
Urgent Alert for Gmail Users!

April 21, 2025

Google has issued a critical warning to its 1.8 billion Gmail users following the discovery of a highly advanced phishing scam. The alert comes after Nick Johnson, a developer with Ethereum, reported being targeted by the attack, which he described as one of the most sophisticated he’s ever encountered.

Johnson shared on X that the scam exploited a vulnerability within Google’s systems. He revealed that the phishing email he received appeared to come from a genuine Google address and claimed he had received a legal subpoena requiring access to his Gmail account. The only visible red flag? The email was hosted on sites.google.com instead of the more familiar accounts.google.com.

When Johnson clicked the link, he was redirected to a fake “support portal” that convincingly mimicked official Google pages. The portal prompted him to “upload additional documents” and “view case” — both actions leading to realistic duplicates of Google’s login pages, where users would unknowingly enter their credentials. Johnson warned that this scam passed all standard email security checks, including Gmail’s DKIM signature verification, and even appeared in the same email thread as legitimate Google security alerts.

In a statement to the media, Google acknowledged the targeted attack and confirmed it had taken steps to block the method used. The company emphasized the importance of enabling two-factor authentication (2FA) and using passkeys — secure login tools that significantly reduce the risk of being hacked.

Google reminded users that it will never ask for passwords, one-time passcodes, or personal login information via email, and that it will never call to request such details. Phishing scams like this are designed to make fraudulent messages appear trustworthy, tricking people into handing over sensitive information such as login credentials or financial data.

One reason this attack was so effective is that it relied on a trusted domain — Google Sites — to make the email seem legitimate. Johnson explained that many people see “google.com” in a URL and assume it’s safe, which makes it easier for scammers to deceive even cautious users.
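As an added illustration, not code from the article or from Google, the following mail-filter check applies the point above from the defender's side: only the exact login hosts count as expected, so a link on sites.google.com is held for review even when the message passed DKIM. The host allowlist and the sample message are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts where a genuine Google sign-in would take place.
# Exact match only: sites.google.com is NOT trusted just because it ends in google.com.
LOGIN_HOSTS = {"accounts.google.com", "myaccount.google.com"}

def classify_link(url: str) -> str:
    """Return 'expected', 'lookalike' or 'other' for a link in an account-related email."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "other"
    # .hostname drops userinfo, so https://accounts.google.com@evil.example/
    # resolves to evil.example rather than the allowlisted name.
    host = (parts.hostname or "").lower().rstrip(".")
    if host in LOGIN_HOSTS:
        return "expected"
    # Any other host trading on the Google name (a subdomain, or a domain that merely
    # contains "google") is a lookalike for the purpose of an account notice.
    if host == "google.com" or host.endswith(".google.com") or "google" in host:
        return "lookalike"
    return "other"

# Constructed sample mirroring the reported scenario: signed mail, trusted-looking
# sender, but the action link lives on sites.google.com instead of the login host.
SAMPLE_MESSAGE = {
    "from": "no-reply@accounts.google.com",
    "dkim": "pass",
    "links": [
        "https://sites.google.com/view/legal-support-portal/upload",
        "https://accounts.google.com/signin",
    ],
}

def triage(message: dict) -> dict:
    """Flag an account notice whose links point anywhere but the expected login hosts."""
    verdicts = {u: classify_link(u) for u in message["links"]}
    suspicious = [u for u, v in verdicts.items() if v != "expected"]
    return {
        "dkim": message["dkim"],
        "suspicious_links": suspicious,
        # A DKIM pass only says the signing domain vouched for the message body;
        # it says nothing about where the links lead, so the hold is independent of it.
        "hold_for_review": bool(suspicious),
    }
```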

Those who rely only on passwords for Gmail access are especially vulnerable, as attackers can simply log in with the stolen credentials, together with a 2FA code if prompted for one. Passkeys, however, offer a much stronger defense. Unlike passwords, passkeys are tied to a specific device and can’t be used elsewhere, making them nearly impossible to steal or duplicate.

Google encourages users to not only use secure login methods but also to learn how to identify phishing scams. Though these scams are becoming more convincing, they often include warning signs: vague greetings, a sense of urgency, and suspicious links asking users to fix an issue immediately. While Google does send important notifications by email, it won’t ask users to click suspicious links or update sensitive account information through email.

In cases where legal agencies legitimately request user information, Google sends advance notice to affected users — unless legally prohibited from doing so. According to its official privacy policies, users are typically informed before any data is shared, except in cases where court orders or legal restrictions apply.

Ultimately, Google stresses the importance of caution. If you receive a message requesting personal information, always verify the legitimacy of the website — ideally by opening the site manually in a new browser window rather than clicking the link in the email.
