Not all account security emails you get are legitimate. And if you see one from Google in your Gmail inbox, think twice. There’s a new Gmail scam doing the rounds—and it looks like it came straight from Google.
Your Next Google Security Email Can Be a Phishing Scam
The campaign came to light after developer Nick Johnson received a complex phishing email that seemingly came from Google. In an X thread, Johnson explained that the email was sent from no-reply@accounts.google.com, and it passed Google’s DKIM signature check, meaning it was signed by accounts.google.com.
Because the signature was produced by a genuine Google domain, Gmail raised no flags. The email claims that a subpoena was served on Google LLC, requiring the company to produce a copy of the recipient's Google account content.
The email contains a sites.google.com link to a fake support page. This fake page shows the status of a supposed legal investigation, with a "documentation review" attached and two buttons to upload additional documents or view the case. Clicking either button takes you to another fake sign-in page, also hosted on sites.google.com.
Johnson didn't proceed beyond this point, but the fake login page is presumably there to collect your Google account credentials before redirecting you to a real Google page to avoid suspicion. Because you were already signed in to Gmail to read the message, most Google pages will open without a password prompt, completing the illusion of a genuine login.
Even though the fake login page is an exact copy of the real Google page, it’s easy to tell the two apart if you look at the page’s URL. Legitimate Google sign-in pages are hosted on accounts.google.com instead of sites.google.com. There are two major giveaways in the phishing email as well.
First, the email header shows that even though the email was signed by accounts.google.com, it originated from a privateemail.com address and was sent to “me@googl-mail-smtp-out-192-168-142-125-38-prod.net.” The second clue is at the bottom of the email, which has a lot of whitespace followed by text saying “Google Legal Support was granted access to your Google Account,” followed by the email address mentioned above.
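To make those header clues concrete, here is an added Python example (not from the article or from Johnson's thread) that compares the DKIM signing domain with the envelope sender, the relay named in the Received header and the To header; the sample headers, hostnames and addresses are constructed placeholders modelled on the indicators described above.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed sample modelled on the article's indicators (not the captured message).
SUSPICIOUS = """\
Return-Path: <bounce@privateemail.com>
Received: from mail.privateemail.com ([203.0.113.10]) by mx.example.net
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=placeholder; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: me@googl-mail-smtp-out-192-168-142-125-38-prod.net
Subject: Security alert
"""

# Constructed benign counterpart: envelope, relay and recipient all agree with From.
BENIGN = """\
Return-Path: <no-reply@accounts.google.com>
Received: from mail-out.accounts.google.com ([198.51.100.7]) by mx.example.net
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=placeholder; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@accounts.google.com>
To: you@example.com
Subject: Security alert
"""

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _in_domain(host, domain):
    return bool(host) and (host == domain or host.endswith("." + domain))

def analyze(raw, my_address):
    """Compare who signed the mail (DKIM d=) with who handed it in and to whom."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    dkim_domain = m.group(1).lower() if m else ""
    return_path = _domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    hop = re.match(r"from\s+(\S+)", str(msg.get("Received", "")))
    relay = hop.group(1).lower() if hop else ""
    recipients = [a.lower() for _, a in getaddresses([str(msg.get("To", ""))])]
    indicators = []
    if return_path and not _in_domain(return_path, from_domain):
        indicators.append("Return-Path domain %s differs from From domain %s" % (return_path, from_domain))
    if relay and not _in_domain(relay, from_domain):
        indicators.append("handed in by relay %s, outside %s" % (relay, from_domain))
    if my_address.lower() not in recipients:
        indicators.append("To header %s does not name your mailbox" % recipients)
    # An aligned, valid DKIM signature only proves the signer produced the message once;
    # it says nothing about who resent it or whether it was ever addressed to you.
    return {"dkim_aligned": dkim_domain == from_domain, "indicators": indicators}
```

Both samples carry an aligned signature, so a DKIM check alone passes them; only the envelope, relay and recipient comparison separates the replayed message from the genuine one.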
Google’s Domains Become Scammer Playgrounds
Considering the phishing email appears to originate from a legitimate Google site, the average Gmail user won’t think twice about following the instructions mentioned in the email. Additionally, since the fake pages are hosted on sites.google.com, people will see the legitimate google.com domain and assume that the page is real.
Google Sites is a legitimate Google service that lets you quickly create your own website and host it on Google's domain. While this is a handy tool, it also lets users run external scripts and embeds of their choice, which is a major security hazard.
The service also makes building phishing pages extremely easy. Even if a page is taken down by Google's abuse team, the scammers can have another one up in no time. The email, however, is the bigger security issue on Google's part.
Johnson submitted a bug report to Google about the email, but the company closed the issue, claiming the feature is working as expected and adding that they don’t consider it a security issue. This means we could see similar campaigns in the future. Keeping malicious email out is one of the reasons why I ditched Gmail for a more security-focused alternative.
Until Google sees things the right way, make sure you keep an eye out for such emails. If in doubt, check the email header and body for any weird email addresses or other pieces of text that aren’t usually found in official emails.