New e-mail trick targets Google users
Researchers have uncovered a clever phishing scam that abuses Google's own infrastructure to trick people into handing over their Google account passwords. Nick Johnson, a developer from the Ethereum Name Service, recently received an email that appeared to come from no-reply@google.com. The message claimed that law enforcement had served a subpoena for the contents of his Google account, which made it sound both serious and urgent.
At first glance, the email looked completely real. Johnson said it was very convincing and warned that someone who isn’t deeply familiar with tech could easily fall for it.
The scammers first created a Google account for an address on a domain they control (of the form me@domain). They then used Google's developer tooling to register an OAuth application. Instead of giving the app a normal name, they filled the name field with the fake legal notice about the police subpoena.
When that app was granted access to the account, Google automatically sent a security-alert email to the new address. Because the app's name is reproduced verbatim in that alert, the scam text appeared front and center in an email that Google itself had generated. The message carried a valid Google DKIM signature, so it cleared the usual authentication checks and did not land in the spam folder. The scammers then forwarded that email, unchanged, to their targets: as long as the signed headers and body are not altered, the signature still verifies at the recipient's mail server.
Everything about the email looked legitimate. But anyone who scrolled to the bottom might have noticed that it was addressed to a different email address, not their own, a small detail that gives the trick away. The scam works because a DKIM signature only proves that Google generated the message and that it has not been modified since; it says nothing about who relayed it or whether the To: address matches the mailbox that received it. Re-sending a signed message as-is to a new recipient is known as a DKIM replay, and that is the loophole the scammers are exploiting.
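The two tells described above (a To: address that is not yours, and a message signed by one organisation but handed over by a relay in another) can be checked mechanically. The following script is an added example, not code from the original article or from Google; it does not verify the DKIM signature cryptographically (it assumes the receiving mail server already did that) but reads the signed headers and the envelope sender to flag a replayed notification. The sample messages, domains, IP address and signature values are constructed for the example and are not real.

```python
"""Flag a DKIM-replayed notification: signed by one organisation, addressed
to a mailbox that is not ours, and delivered via a relay in another domain.

Added example; it does not check the signature itself and relies only on the
Python standard library."""
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr


def parse_dkim_tags(value):
    """Split a DKIM-Signature value ('v=1; a=...; d=...') into a tag dict,
    dropping the folding whitespace that long values pick up."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def org_domain(host):
    """Crude organisational domain: the last two labels. Production code
    should consult the Public Suffix List instead (assumption for brevity)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def replay_indicators(raw, my_addresses):
    """Return a list of human-readable findings; an empty list means the
    signed headers and the envelope are consistent with direct delivery."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    mine = {a.lower() for a in my_addresses}
    findings = []

    sigs = [parse_dkim_tags(str(h)) for h in msg.get_all("DKIM-Signature", [])]
    if not sigs:
        return ["no DKIM-Signature header"]

    # Return-Path is the envelope sender recorded by the last MTA that
    # accepted the message. A signer in one organisation and an envelope
    # from another is what a forward or replay looks like (caveat: mailing
    # lists and some forwarding services produce the same pattern).
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2]
    for tags in sigs:
        signer = tags.get("d", "").lower()
        signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
        if "to" not in signed:
            findings.append(f"To header is not covered by the {signer} signature")
        if rp_domain and org_domain(rp_domain) != org_domain(signer):
            findings.append(f"signed by {signer} but envelope sender is @{rp_domain}")

    # The To: header is inside the signature, so a replayer cannot rewrite
    # it; if it names nobody in this mailbox, the mail was meant for someone else.
    to_addrs = {a.lower() for _, a in getaddresses([str(h) for h in msg.get_all("To", [])])}
    if to_addrs and not (to_addrs & mine):
        findings.append("addressed to " + ", ".join(sorted(to_addrs)) + ", not to this mailbox")
    return findings


# Constructed sample: a Google-signed alert addressed to the scammer's own
# mailbox and then relayed unchanged to the victim (hostnames, IP and
# signature bytes are made up for the example).
REPLAYED = b"""\
Return-Path: <bounce@attacker-relay.example>
Received: from mail.attacker-relay.example (mail.attacker-relay.example [203.0.113.5])
 by mx.victim.example with ESMTPS; Thu, 17 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
 s=20230601; h=to:from:subject:date:message-id;
 bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
 b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ==
From: Google <no-reply@accounts.google.com>
To: me@attacker-domain.example
Subject: Security alert
Date: Thu, 17 Apr 2025 09:57:00 +0000
Message-ID: <constructed-1@accounts.google.com>

A law enforcement subpoena was received for your Google Account content...
"""

# Constructed sample of the same alert delivered directly to its real recipient.
LEGIT = b"""\
Return-Path: <3abc@accounts.bounces.google.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;
 s=20230601; h=to:from:subject:date:message-id;
 bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
 b=c3RpbGwgbm90IGEgcmVhbCBzaWduYXR1cmU=
From: Google <no-reply@accounts.google.com>
To: alice@victim.example
Subject: Security alert
Date: Thu, 17 Apr 2025 09:57:00 +0000
Message-ID: <constructed-2@accounts.google.com>

A new app was granted access to your Google Account.
"""

if __name__ == "__main__":
    for label, raw in (("replayed", REPLAYED), ("legit", LEGIT)):
        print(label, replay_indicators(raw, ["alice@victim.example"]) or ["clean"])
```

Run as-is it prints two findings for the replayed sample and "clean" for the direct delivery. In a real mail pipeline the same logic belongs in a milter or a post-delivery rule that reads Authentication-Results first, since none of this means anything if the signature did not actually verify.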
To make things worse, the scammers also built a fake Google login page with Google Sites, a tool anyone can use to put up a simple website. Because Google hosts it, the page sits on a sites.google.com address and the URL looks trustworthy at a glance. But a real Google sign-in prompt lives on accounts.google.com, never on sites.google.com, and anyone who types their email and password into that page is handing them straight to the scammers.