Fake Google Emails Are Fooling Gmail Users: Here’s How to Stay Safe

Gmail users are being targeted in an alarmingly convincing phishing scam that leverages real Google email addresses and cloned support pages to steal login credentials. What makes this particular scam dangerous is its ability to bypass standard security checks, making the emails look like they're genuinely from Google.

The scam came into the spotlight after software developer Nick Johnson shared his experience on X (formerly Twitter).

Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got: pic.twitter.com/tScmxj3um6

— nick.eth (@nicksdjohnson) April 16, 2025

He received an email from the verified address no-reply@google.com alleging a subpoena had been issued for his Google account data. The message included a link that looked like an official Google support page — but clicking it led to a meticulously cloned Google sign-in page hosted on a subdomain of Google itself.

Even Google's own security checks were tricked

What sets this phishing campaign apart is that it cleverly navigates past authentication protocols like DKIM (DomainKeys Identified Mail), which are meant to flag suspicious messages. Even more troubling is the fact that the fraudulent message appeared in the same Gmail thread as legitimate security alerts from Google, increasing the odds that users would trust it.

Once on the fake sign-in page, users were prompted to “protest” the alleged subpoena, but any credentials entered would go straight into the attackers’ hands, giving them full access to the victim’s emails and personal data.

Google confirms the threat, urges users to act

Google has confirmed the phishing attack, stating that it “exploited OAuth and DKIM mechanisms in a novel way.” The company added that it is “rolling out protections” to address the issue and expects them to be “fully deployed” soon.

In the meantime, Google is encouraging all users to strengthen their account security by enabling two-factor authentication and switching to passkeys, which are harder for attackers to steal.

How to protect yourself right now

While Google works on a fix, users are strongly advised to avoid clicking on links in unexpected or unsolicited emails, even if they appear to come from Google. The safest course of action is to visit the official Google website directly and log in from there to check for any real alerts.

This incident serves as a stark reminder that even tech giants' own platforms can be manipulated for phishing. Until the security patch is fully rolled out, a little extra scepticism and a few more clicks could be the difference between staying safe and losing control of your account.