New password attack warning confirmed
Republished on June 3 with a new threat of a very different kind to your Gmail account, as one Google AI exec talks about getting rid of email.
You have been warned. Gmail attacks have reached a new level of threat. If you don’t act to secure your account you could lose it — at least long enough for irreparable damage to be done. This is the gateway to other Google accounts and services, so do not take risks. Fortunately, Google has just confirmed its warning to help you keep your account.
The latest such threat generated headlines when Instagram boss Adam Mosseri posted about “a sophisticated phishing attack”: first a call to say his “Google account was compromised,” then “an email to confirm my identity,” after which he was “asked to change my password using my Gmail app.” That’s the tell, and it should have stopped there.
But understandably, Mosseri was “impressed” by the credibility of the attack. It will come as little surprise now, but the attacker’s email “came from forms-receipts-noreply@google.com and linked to which of course asked me to sign in.” This is fast becoming an alarming new normal.
This use of legitimate infrastructure to legitimize malicious emails, forms and websites has driven viral story after viral story in recent months. Just this week, another warning followed threat actors “leveraging tools from trusted tech giants to exploit users.” Cofense discovered Google tech being used to phish for Microsoft credentials, with “an email masquerading as an invoice, containing a link to a webpage that uses Google Apps Script, a development platform integrated across Google’s suite of products.”
Google responded to Mosseri’s post on Threads, confirming both the password attack and the company’s critical advice to users. “Thank you for flagging — we suspended that form and site yesterday, and we constantly roll out defenses against these types of attacks. As a reminder: Google will never call you about your account.”
That’s the crux. If you receive an email or a call from Google to handle an account issue or change a password or other account settings, it’s a scam. It really is that simple. “Please reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues,” a company spokesperson asked me.
New Gmail password attack
The other advice is to remove password-only access to your accounts and to use only two-factor authentication that is tied to your physical devices. Do not use SMS, email or any other message that can be intercepted. It needs to be a passkey (ideally) or an authenticator app at a minimum. If the latter, never enter codes into any popup or website you have not reached through your usual channels. No links or surprise popups.
As with other Google infrastructure attacks we have seen in recent months, including the infamous “no-reply@google.com,” the newsflow following Mosseri’s post (1,2) focuses on the cleverness of the attack and the difficulty in detecting it mid-flight. But just do those two things — set up passkeys and never respond to calls or emails from Google about account issues — and your account will be safe and secure.
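As an added illustration that is not part of this article, the toy model below shows why a passkey cannot be handed to the wrong site the way a one-time code typed into a popup can: the browser, not the page, records the origin in the signed data, and the real site rejects anything signed for another origin. The relying-party name, origin and challenge are constructed, and HMAC stands in for the authenticator's public-key signature.

```python
"""Toy WebAuthn assertion showing passkey origin binding (constructed example).

The browser writes clientDataJSON with the origin it is really on, the
authenticator signs authenticatorData || SHA-256(clientDataJSON), and the
relying party checks origin and rpIdHash before trusting the signature.
HMAC with a per-credential secret stands in for the real public-key signature.
"""
import hashlib
import hmac
import json

RP_ID = "accounts.example"                           # constructed relying-party ID
ALLOWED_ORIGIN = "https://accounts.example"          # constructed legitimate origin
CREDENTIAL_SECRET = b"constructed-credential-secret"  # stand-in for the passkey


def browser_client_data(origin: str, challenge: str) -> bytes:
    # The browser fills in the origin; a phishing page cannot choose this value.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()


def authenticator_sign(rp_id: str, client_data: bytes) -> tuple[bytes, bytes]:
    # authenticatorData begins with SHA-256(rpId); the signature covers it and
    # the hash of clientDataJSON, so neither can be edited after signing.
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()


def rp_verify(challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks, in the order a real server would apply them."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
        return "rejected: wrong type or replayed challenge"
    if data.get("origin") != ALLOWED_ORIGIN:
        return f"rejected: origin {data.get('origin')!r} is not {ALLOWED_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rejected: rpIdHash does not match this relying party"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "rejected: bad signature"
    return "accepted"


def login_from(origin: str, challenge: str = "constructed-challenge-123") -> str:
    """Simulate a complete login attempt from a page served at `origin`."""
    # The browser derives the RP ID from the host it is on, so a look-alike host
    # produces an assertion bound to the wrong site even if relayed to the real one.
    rp_id = origin.removeprefix("https://").split("/")[0]
    client_data = browser_client_data(origin, challenge)
    auth_data, sig = authenticator_sign(rp_id, client_data)
    return rp_verify(challenge, client_data, auth_data, sig)
```

Contrast this with a six-digit code, which carries no origin at all and is accepted by the real site no matter which page collected it.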
But there’s a chance you won’t get to keep email anyway. If Google’s Demis Hassabis has his way, that is. “The thing I really want that we’re working on is next-generation email… I would love to get rid of my email.” The DeepMind CEO was speaking at this week’s SXSW Conference in London, which is focusing on everything “from the future of AI and robotics, to fintech and the creator economy.”
“The prize-winning scientist is responsible for developing some of the most complex and sophisticated AI models the world has ever seen,” CNET points out. “His mission to render email (presumably Gmail?) — an annoyance of our own human invention — obsolete feels like small fry in comparison.” TL;DR, if anyone can, he can, I guess.
Echoes here of the raft of AI features making their way into the Gmail platform, giving users a huge decision to make. Is it sensible to let primarily cloud-based AI run riot across all past emails and even file storage to better craft replies with the right style, context and tone of voice? Do we even know how to make that decision yet?
But we need to. As I have advised repeatedly, be sure to understand the implications before enabling (or failing to disable) these new updates. Not by accident, Google’s other recent Gmail innovation — quasi end-to-end encryption — doesn’t work with its new AI features for security and privacy reasons. Take note.