Google has issued an urgent alert to its 1.8 billion Gmail users following confirmation of a highly sophisticated phishing attack aimed at stealing personal information.
The threat was first brought to light by Nick Johnson, a developer for the cryptocurrency platform Ethereum. On Wednesday, Johnson shared on X (formerly Twitter) that he had been targeted by a convincing scam exploiting a vulnerability within Google’s infrastructure.
“Recently I was targeted by an extremely sophisticated phishing attack,” he posted. “It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more.”
How the Scam Works
Johnson shared a screenshot of the phishing email he received, which appeared to be from a legitimate Google address and claimed he had been served a legal subpoena related to his Google account. The message instructed him to submit additional information through a provided link.
The only subtle red flag: the link pointed to a sites.google.com address (Google Sites, where anyone can publish pages) rather than the official sign-in domain accounts.google.com.
Clicking the link led to what looked like a Google support portal, complete with duplicate “Upload additional documents” and “View case” buttons that mimicked real Google pages. These then prompted him to sign into his Google account, which would presumably allow hackers to steal login credentials.
“This email even passed DKIM verification — which means it appeared completely legitimate, with no warnings from Gmail,” Johnson noted. “It was even shown in the same thread as previous genuine security alerts.”
Google Responds
In a statement to DailyMail.com, a Google spokesperson confirmed the phishing campaign, stating:
“We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse.”
Google also emphasized the importance of two-factor authentication (2FA) and passkeys to help users protect their accounts from similar attacks.
“Google will never ask for your password, one-time codes, or request confirmation via push notifications. We also won’t call you.”
The company added that the mechanism used in this phishing attack has since been disabled and reminded users to review recent guidance on how to spot email scams.
Why This Scam Works So Well
This phishing attack is particularly dangerous because it uses legitimate Google infrastructure — in this case, Google Sites — to host malicious content. Many users trust the google.com domain and may not notice the subtle differences.
If a user enters their password into the fake site, hackers can gain immediate access, especially if the user doesn’t have additional security measures like 2FA or a passkey in place.
Unlike passwords, passkeys are cryptographic credentials bound to a specific device and to the site they were registered for, so a lookalike page cannot use them; this makes them far more secure and virtually impossible to phish.
How to Protect Yourself
Even though phishing scams are becoming harder to detect, there are still common warning signs:
- Generic greetings instead of using your name
- Urgent messaging that pressures you to take immediate action
- Suspicious links asking you to enter personal information
While Google does send users email notifications about important account updates or government data requests, it will not ask for sensitive information via links or attachments.
According to Google’s official policy:
“When we receive a request from a government agency, we notify the user before disclosing any information — unless legally prohibited. In such cases, we’ll notify the user as soon as the legal restriction is lifted.”
To stay safe, users are advised to:
- Never click suspicious links in emails
- Verify the domain before entering any information
- Use two-factor authentication and passkeys
- Report phishing attempts directly to Google
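The second point, verifying the domain, is where this particular scam is caught: the only tell was that the link went to sites.google.com instead of accounts.google.com. The Python script below is an added example, not code from the article or from Google; it pulls the links out of an email body and classifies each one by its exact hostname, treating Google's user-content hosts (Google Sites) as untrusted even though they sit under google.com, and catching the usual tricks that make a hostname look like accounts.google.com (a trailing attacker domain, a `user@` prefix, a punycode label). The allowlist contents and the sample email are constructed assumptions for the demo.

```python
"""Triage links in a suspected Google-themed phishing email by exact hostname.

Added example for this article; the email text below is constructed and is
not the message described in the article.
"""
import re
from urllib.parse import urlsplit

# Hosts where a Google sign-in prompt is legitimate. Assumption: the article
# names accounts.google.com as the official sign-in domain; extend as needed.
OFFICIAL_LOGIN_HOSTS = {"accounts.google.com"}

# Google-owned hosts that serve pages written by arbitrary users. A sign-in
# form on one of these is never Google's own, even though the domain is
# google.com (the article's scam was hosted on Google Sites).
USER_CONTENT_HOSTS = {"sites.google.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def extract_links(text):
    """Return every http(s) URL found in a plain-text email body."""
    return URL_RE.findall(text)


def classify_link(url):
    """Classify a URL by its parsed hostname, never by what the string looks like.

    urlsplit().hostname lowercases the host and strips any "user@" prefix and
    port, so "https://accounts.google.com@evil.example/" resolves to
    evil.example, which is what the browser would actually connect to.
    """
    host = urlsplit(url).hostname
    if host is None:
        return "UNPARSEABLE"
    if host in OFFICIAL_LOGIN_HOSTS:
        return "OFFICIAL_LOGIN"
    if host in USER_CONTENT_HOSTS:
        return "USER_CONTENT"  # google.com domain, but anyone's page
    if host == "google.com" or host.endswith(".google.com"):
        return "GOOGLE_OTHER"  # Google-owned, but not a sign-in host
    labels = host.split(".")
    # Punycode labels can render as characters that mimic "google".
    if any(label.startswith("xn--") for label in labels):
        return "LOOKALIKE"
    # "accounts.google.com.evil.example", "accounts-google.com", etc.
    if "google" in host:
        return "LOOKALIKE"
    return "EXTERNAL"


def password_prompt_expected(url):
    """True only where typing a Google password makes sense: HTTPS and an
    exact match against the official sign-in hosts."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in OFFICIAL_LOGIN_HOSTS


def triage(email_text):
    """Pair every link in the email with its verdict."""
    return [(url, classify_link(url)) for url in extract_links(email_text)]


# Constructed sample modelled on the article's description: a "subpoena"
# pretext with a Google Sites link, plus the genuine sign-in URL for contrast.
SAMPLE_EMAIL = """\
Subject: Legal process served on your Google Account (constructed sample)

A subpoena requesting data from your account has been received.
View the case or upload additional documents here:
https://sites.google.com/view/case-review-example/home
The genuine sign-in page, for comparison, is https://accounts.google.com/signin
"""

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_EMAIL):
        ok = password_prompt_expected(url)
        print(f"{verdict:14} password_ok={ok!s:5} {url}")
```

The design point is that the check is an exact hostname comparison against a short allowlist, not a substring search for "google.com": the first verdict for the sample email comes back USER_CONTENT, which is exactly the signal Johnson noticed by eye. The script does not follow links, so it can run over a mailbox export offline.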
If you receive a message claiming to be from Google that asks for your login details, password, or any personal information — don’t engage. Instead, navigate directly to Google’s website and check for notifications through your account dashboard.