal login credentials and gain access to accounts. Malware analyst Anurag flagged the issue on Reddit: a “seemingly harmless” email claimed “I had a ‘New Voice Notification’” and offered “a big ‘Listen to Voicemail’ button.”

Once the link is clicked, per Cybersecurity News, the attack “systematically captures and exfiltrates all entered data through encrypted channels. The system is designed to handle various Gmail security features, including: Primary email and password combinations, SMS and voice call verification codes, Google Authenticator tokens, Backup recovery codes, Alternative email addresses, Security question responses.”

Anurag says “this campaign is a good example of how phishing operations abuse legit services (Microsoft Dynamics, SendGrid) to bypass filters, and use captchas as both a deception tool and a barrier against automated security tools. Staying alert and performing deep inspection of suspicious emails is crucial. A single click on the Gmail phishing login could have led to stolen credentials.”

As I have warned before, what Gmail really needs is the equivalent of Apple’s Hide My Email, a feature that has been promised but thus far shows no signs of an imminent release. Absent that, it’s too easy for scammers and attackers to buy or steal your email address and push their threats directly into your inbox.

Yes, Google filters out huge volumes of such trash, but a vast amount still gets through. This is a matter of large numbers: when tens of billions of dangerous emails are sent, auto-deleting 90% or more of them still leaves far too many in inboxes.

Android Police has now offered some good advice for Gmail users. Despite what some reports have suggested, Gmail’s “plus addressing ([email protected])” is no substitute for a genuine alias. “Relying on one Gmail address is a major security risk,” and “the + is still your real address, which is easy to guess and doesn’t fool spammers.”

The website suggests solutions from Proton, Firefox and DuckDuckGo to provide a more robust system, although if your Gmail address is already out in countless databases you won’t stop all the inflow. Personally I use DuckDuckGo, thus the [email protected] in my Forbes profile. It’s an excellent solution and I recommend it to others.

“Email aliasing masks your real email address,” Android Police explains, “letting you generate unique, random email addresses for every website or service you sign up for. These addresses, called aliases, forward any incoming mail to your primary inbox, but the original sender never sees your real address. You can also shut off an email address if it starts receiving spam. The aliasing services also allow you to reply anonymously.”
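The difference between plus addressing and a true alias, from the two passages above, is easy to see in code. The following is an added example, not code from the article, Android Police or any aliasing provider. `plus_address_base` shows why a plus address is no disguise: anyone holding it recovers the real mailbox by dropping the `+tag`. `AliasService` is a deliberately minimal, hypothetical model of what an aliasing service does instead: it hands out random aliases that bear no relation to the real address, forwards inbound mail while showing the sender only the alias, lets you shut off one alias that starts attracting spam, and sends replies from the alias. The `alias.example` domain and all addresses are constructed for the example.

```python
import secrets
import string

# Assumption: a made-up aliasing-service domain for this example.
ALIAS_DOMAIN = "alias.example"


def plus_address_base(address):
    """Return the real mailbox behind a Gmail plus address.

    Gmail delivers anything after '+' in the local part to the same inbox, so
    'yourname+shop@gmail.com' reduces to 'yourname@gmail.com'. Every recipient
    of the plus address can do this, which is why it is not an alias.
    """
    local, sep, domain = address.rpartition("@")
    if not sep:
        raise ValueError("not an email address: %r" % address)
    return local.split("+", 1)[0] + "@" + domain


class AliasService:
    """Hypothetical model of an email aliasing service (illustration only)."""

    def __init__(self, real_inbox, domain=ALIAS_DOMAIN):
        self.real_inbox = real_inbox
        self.domain = domain
        self._aliases = {}  # alias address -> {"label": str, "enabled": bool}

    def create_alias(self, label):
        """Mint a random alias for one site; the local part carries no trace of the real address."""
        alphabet = string.ascii_lowercase + string.digits
        local = "".join(secrets.choice(alphabet) for _ in range(12))
        alias = "%s@%s" % (local, self.domain)
        self._aliases[alias] = {"label": label, "enabled": True}
        return alias

    def disable(self, alias):
        """Shut off a single alias (e.g. once it starts receiving spam); others keep working."""
        self._aliases[alias]["enabled"] = False

    def deliver(self, to_alias, sender, body):
        """Inbound mail: forward to the real inbox, or drop it if the alias is off or unknown.

        The sender only ever addressed the alias, so the real inbox never appears
        in anything they sent or received.
        """
        entry = self._aliases.get(to_alias)
        if entry is None or not entry["enabled"]:
            return None
        return {
            "forwarded_to": self.real_inbox,
            "sender": sender,
            "sender_sees": to_alias,
            "label": entry["label"],
            "body": body,
        }

    def reply(self, from_alias, to, body):
        """Outbound mail: the alias is the From address, so replies stay anonymous too."""
        entry = self._aliases.get(from_alias)
        if entry is None or not entry["enabled"]:
            raise ValueError("alias not active: %r" % from_alias)
        return {"from": from_alias, "to": to, "body": body}


if __name__ == "__main__":
    # Constructed addresses for the demonstration.
    print("plus address reveals:", plus_address_base("yourname+shop@gmail.com"))
    svc = AliasService("yourname@gmail.com")
    shop_alias = svc.create_alias("shop")
    print("alias handed to the shop:", shop_alias)
    print("inbound:", svc.deliver(shop_alias, "store@example.com", "Your receipt"))
    svc.disable(shop_alias)
    print("after disable:", svc.deliver(shop_alias, "spammer@example.net", "buy now"))
```

The point the model makes concrete is the direction of knowledge: from a plus address anyone can compute the real inbox, while from a random alias nobody can, and when one alias leaks you discard only that alias. Real services add the pieces this sketch omits (SPF/DKIM-correct forwarding, reply rewriting, rate limits), but the trust model is the same.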
