All Gmail users have been warned to take steps to secure their accounts after widespread hacking attempts.
Cyber criminals are targeting Gmail users with phishing emails.
The scam emails appear to come from a legitimate Google account service, asking users to follow a link to take action.
However, clicking on the link could lock you out of your account.
Gmail users should ensure they have set up a recovery phone number or alternative email address to answer security questions and verify their identity, Google said.
The warning comes after a ‘sophisticated’ attack was spotted by developer Nick Johnson, who raised the alarm by posting what the phishing email sent to him looked like.
It appeared to come from an accounts.google.com email address, saying Google had been legally asked to ‘produce a copy of your Google Account content’ and asking him to follow a link posing as a Google support site.
When the expert followed links taking him to websites that were ‘exact duplicates’ of legitimate Google pages, he was asked to sign in to his Google account.
He explained: ‘From there, presumably, they harvest your login credentials and use them to compromise your account; I haven’t gone further to check.’
Worryingly, Gmail’s security system didn’t spot the phishing email, meaning users will have to be even more vigilant.
Setting up Google Password Alert and two-factor authentication
Two-factor authentication (2FA) can make it harder for cyber criminals to access your account in case the password is stolen.
When 2FA is switched on, it will ask for a passkey on a device such as your phone.
You can set it up in your Google Account settings under Security.
Google advises all users to set up Password Alert, which can prevent Gmail and YouTube user information from getting into the wrong hands.
When Password Alert is switched on in the Chrome web browser, users get automatic alerts when their Google password is used to sign in to other sites.
Google reminded users that it will not ask for the account credentials used to sign in, and that it will not call them.
A spokesperson for Google said: ‘We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse.
‘In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.’
In the worst case, providing any sensitive log-in details could end with scammers using them to steal money or commit identity theft.
What is phishing?
Phishing, which comes from the word fishing, is an online scam where criminals use fake emails, text messages, or phone calls to trick people into revealing personal information or visiting malicious websites, often to steal sensitive data or bank details.
In March, millions of Chrome users were told to delete 16 browser extensions after experts spotted that they had been weaponised by a ‘threat actor.’
Hackers are also taking advantage of AI by creating realistic-sounding phone calls claiming that a user’s Gmail account has been compromised.