New Gmail Scam Uses Google’s Own Tools to Steal Your Information

Summary
- Cybercriminals are impersonating Google using phishing emails that appear to be official security alerts. The emails use a tactic called a “replay attack”: a genuine Google-signed message is forwarded unaltered to victims, so it still passes the signature checks (such as DKIM) that mail filters rely on.
- Victims are directed to fake Google login pages hosted on sites.google.com—pages that closely mimic real Google portals.
- Scammers are trying to steal Google credentials, which can grant access to Gmail, Drive, YouTube and linked third-party apps.
- Clues to look for include unusual URLs, mismatched sender information and generic or urgent language. Also, never click on links in unsolicited emails. Always verify by going directly to Google or using official contact methods.
- For more information on this new Gmail scam, or if you believe you are a victim of an identity crime, contact the ITRC at no cost by phone or text (888.400.5530) or live chat on the company website, www.idtheftcenter.org.
Cybercriminals are using Google’s own tools – like Gmail and Google Sites – to create emails that appear to be official messages from Google. These Gmail scam emails use a sophisticated tactic called a “replay attack” to trick people into handing over their Google login credentials. If successful, scammers can gain access to your Gmail, Google Drive, YouTube and even third-party apps tied to your Google account.
Who are the Targets?
Gmail or Google account users
What is the Gmail Scam?
Cybercriminals are sending phishing emails that look like official Google security alerts. In one example posted on X by @nicksdjohnson and shared by Malwarebytes, the scam email warned the recipient about a subpoena involving their Google account. The link in the message led to a fake Google login page hosted on sites.google.com, which mimicked legitimate Google pages. The email appeared to come from [email protected], and in a sense it did: it was a genuine, Google-signed message that the scammer repurposed. Because the signature covers the message headers and body, the content cannot be altered afterward without breaking the signature, so the malicious text was already in the message when Google signed it.
This kind of scam is known as a “replay attack”: the scammer resends (replays) a previously legitimate, digitally signed email through their own mail servers. Nothing the signature covers has changed, so the signature still verifies, authentication checks pass, and the mail client may present the message as authentic. What the forwarding does change is the delivery path, which is why the envelope and trace headers (Return-Path, Received) and the recipient address in the To: line are where inconsistencies show up.
Source: @nicksdjohnson and Malwarebytes
What They Want
Scammers want you to enter your Google login credentials on a fake website. With your account access, they can:
- Steal personal information from Gmail, Drive, Photos and more
- Access your YouTube, Maps and third-party apps linked to Google
- Commit identity theft or impersonate you online
How to Avoid Gmail Scams
- Don’t click links in unsolicited or unexpected emails, even if they look official. Instead, go directly to the source to verify the validity of the message.
- Inspect the full web address carefully. Official Google sign-in and support pages use accounts.google.com or support.google.com, not sites.google.com. Google Sites is a free website builder, so anyone can publish a page under sites.google.com; a google.com domain and a padlock icon do not by themselves prove the page belongs to Google.
- Review email headers for sender inconsistencies (e.g., the From address says google.com but the Return-Path or “mailed-by” domain does not, or the To: address is not your own).
- Avoid using your Google account to sign into other services. Create a separate login when possible.
- Report suspicious Google-related phishing by forwarding the email to [email protected].
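The following is an added example, not code from the ITRC article, Google, or the researchers it cites. It models the replay attack described above and the header and link checks recommended in the list: a message is signed over its From/To/Subject headers and body, forwarded unaltered through a different mail path, and still verifies, while a small triage routine flags the inconsistencies that remain. It is deliberately simplified: a shared HMAC key (`SIGNER_KEY`) stands in for the RSA key pair DKIM uses with a public key in DNS, `Demo-Signature` stands in for the DKIM-Signature header, and every address, host and message body is constructed for the demo.

```python
"""Replay of a signed email and header-based triage (simplified model, added example)."""
import email
import hashlib
import hmac
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical stand-in for the signer's private key; real DKIM uses an RSA/Ed25519 key
# whose public half is published in DNS. The name and value are constructed for the demo.
SIGNER_KEY = b"constructed-demo-signing-key"
SIGNED_HEADERS = ("from", "to", "subject")          # what a DKIM h= tag would bind
OFFICIAL_LOGIN_HOSTS = {"accounts.google.com", "support.google.com"}
URGENCY_WORDS = ("subpoena", "immediately", "within 24 hours", "suspended")

# Constructed sample: the message the scammer gets the legitimate signer to generate.
ORIGINAL = """From: Example Security <security-noreply@google.com>
To: attacker-inbox@example-attacker.test
Subject: Security alert: legal process on your account
Content-Type: text/plain; charset=utf-8

A subpoena was served requesting a copy of your account content.
Review the case immediately: https://sites.google.com/u/0/legal-support/
"""


def _parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def _signing_input(msg):
    """Simplified relaxed canonicalisation: the named headers (lower-cased name, collapsed
    whitespace) followed by the body. Envelope and trace headers are never included,
    which is exactly why a forwarded copy still verifies."""
    lines = [f"{h}:{' '.join((msg.get(h) or '').split())}" for h in SIGNED_HEADERS]
    body = msg.get_content() if not msg.is_multipart() else ""
    return ("\n".join(lines) + "\n\n" + body.strip()).encode()


def sign(raw):
    """Prepend a Demo-Signature header covering From/To/Subject and the body."""
    tag = hmac.new(SIGNER_KEY, _signing_input(_parse(raw)), hashlib.sha256).hexdigest()
    return f"Demo-Signature: h={':'.join(SIGNED_HEADERS)}; b={tag}\n{raw}"


def verify(raw):
    """True if the Demo-Signature matches the signed headers and body as received."""
    msg = _parse(raw)
    m = re.search(r"b=([0-9a-f]{64})", msg.get("Demo-Signature", ""))
    if not m:
        return False
    expected = hmac.new(SIGNER_KEY, _signing_input(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(m.group(1), expected)


def replay(signed_raw, envelope_from, recipient):
    """Forward the signed message unchanged, as the scammer's relay would. Return-Path and
    Received come from that relay; Delivered-To is stamped by the victim's mail server."""
    return (f"Delivered-To: {recipient}\n"
            f"Return-Path: <{envelope_from}>\n"
            "Received: from mail.example-attacker.test by mx.example.net\n"
            + signed_raw)


def triage(raw):
    """Return the inconsistencies a reader should check before trusting the message."""
    msg = _parse(raw)
    findings = []

    def domain(addr):
        m = re.search(r"@([\w.-]+)", addr or "")
        return m.group(1).lower() if m else ""

    from_dom, rp_dom = domain(msg.get("From")), domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"sender mismatch: From is {from_dom} but Return-Path is {rp_dom}")
    to_addrs = set(re.findall(r"[\w.+-]+@[\w.-]+", (msg.get("To") or "").lower()))
    delivered = (msg.get("Delivered-To") or "").lower()
    if delivered and delivered not in to_addrs:
        findings.append(f"replay indicator: delivered to {delivered} but addressed to {', '.join(to_addrs)}")
    body = msg.get_content() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if host not in OFFICIAL_LOGIN_HOSTS:
            findings.append(f"link host {host} is not an official Google sign-in host")
    hits = [w for w in URGENCY_WORDS if w in (msg.get("Subject", "") + " " + body).lower()]
    if hits:
        findings.append("urgent language: " + ", ".join(hits))
    return findings


SIGNED = sign(ORIGINAL)
REPLAYED = replay(SIGNED, "bounce@example-attacker.test", "victim@example.net")

if __name__ == "__main__":
    print("signature valid on original:", verify(SIGNED))
    print("signature valid after replay:", verify(REPLAYED))
    for finding in triage(REPLAYED):
        print(" -", finding)
```

The signature check alone says nothing about who forwarded the message or to whom; it is the triage findings (Return-Path domain, Delivered-To versus To, link host, urgency) that expose the replay, which is why the advice above is to read headers and URLs rather than trust a “signed by” indicator.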
Contact the ITRC
If you believe you’ve received a suspicious email like this or entered your information on a bogus page, contact the Identity Theft Resource Center (ITRC). The ITRC is here to help. We offer resources and advice to help you protect yourself and recover from an identity crime. You can speak with an ITRC expert advisor toll-free by phone or text (888.400.5530) or live chat on our website. Just visit www.idtheftcenter.org to get started.