Republished on April 19 to include new details about the latest attack and two urgent recommendations Google is now urging all users to follow.


Here we go again—Google has confirmed another Gmail-targeted attack, this time blending a flaw in the platform with highly sophisticated social engineering tactics. The outcome? A flood of headlines, viral posts across social media, and a fast-tracked security update from Google. The company’s message is loud and clear: it’s time to stop relying on passwords.

This most recent breach gained traction on X and across crypto news circles after the victim—Ethereum developer Nick Johnson—shared his experience. According to Johnson, he was the target of a “highly sophisticated phishing attack” that exploited a vulnerability within Google’s infrastructure. He also warned that, since Google has yet to patch the issue, similar attacks are likely to become more common.

The attack began with an email that appeared to be entirely legitimate—it was sent from a real Google address and warned Nick Johnson that Google had received a subpoena for his account. “This is a valid, signed email,” Johnson explained, “sent from no-reply@google.com. It passes all DKIM signature checks, and Gmail doesn’t flag it with any warnings—it even appears in the same thread as other genuine Google security alerts.”

It’s a clever tactic. Technically, the attackers found a way to exploit Google’s system to send an official-looking email to themselves, which they then forward to others. Because the forwarded message maintains the original DKIM signature, Gmail still recognizes it as authentic—even though it’s essentially a repurposed copy. The end goal, however, is straightforward: direct the victim to a phishing page designed to look exactly like a legitimate Google sign-in, in an attempt to steal their credentials.
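As an added illustration (not from the article, Google, or Johnson), a defender-side check that shows why a valid DKIM signature alone does not prove a message was sent to you: the signature covers the headers as they were originally sent, so a forwarded raw copy still verifies while the signed To: and the Return-Path no longer match the actual delivery. The sample messages, domains and the replay heuristic itself are constructed for this example.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample: a genuine-looking, DKIM-signed notice forwarded raw to
# victim@example.com. The signed headers describe the first delivery, not this
# one. Every address, selector and signature value here is made up.
REPLAYED_RAW = """\
Return-Path: <bounce@relay-constructed.example>
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=constructed; c=relaxed/relaxed;
 h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=
From: Google <no-reply@google.com>
To: first-hop@attacker-mailbox-constructed.example
Subject: Notice regarding your account

A subpoena notice would go here.
"""

# Constructed control sample: the same notice delivered directly to the mailbox.
DIRECT_RAW = REPLAYED_RAW.replace("<bounce@relay-constructed.example>", "<bounce@google.com>") \
    .replace("first-hop@attacker-mailbox-constructed.example", "victim@example.com")

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def replay_indicators(raw_message, delivered_to):
    """Reasons a DKIM-passing message still looks replayed to this mailbox.
    Heuristic only: compares what the signature covers with how the mail arrived."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_dkim_tags(sig)
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    findings = []
    if "to" not in signed:
        findings.append("To header is not covered by the signature")
    else:
        to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
        if delivered_to.lower() not in to_addrs:
            findings.append("signed To does not include the delivered-to mailbox")
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if rp_domain and rp_domain != tags.get("d", "").lower():
        findings.append("Return-Path domain differs from the DKIM signing domain")
    return findings
```

The check deliberately does not re-verify the signature; it assumes the upstream verifier already passed it, which is exactly the situation the article describes.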


Google has since acknowledged the issue, stating, “We’re aware of this class of targeted attack and have been rolling out protections over the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”

And that’s the key takeaway: stop relying on passwords to secure your account, even if you’re using two-factor authentication (2FA), and especially if that second factor is SMS-based. The reality is that it has become far too easy for attackers to trick users into handing over both their login credentials and the temporary codes sent via SMS. Once they have both, there’s little stopping them from logging into your account from their own device.

What truly stops these kinds of attacks is the use of passkeys. Unlike passwords, a passkey is tied to your physical device and requires your device’s built-in security—like biometrics or a PIN—to unlock your Google account. This means that unless an attacker physically has your phone or laptop, they can’t access your account. While Google hasn’t completely removed passwords yet (as Microsoft intends to), using a passkey instead makes it impossible for a phishing page to steal your credentials.

What makes this latest attack particularly dangerous—alongside others we’ve seen recently—is how sophisticated and convincing it is. But the solution remains relatively simple: update your account security. These kinds of attacks are only going to become more advanced and more frequent, especially as AI lowers the barrier for cybercriminals. As Microsoft recently warned, “AI has started to lower the technical bar for fraud and cybercrime actors… making it easier and cheaper to generate believable content for cyberattacks at an increasingly rapid rate.”

If you haven’t already, you can learn how to add a passkey to your Google account here.

This latest scam, which cleverly exploited weaknesses in Google’s infrastructure to disguise a phishing attempt, is now gaining broader media attention. Unfortunately, much of the coverage misses the bigger picture. Google has consistently emphasized two crucial points in response to incidents like these:

  1. Google will never proactively contact you about security issues or ask you to take specific actions to secure your account.
  2. Following Google’s security recommendations—like enabling passkeys and 2FA—offers strong protection against phishing and account takeover attempts.

Don’t get lost in the technical weeds. Yes, Google needs to address the way its email system can be manipulated, but email as a communication medium has always had inherent vulnerabilities. The real threat now is the wave of AI-driven attacks just beginning to surface. This one may be detectable now that it’s made the rounds, but the next one might not be. And when that comes, a strong, password-free security setup could be the only thing standing in its way.

If you haven’t already, set up passkeys—now. It’s one of the most effective ways to protect your Google account from modern threats. And remember, just like with banking and law enforcement scams, any unexpected outreach claiming to be from Google or other tech companies is almost certainly a scam. Legitimate institutions—whether it’s your bank, Google, or law enforcement—don’t initiate contact to warn you or request sensitive information.

This advice has never been more urgent. As Microsoft recently cautioned, “AI tools can scan and scrape the web for company information, helping cyber attackers build detailed profiles [and] highly convincing social engineering lures. In some cases, bad actors are luring victims into increasingly complex fraud schemes.”

The warning is clear: the threat landscape is evolving fast. Don’t wait for the next wave to hit—take action now.

Reference: Forbes