
New e-mail trick targets Google users

Researchers have uncovered a clever phishing scam that uses Google’s own tools to fool people into giving away their Google account passwords. Nick Johnson, a developer from the Ethereum Name Service, recently received an email that seemed to come from no-reply@google.com. The message said that police had requested access to his Google account, making it sound serious and urgent.

At first glance, the email looked completely real. Johnson said it was very convincing and warned that someone who isn’t deeply familiar with tech could easily fall for it.

Scammers created a fake Google account using a custom email address like me@domain. Then, they used one of Google’s tools to create a special app. Instead of giving it a normal name, they filled the name with a fake legal message about the police subpoena.

When they set up this app, Google automatically sent a confirmation email to the new address. Since the scam message was used as the app’s name, that message showed up front and center in the email. Because Google itself generated the message, it looked completely official. It even passed all of Google’s security checks, so it didn’t end up in the spam folder. After receiving that email, the scammers forwarded it to their target.

Everything about the email looked legit. But if someone had scrolled to the very bottom, they might have noticed it was meant for a different email address, not theirs, a small detail that could give away the trick. This type of scam works because Google's checks confirm that the message content genuinely came from Google, but they don't always catch that an authentic message has been forwarded on to someone it was never addressed to. The scammers are using that little loophole to their advantage.

To make things even worse, they also created a fake Google login page using Google Sites, a tool anyone can use to build a simple website. Because it’s hosted by Google, the web address looks trustworthy. But anyone who types in their email and password on that page is handing it straight to the scammers.
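The two tells described above (a Google-signed message whose addressed recipient is not the mailbox it landed in, and a login link hosted on Google Sites) can be checked mechanically. The following is an added example, not code from the article or from Google: it parses a raw message, compares the To/Cc recipients and any address in the closing footer against the Delivered-To mailbox, and flags links to sites.google.com. It assumes the receiving mail server adds Delivered-To and Authentication-Results headers (both common, but not universal), and the sample message, its header values and its footer wording are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample: an authenticated Google-style notification that was
# forwarded into a different mailbox and links to a Google Sites page.
# All addresses, paths and wording here are invented for this example.
SAMPLE_RAW = """\
Delivered-To: victim@example.net
Authentication-Results: mx.example.net; dkim=pass header.i=@accounts.google.com
From: Google <no-reply@accounts.google.com>
To: me@domain.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A notice about your account. Review the case at
https://sites.google.com/view/case-review-000/home

This email was sent to me@domain.example.
"""

# Hosts where anyone can publish a page, so a link there proves nothing.
SUSPICIOUS_LINK_HOSTS = ("sites.google.com",)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def delivered_mailboxes(msg):
    """Mailboxes the message actually arrived in (Delivered-To headers)."""
    return {a.lower() for _, a in getaddresses(msg.get_all("Delivered-To", []))}


def addressed_recipients(msg):
    """Recipients the sender wrote to (To/Cc), which DKIM covers when signed."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {a.lower() for _, a in getaddresses(hdrs)}


def body_text(msg):
    """Plain-text body, joined across parts for multipart messages."""
    parts = [msg] if not msg.is_multipart() else list(msg.walk())
    out = []
    for p in parts:
        if p.get_content_type() == "text/plain":
            raw = p.get_payload(decode=True) or b""
            out.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def analyze(raw):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    delivered = delivered_mailboxes(msg)
    named = addressed_recipients(msg)

    # 1. The message was addressed to someone else entirely.
    if delivered and named and not (delivered & named):
        findings.append("recipient-mismatch")
        # A passing DKIM result on such a message means an authentic
        # message was forwarded, exactly the pattern in the article.
        if "dkim=pass" in msg.get("Authentication-Results", ""):
            findings.append("authenticated-forward")

    body = body_text(msg)

    # 2. The footer names an address that is not this mailbox (the detail
    #    a reader would only see by scrolling to the very bottom).
    footer = body.strip().split("\n\n")[-1]
    footer_addrs = {a.lower() for a in EMAIL_RE.findall(footer)}
    if delivered and footer_addrs and not (delivered & footer_addrs):
        findings.append("footer-address-mismatch")

    # 3. Links to hosts where anyone can publish a page.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SUSPICIOUS_LINK_HOSTS:
            findings.append("link:" + host)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RAW):
        print(finding)
```

The recipient checks only make sense once the message has been authenticated (a forged message would fail DKIM outright), so the script relies on the upstream Authentication-Results verdict rather than re-verifying signatures itself. Mail filters that act on these findings should treat a passing DKIM result as evidence that Google wrote the message, not that Google sent it to this mailbox.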
