All Gmail users need to be on alert as this scam uses Google's own infrastructure to wipe them out

The iconic Gmail "M" logo in Google colors is shown on a "security circuit."
I'll admit it. I'm old enough to remember when the only phones we had were landlines. There were no cellular networks and making a call in New York City required you to dial (actually dial) a phone number like Murray Hill (MH) 9-5000. While smartphones pre-date the iPhone, the world didn't change until the late Steve Jobs held the iPhone aloft on January 9th, 2007. As excited as Jobs was about the prospects for the iPhone, I wonder if a forward-thinking man like him could grasp what he was about to unleash on the world.

Not all of the changes that the iPhone and subsequently Android phones brought to us were good. For example, we now have to worry about phishing emails, smishing texts, and other scams that are centered around smartphone use and scamming smartphone users. The latest warning comes from a software developer about a "sophisticated" phishing scam that attacks Gmail users.

A phishing scam so devious that it uses Google's own infrastructure to rip you off


Software developer Nick Johnson alerted others on "X" about a phishing scam so devious that it uses Google's infrastructure to make it seem legit. Johnson was nearly a victim of this attack as he noted in his tweet. "Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure and given their refusal to fix it, we're likely to see it a lot more."


His tweet included an image of the email he received which states that Google LLC was issued a subpoena by a law enforcement agency seeking information contained in his Google account. We don't have to tell you what kind of personal information could be discovered if you turn this information over to a scammer. But the major problem here is that as Johnson points out in a follow-up tweet, the email he received is a valid, signed email sent from no-reply@google.com.

In a statement, Google said, "We're aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns."

The message passes Google's signature checks, and Gmail displays it without any warnings. According to Johnson, "It even puts it in the same conversation as other, legitimate security alerts." There is one discrepancy you can look for that signals the email is a scam: the page the bogus email links to is hosted on "sites.google.com," a Google service where anyone can publish content. A legitimate account or security notice would point to "accounts.google.com."
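The domain check described above can be automated. The following is an added example (not code from the article, from Johnson, or from Google) that pulls the links out of an email body and classifies each by its exact host: accounts.google.com is treated as a genuine account host, sites.google.com as a user-content host where a "security alert" should never send you, and everything else as either another Google host or an external site. The host lists beyond the two domains the article names, and the two sample emails, are assumptions constructed for the example. It also covers two lookalike tricks the paragraph implies but does not spell out: a host such as accounts.google.com.evil.example, and a URL that puts accounts.google.com in the user-info part before an "@".

```python
import re
from urllib.parse import urlparse

# Hosts that serve genuine Google account and security pages. The article names
# accounts.google.com; myaccount.google.com is added here as an assumption.
# Membership is exact-match only, so "accounts.google.com.evil.example" never passes.
TRUSTED_ACCOUNT_HOSTS = {"accounts.google.com", "myaccount.google.com"}

# Google-owned hosts that serve content uploaded by arbitrary users. A security
# notice linking here is the red flag the article describes. sites.google.com
# comes from the article; the other two are assumed for illustration.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}

# Loose URL matcher for plain-text bodies; trailing punctuation is trimmed below.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of a URL, ignoring any user-info before '@'."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify_link(url):
    """Label one URL: trusted, user-content, other-google or external."""
    host = host_of(url.rstrip(".,;:)]"))
    if host in TRUSTED_ACCOUNT_HOSTS:
        return "trusted"
    if host in USER_CONTENT_HOSTS:
        return "user-content"
    # Genuine subdomain of google.com (endswith check requires the leading dot,
    # so "notgoogle.com" and "google.com.evil.example" do not match).
    if host == "google.com" or host.endswith(".google.com"):
        return "other-google"
    return "external"


def scan_email(body):
    """Return (verdict, findings); findings is a list of (url, label) pairs."""
    findings = [(u, classify_link(u)) for u in URL_RE.findall(body)]
    labels = {label for _, label in findings}
    if "user-content" in labels or "external" in labels:
        verdict = "suspicious"
    elif findings:
        verdict = "looks-consistent"
    else:
        verdict = "no-links"
    return verdict, findings


# Constructed sample modelled on the article's description of the bogus notice.
SAMPLE_BOGUS = """Google LLC has received a subpoena from a law enforcement agency
requesting information contained in your Google Account.
Review the case materials here: https://sites.google.com/view/legal-support-case/home.
"""

# Constructed sample of a notice whose links all point at genuine account hosts.
SAMPLE_LEGIT = """A new sign-in was detected on your account.
If this was you, no action is needed. Otherwise review your activity at
https://myaccount.google.com/notifications or https://accounts.google.com/signin
"""

if __name__ == "__main__":
    for name, body in (("bogus", SAMPLE_BOGUS), ("legit", SAMPLE_LEGIT)):
        verdict, findings = scan_email(body)
        print(f"{name}: {verdict}")
        for url, label in findings:
            print(f"  {label:13s} {url}")
```

The verdict is deliberately conservative: any link to a user-content host or to a non-Google host marks the message suspicious, since a message that passes Google's signature checks has already defeated the usual sender-based heuristics and the link target is what remains to inspect.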


We don't recommend clicking the link in the email. If you disregard that advice, you will be sent to a bogus support portal built from convincingly crafted copies of Google's login pages. The portal exists to trick users into handing over their login credentials and personal information such as passwords, social security numbers and bank account details. That information can then be used to wipe out your financial accounts.

You can avoid becoming a statistic by not relying on a password to open your Gmail account, even if you also use two-factor authentication (2FA). With text-based 2FA, users are being tricked into turning over their usernames and passwords, and the thieves then use those stolen passwords to intercept the 2FA codes as they are sent to the victim. To prevent that, use a passkey instead of a password for your email accounts.

A passkey uses a private key stored on the potential victim's device. With a passkey, as long as you have your phone in your possession, you shouldn't have to worry about having a 2FA code stolen.

As usual, the best advice is not to respond to any of these texts or emails even if they claim to be from law enforcement or government agencies. If they continue to send you the same message repeatedly, get a legitimate phone number and place a call to find out if the emails or texts you are receiving are legitimate. Again, do not respond via text or email.