If you're one of the 1.8 billion people worldwide who rely on Gmail to send and receive emails — you must be on alert for a dangerous new scam. Hackers are leveraging Google Gemini, the cutting-edge Artificial Intelligence (AI) tool built into Gmail and other Google-built apps, to trick account-holders into handing over sensitive information.
One of the standout features of Google Gemini is the ability to summarise incoming emails in bullet points. The AI can also suggest actions based on the content of the email, like adding an event to your calendar.
Security researcher Marco Figueroac has discovered that cybercriminals can manipulate the Gemini AI assistant to display fake warnings in these AI-generated summaries.
Dubbed a “prompt-injection” attack, it tricks Google Gemini into warning that your password has been stolen and urging you to make a call to a fake support number, also fed to the AI by the hackers.
0DIN.AI | MARCO FIGUEROA
|Security researcher Marco Figueroa spotted the problem and flagged concerns to the Google Gemini team. Since the false information appears within the Google Gemini interface, it adds a strong sense of authenticity
These fake warnings can appear alarmingly legitimate.
In one demonstration from Figueroac, Gemini stated: "WARNING: Gemini has detected that your Gmail password has been compromised. Please call us immediately," followed by a phone number and reference code.
While you're unlikely to trust a warning like that within an email, these AI-generated summaries are much more convincing since they appear to come from Google's own systems.
"Since the message would come from a trusted source, it increases the chances of success," Figueroa explained.
0DIN.AI | MARCO FIGUEROA
|Tricking Google Gemini into summarising false information can be as simple as writing-out the fake details in a font that's invisible to the naked eye
How are hackers able to manipulate Google Gemini?
The technique behind a “prompt-injection” attack is deceptively simple. It works by embedding hidden instructions for the AI into the body of an email that trick Gemini into generating an entirely false security alert whenever you use the summary feature.
Hackers embed these malicious instructions using HTML and CSS tricks that make the text invisible to you.
Cybercrooks set the font size to zero or colour the text white against a white background, making it completely (almost) undetectable when you read the email as normal.
The deception works particularly well because you're accustomed to relying on Gemini for legitimate email management tasks. When you see a security alert in an AI summary rather than the email itself, you're more likely to believe it's an official Google warning rather than recognising it as a phishing attempt.
However, when you ask Gemini to summarise the message, all the AI is doing is reading everything in the message, processing the text, and summarising it in as few words as possible. The invisible prompt instructs Gemini to generate fake security warnings that appear in your summary panel.
These emails bypass spam filters because they don't contain suspicious links or attachments — just hidden text that only the AI can see. You won't notice anything unusual in the email body, but Gemini will "faithfully obey" the concealed instructions, security researcher Marco Figueroac explained.
A spokesperson for Google explained to PC Mag: "We are constantly hardening our already robust defenses through red-teaming exercises that train our models to defend against these types of adversarial attacks."
The company told the publication that its engineers have patched the specific threat demonstrated by researchers.
Google has reassured that it hasn't encountered any real-world examples of cybercriminals using this specific method to launch succesful attacks against Gmail account holders. With billions of users worldwide, Gmail remains one of the most popular email services and a prime target for cyber criminals.
The Californian company has published a blog post that details its ongoing efforts to prevent against "prompt injection"-style attacks as it increasingly relies on its Google Gemini service across Gmail, Google Sheets, Google Slides, and other apps within its Workspace suite.
Google states: "We continue working to make upcoming Gemini models inherently more resilient and add additional prompt injection defences directly into Gemini later this year."
LATEST DEVELOPMENTS
- Sky Mobile cuts newest iPhone to its 'lowest ever price'
- Best VPN deals
- Sky TV's record-breaking Wi-Fi 7 broadband launches in UK
- Samsung cuts £200 from Galaxy Z Fold 7 and Galaxy Z Flip 7 prices
- Virgin TV viewers warned BBC iPlayer could STOP working this month
- Best Sky Glass deals
Security experts recommend several actions to safeguard your account:
- Never trust urgent security warnings that appear in AI summaries
- Google will never tell you to change your password via a Gemini summary
- Always check the original email if a summary contains unexpected warnings or phone numbers
- Be suspicious of any summary requesting you call support numbers or take immediate action
- Verify any security concerns by logging directly into your Google account through official channels
- Remember that Google has no direct phone support number for Gmail