If You Get This Message, Your Google Account Is Under Attack
Google accounts are under attack
VCG via Getty Images
Google has confirmed that user accounts are under attack. And while the spiraling threat from infostealers is now out of control, almost 40% of “successful intrusions” come from phishing attacks that steal user names and passwords.
While Gmail accounts are prized above all, once a hacker has control of your Google account credentials they can access all the Google services you use, as well as any other third-party apps and services that rely on your Google credentials to sign-in.
Old school phishing attacks using poorly written messages and emails are being replaced by nicely written, grammatically correct lures courtesy of AI. And when you click a link through to a fake login page, it’s now a perfect replica of the real thing.
Attacks even include hijacks of Google’s own suspicious sign-in warnings and its “no-reply” email addresses, plus the exploitation of legitimate infrastructure such as Forms, Sites and even Translate. If it’s out there, one bad actor or another will try to use it.
Malicious voicemail.
Courtesy of Redditor anuraggawande, there’s even a malicious voicemail doing the rounds — or at least a voicemail notification. “I received an email claiming I had a ‘New Voicemail Notification’. The email included a big ‘Listen to Voicemail’ button.”
The link “used a legitimate Microsoft Dynamics domain to host the initial page, instantly boosting credibility.” But “after solving the captcha, the site redirected to a Gmail login clone hosted on the same malicious domain and not to accounts.google.com. The page was pixel-perfect, ready to steal credentials.”
Typically now, this attack looked “looked professional and harmless, but just as with any message, email or notification from Google or any other provider, you should never log into any website or platform from a link. Always use your regular methods of entry to access your accounts — apps or websites. The other critical advice is to use a non-SMS form of two-factor authentication and to add a passkey.
As Google explains, “passkeys offer users a convenient and secure authentication experience across websites and apps. Unlike passwords, which can be guessed, stolen, or forgotten, passkeys are unique digital credentials tied to a user’s device.”