Google recently introduced an option for users to update their Gmail addresses, and cybercriminals are already taking advantage of it to launch attacks.
This update keeps the original email as an alias, ensuring messages still arrive in the user's inbox. It's designed mainly for those looking to switch from an outdated address.
Experts in cybersecurity are alerting people that fraudsters are using this addition to create convincing phishing messages dispatched through Google's official channels, with the goal of seizing full control of accounts.
These deceptive messages claim to come from Google and discuss a supposed address modification or required verification step. They seem trustworthy since they use Google's infrastructure and show authentic sender addresses like [email protected].
The emails typically reference a security step, like setting up a new address or verifying identity. They include a link that appears to direct to Google's support or security area, but it actually routes users to bogus sites prompting for password entry.
The scheme is especially tricky because the perpetrators host their pages on sites.google.com, a legitimate Google service for building user-created websites, which spam detectors often do not flag. The imitation pages closely mimic official Google interfaces and look legitimate at first glance.
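A defender-side check that follows from the point above, added here as an example and not part of the original article: it parses an HTML email body, extracts every link, and flags links that a genuine Google account notice would not contain, either because they land on Google's user-content host sites.google.com or because they leave Google's account domains entirely. The allow-list of official hosts and the sample email are constructed assumptions for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: hosts a genuine Google account/security notice links to.
OFFICIAL_HOSTS = {"accounts.google.com", "myaccount.google.com", "support.google.com"}
# Google-owned hosts that serve user-created pages; a "security" link pointing
# here is the red flag the article describes.
USER_CONTENT_HOSTS = {"sites.google.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def flag_suspicious_links(html_body):
    """Return a list of (href, reason) for links that should not appear in a
    genuine Google account notification. mailto: and relative links are skipped."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, _text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # no network host to evaluate (e.g. mailto:)
        if host in USER_CONTENT_HOSTS:
            findings.append((href, "link hosted on Google user-content site"))
        elif host not in OFFICIAL_HOSTS:
            findings.append((href, "link host is not an expected Google account domain"))
    return findings


# Constructed sample resembling the lure described in the article.
SAMPLE_EMAIL = """<p>Your Gmail address change requires verification.</p>
<a href="https://sites.google.com/view/example-verify">Verify your account</a>
<a href="https://myaccount.google.com/security">Review your security settings</a>"""

if __name__ == "__main__":
    for href, reason in flag_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {href} ({reason})")
```

Run it over an inbound message's HTML part in a mail-filtering pipeline; any finding on a message claiming to be a Google security notice is worth quarantining for review.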
Successful account takeovers pose major risks. Beyond Gmail, linked services like Google Drive, Photos, and Calendar become vulnerable. If the account links to external platforms such as social media, e-commerce sites, or banking apps, intruders could access those too, creating widespread fallout.
Check Point Research identified an initial surge of such incidents toward the close of 2025, prior to Google's broader public rollout of the feature.
During that period, the fraudsters used a workflow-automation tool to distribute the phishing messages through Google's legitimate infrastructure. Google confirmed that no breach of its systems occurred and implemented safeguards.
Even with their polished look, these fake emails reveal telltale signs for the vigilant. Common indicators include unexpected urgent language or requests for sensitive info.
Google advises against following links in emails and urges users to check their account directly for alerts by visiting the Google account page manually in a browser. Legitimate notifications include specifics such as the device that signed in, the time, and the location.
Staying cautious with unexpected messages is crucial. Activate two-factor authentication on your Google account to block unauthorized entry even if the password is compromised.
Routinely review security options, choose strong unique passwords, and avoid submitting credentials through email links. If unsure, access the official Google site directly, sign in, and verify any needed actions.
Criminals frequently exploit fresh features for phishing schemes. It's essential to stay alert to supposed security alerts, regardless of their apparent legitimacy.