
As the most popular email client on the planet, it's unsurprising that hackers are targeting Gmail users

Google's built-in scam protection doesn't block this advanced cyber-attack
- Google is hard at work on a fix for a dangerous new Gmail scam
- Phishing emails are sent from no-reply@accounts.google.com and carry a genuine Google signature
- That is the address Google itself uses for account security alerts, so it is not a lookalike you can spot
- Cybercriminals are also using Google Sites to steal passwords
- Security experts at Kaspersky have issued critical advice
Be extremely careful when clicking on messages in your Gmail inbox — especially those that appear to come directly from Google, security experts have warned. That's because a sophisticated new scam allows cybercriminals to send messages from "no-reply@accounts.google.com" that carry a genuine Google signature.
That address is not a lookalike: it's the automated sender Google uses for account security alerts and other official notifications, so checking the "from" line alone won't tell you anything is wrong.
What makes this attack particularly dangerous is that it passes Google's own email authentication protections. Experts at security firm Kaspersky describe the scam emails as looking "perfectly 'Googley'," showing the potential risk for millions of Gmail users who aren't scrutinising every detail in every email they receive.
Security researchers from Kaspersky have shared examples of the “to” and “mailed-by” fields in a genuine Google security alert
Cybercrooks appear to be leveraging this clever new "no-reply@accounts.google.com" method to send out phishing scams, which attempt to extract your Google Account username and password.
Google is aware of the scam and is working on a fix for the weakness in its OAuth system that lets the attacker have a genuine, Google-signed alert generated in the first place. However, it's unclear how long it'll take to resolve the issue and deploy the fix across a service with 1.8 billion users worldwide.
In the meantime, security experts at Kaspersky have shared some crucial advice for Gmail users to keep themselves safe from the phishing scheme.
- Stay calm if you get an email like this. Begin by carefully examining all the email header fields and comparing them to legitimate emails from Google — you likely have some in your inbox. If you see any discrepancies, don’t hesitate to hit “Delete”.
- Be wary of websites on the google.com domain created with Google Sites — the company's free web-based platform for creating websites and online pages. Scammers have been increasingly exploiting this platform for a wide range of phishing schemes since these URLs can look deceptively official at a glance.
- As a general rule, avoid clicking links in emails.
- Use a robust security solution that will provide timely warnings about danger and block phishing links.
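A way to automate the header comparison Kaspersky recommends, as an added example that is not part of the original article or of Kaspersky's advice. It reads headers a receiving mail server already adds (Authentication-Results, DKIM-Signature, Return-Path, To) and flags the two tell-tales of a replayed, genuinely signed message: the DKIM signing domain ("signed-by" in Gmail's message details) differs from the domain that actually handed the message over ("mailed-by"), and the To: header is not your own mailbox. Both sample messages are constructed for the example; the relay hostname, the attacker mailbox and the abbreviated signature values are placeholders, not real Google or attacker headers.

```python
"""Flag replayed/forwarded DKIM-signed mail from its authentication headers.

Added example; not code from the original article or from Kaspersky.
The two raw messages below are constructed for the example: the relay
hostname, the attacker mailbox and the 'bh=...'/'b=...' values are
placeholders, not real Google or attacker headers.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample 1: what a genuine alert looks like once it lands in
# alice@example.net's mailbox. Signed-by and mailed-by agree, To: is alice.
GENUINE_ALERT = """\
Return-Path: <3abc123@accounts.google.com>
Received: from mail-sor-f41.google.com ([209.85.220.41]) by mx.example.net
Authentication-Results: mx.example.net; dkim=pass header.i=@accounts.google.com header.s=20230601; spf=pass smtp.mailfrom=accounts.google.com; dmarc=pass header.from=accounts.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=20230601; h=to:from:subject:date:message-id; bh=...; b=...
From: Google <no-reply@accounts.google.com>
To: alice@example.net
Subject: Security alert
Message-ID: <a1@accounts.google.com>

A new sign-in on Windows was detected.
"""

# Constructed sample 2: the same kind of alert, genuinely signed by Google,
# but issued to a mailbox the attacker controls and then relayed to alice.
# DKIM still passes (signed headers and body are untouched), DMARC passes on
# DKIM alignment alone, yet SPF now vouches for the relay, not for Google.
REPLAYED_ALERT = """\
Return-Path: <bounce@relay.example.org>
Received: from relay.example.org ([203.0.113.7]) by mx.example.net
Authentication-Results: mx.example.net; dkim=pass header.i=@accounts.google.com header.s=20230601; spf=pass smtp.mailfrom=relay.example.org; dmarc=pass header.from=accounts.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com; s=20230601; h=to:from:subject:date:message-id; bh=...; b=...
From: Google <no-reply@accounts.google.com>
To: me@attacker-workspace.example
Subject: Security alert
Message-ID: <b2@accounts.google.com>

A subpoena has been served. View case: https://sites.google.com/view/constructed-example
"""


def parse_auth_results(value):
    """Split an Authentication-Results header into method results and properties.

    'mx; dkim=pass header.i=@a.com; spf=fail smtp.mailfrom=b.org'
    -> ({'dkim': 'pass', 'spf': 'fail'}, {'header.i': '@a.com', 'smtp.mailfrom': 'b.org'})
    """
    results, props = {}, {}
    for clause in value.split(";")[1:]:        # clause 0 is the authserv-id
        for token in clause.split():
            if "=" not in token:
                continue
            key, val = token.split("=", 1)
            (results if key in ("dkim", "spf", "dmarc") else props)[key] = val.lower()
    return results, props


def domain_of(addr):
    """'Name <user@Host.Example>' or bare 'host.example' -> 'host.example'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage(raw_message, my_mailbox):
    """Return signed-by, mailed-by, the To: address and a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results, props = parse_auth_results(str(msg.get("Authentication-Results", "")))

    # signed-by: the d= tag of the DKIM signature that verified
    m = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    signed_by = m.group(1).lower() if m else None

    # mailed-by: the envelope sender SPF evaluated; fall back to Return-Path
    mailed_by = domain_of(props.get("smtp.mailfrom") or str(msg.get("Return-Path", "")))
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()

    findings = []
    if results.get("dkim") == "pass" and signed_by and signed_by != mailed_by:
        findings.append(
            f"signed-by {signed_by} but mailed-by {mailed_by}: the signature is genuine, "
            "yet a different domain delivered the message (forwarded or replayed)")
    if to_addr != my_mailbox.lower():
        findings.append(
            f"To: is {to_addr}, not {my_mailbox}: the alert was issued to someone else")
    return {"signed_by": signed_by, "mailed_by": mailed_by, "to": to_addr,
            "findings": findings}


def is_suspicious(raw_message, my_mailbox):
    return bool(triage(raw_message, my_mailbox)["findings"])


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE_ALERT), ("replayed", REPLAYED_ALERT)):
        print(name, "->", triage(raw, "alice@example.net")["findings"] or "no findings")
```

The point of the check is that DKIM and DMARC both pass on the replayed message, exactly as the article describes; what gives it away is the disagreement between the signing domain and the delivering domain, plus a To: header that was never yours. In Gmail these are the "signed-by" and "mailed-by" lines under "Show original".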
It's been a few months since security experts spotted the first examples of scam emails sent from the no-reply@accounts.google.com address. Software developer Nick Johnson brought the attack to the public's attention after sharing an email claiming a subpoena had been served that required Google to produce a copy of his digital account content. The email carried Google's own no-reply sender address and passed Google's DKIM signature check, which confirms that the message content was signed with the sending domain's key; a DKIM signature stays valid when a signed message is forwarded or replayed unchanged, which is why Gmail showed it without a warning.
The first thing to note is that this is a valid, signed email - it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings - it even puts it in the same conversation as other, legitimate security alerts. pic.twitter.com/GxlFR6ccLG
— nick.eth (@nicksdjohnson) April 16, 2025
When you receive one of these emails, it will even appear in the same conversation thread as other legitimate security alerts from Google — making it almost impossible to spot that it's a fake.
If you click on the link in these emails, you'll be taken to a "very convincing" login portal page hosted on sites.google.com. This is a crucial detail — the fake login page appears on a legitimate Google domain, making it extremely difficult to spot the scam.
Clicking on "Upload additional documents" or "View case" takes you to a signin page - again an exact duplicate of the real thing; the only hint it's a phish is that it's hosted on https://t.co/tl3ktQkM5X instead of https://t.co/kCLNEQcBQK. pic.twitter.com/RYCf8LKmTQ
— nick.eth (@nicksdjohnson) April 16, 2025
The only subtle clue that something is amiss is that the page is hosted on sites.google.com instead of accounts.google.com, the host you're sent to whenever you sign in to a genuine Google account page. A sites.google.com address only means the page was built with Google's free site builder, which anyone with a Google account can use; it says nothing about who built it. If you're unlucky enough to fall for this scam and enter your account credentials into the "convincing" login page set up by cyber criminals, you hand them straight to the attacker.
Once the sophisticated crooks behind this scam gain access to your Google account username and password, they can then potentially access all the sensitive information stored in your Gmail account.
With billions of users worldwide, Gmail remains one of the most popular email services and a prime target for cyber criminals. This new attack method could potentially affect all 1.8 billion Gmail users globally.
Google has acknowledged the issue and is working on a fix.
Security experts warn that as AI technology advances, these sophisticated phishing techniques will become more widespread and harder to detect.
What makes this particular scam so alarming is that it exploits trust in Google's own infrastructure. Even tech-savvy users might struggle to identify this as a scam, putting countless individuals at risk of having their personal data compromised. The financial and privacy implications could be devastating.
Google has confirmed it is aware of the attack and is actively working to address the vulnerability.
"We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week," a Google spokesperson said. "These protections will soon be fully deployed, which will shut down this avenue for abuse."
However, the technology firm has not provided a specific timeline for when the fix will be completely rolled out globally.
Until then, all Gmail users are advised to remain vigilant and take additional security precautions.
In the meantime, Google is encouraging users to adopt stronger security measures to protect themselves. Here's what you should do:
- Enable two-factor authentication (2FA) on your Google account immediately.
- Set up passkeys, which provide stronger protection against phishing campaigns than traditional passwords.
- Avoid using SMS-based 2FA as this can be intercepted by malware like the recently discovered "Gorilla" Android threat.
- Consider using an authenticator app or Google prompts instead of SMS codes.
- Prefer a passkey over your password when signing in, even if you have 2FA enabled; a passkey is bound to the site it was created for, so it cannot be typed into a fake login page.
- Remember that physical device-linked security measures are much harder for attackers to bypass.
Beyond these technical measures, there are simple warning signs you should watch for to avoid falling victim to this scam. Never click on links in emails, even if they appear to be from Google. Instead, type the address directly or use your bookmarks.
Be especially wary of messages creating a sense of urgency or requiring immediate action. A genuine Google security alert can always be checked without touching the email: open your Google Account's security settings directly in your browser and look for the alert there.
If an email mentions legal action, subpoenas or law enforcement requests, verify it through official Google channels before taking any action.
Always check the exact hostname in the address bar before entering your credentials: a genuine Google sign-in page is served from accounts.google.com, and sites.google.com, or any other host, means stop.
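The "exact domain" check above, and the sites.google.com versus accounts.google.com distinction described earlier, as an added example that is not part of the original article. It shows why the test must be an exact hostname match rather than "contains google.com", and which URL tricks a careless check falls for. All sample URLs, including the Google Sites path and the evil.example hosts, are constructed for the example.

```python
"""Decide whether a sign-in URL really points at Google's login host.

Added example; not code from the original article. The sample URLs are
constructed, including the Google Sites path and the 'evil.example' hosts.
"""
from urllib.parse import urlsplit

GOOGLE_SIGNIN_HOST = "accounts.google.com"


def signin_host(url):
    """Hostname a browser would actually connect to for this URL, or None.

    urlsplit().hostname drops the userinfo part (so 'accounts.google.com@evil.example'
    resolves to evil.example), the port and IPv6 brackets, and lowercases the name.
    A trailing dot is the same host in absolute form, so it is stripped too.
    Only https is accepted: a real Google sign-in page is never served over http.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")


def classify(url):
    """Exact-match verdict, never a substring or suffix test."""
    host = signin_host(url)
    if host is None:
        return "reject: not an https URL"
    if host == GOOGLE_SIGNIN_HOST:
        return "ok: Google sign-in host"
    if host == "sites.google.com":
        return "reject: Google Sites page; anyone with a Google account can publish here"
    if host == "google.com" or host.endswith(".google.com"):
        return "reject: a google.com host, but not the sign-in host"
    return "reject: not a Google host"


def is_google_signin(url):
    return classify(url).startswith("ok:")


# Constructed sample URLs covering the tricks the exact-host check must survive.
SAMPLES = [
    "https://accounts.google.com/ServiceLogin",            # genuine
    "https://ACCOUNTS.GOOGLE.COM:443/signin",              # case and port are irrelevant
    "https://accounts.google.com./signin",                 # absolute FQDN form
    "https://sites.google.com/view/google-support",        # the lure in the article
    "https://accounts.google.com.evil.example/login",      # suffix trick
    "https://accounts.google.com@evil.example/login",      # userinfo trick
    "http://accounts.google.com/signin",                   # downgraded scheme
    "https://mail.google.com/",                            # Google, but not sign-in
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):<72} {url}")
```

The same rule applies to any link you are about to trust: compare the parsed hostname, not the text of the link, and compare it for equality with the one host you expect.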