Spoofing is when scammers disguise their true identity by making a message or call appear to come from a genuine email address or phone number. This can make a scam difficult to spot unless you know what to look for and how to look for it.
In this particular attack, the scammers also managed to bypass Google’s filters for scam and suspicious emails.
Below, we tell you what to look out for so you can avoid scams like these.
Gmail subpoena scam

The scam email was first highlighted by Nick Johnson, a developer who'd received the message and posted it on X.
The message appears to be sent from a Google email address, no-reply@google.com, with the familiar heading ‘Security alert.’
The email explains that you have been served a ‘subpoena’, which is a formal court order, to grant Google permission to ‘produce a copy of your Google account content’.
The message includes a link to your ‘Google support case’. You're then encouraged to follow the link as you're informed that you can ‘examine the case materials or submit a protest’.
The website linked to the email convincingly impersonates Google’s support page by beginning with ‘sites.google.com’. It also prompts you to log in to your account if you aren’t already signed in. It then offers you the opportunity to ‘view your case’, which is labelled as urgent.
It’s unclear where the scam goes from here, but it will most likely lead to malware being downloaded to your device or you being pressured to enter your personal and financial data, giving it over to the scammers.
How did the scammers do this?
Anyone can create a Google Sites page. In this case, fraudsters have exploited this to mock up a fake support page, which they control and which could appear to be legitimate with its language and branding.
While the attackers didn't send the email from no-reply@google.com, they made it look as though they had by spoofing (manipulating) the 'from' address, using code they created to alter the email.
What's more, because the fraudsters copied the body of the email from a legitimate email from Google, it retained Google's DKIM signature. This isn't visible in the email, but it's a security feature that verifies a message really was signed by the domain it claims to come from – and so the email passed Google's security filters.
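To show what a mail filter or analyst can check against the two tricks described above (a spoofed 'from' address and a reused DKIM signature), here is an added example that is not from the Which? article or from Google: it parses a constructed message, tests whether the DKIM signing domain (d=) aligns with the From domain and whether the From header is even covered by the signature (h=). The sample headers and the domain attacker-mailer.example are made up for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not the real scam email): a From address that claims
# google.com, while the DKIM-Signature was made by a different domain and does not
# cover the From header at all.
SAMPLE = """\
From: Google <no-reply@google.com>
To: victim@example.net
Subject: Security alert
DKIM-Signature: v=1; a=rsa-sha256; d=attacker-mailer.example; s=sel1;
 h=subject:date:mime-version:content-type; bh=constructed; b=constructed
Authentication-Results: mx.example.net; dkim=pass header.d=attacker-mailer.example

You have been served a subpoena ...
"""

def parse_tags(value):
    """Turn a folded 'v=1; d=x; h=a:b' DKIM header into a dict of tag values."""
    tags = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def check_dkim_alignment(raw):
    """Return warnings for the signals a spoofed From plus a foreign DKIM signature leaves.

    Caveat: a message that replays a signature genuinely made by the From domain
    (as the article describes) passes both checks, so an empty list is not proof
    that the mail is safe; it only rules out the cruder mismatch.
    """
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no DKIM-Signature header"]
    tags = parse_tags(sig)
    warnings = []
    d = tags.get("d", "").lower()
    # Relaxed alignment: d= must equal the From domain or be a parent of it.
    if d != from_domain and not from_domain.endswith("." + d):
        warnings.append(f"DKIM d={d} does not align with From domain {from_domain}")
    signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
    if "from" not in signed:
        warnings.append("From header is not covered by the DKIM signature (h= tag)")
    return warnings
```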
Which? contacted Google about this scam email and it told us that it has shut down the mechanism that attackers are using to create the scam email. It also said that Google will not ask for any of your account credentials – including your password and one-time passwords. It also won't ask you to confirm push notifications or call you.
Google also told Which?: 'We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.'
Spotting and reporting scam emails
Sophisticated phishing emails like this one highlight the need to inspect suspicious emails thoroughly.
To protect yourself, you should:
Never click on links if you’re suspicious about the email.
Report email scams by forwarding the email to report@phishing.gov.uk.
Report emails to your email provider – in Gmail, select the ‘Report spam’ option.
Source: https://www.which.co.uk/news/article/which-warns-gmail-users-to-watch-out-for-this-convincing-phishing-email-a9POc6M9CBmP