Update, April 26, 2025: This story, originally published April 25, has been updated with information concerning Google alert impersonation attacks that target Gmail users and further advice to mitigate the Gmail encryption message threat to users of other email platforms.
Love it or loathe it, with nearly 2 billion users, Google’s Gmail platform cannot be ignored. That’s certainly the case when it comes to hackers, scammers and cybercriminals of all types. They are drawn to the web-based email service like no other. All email platforms are targeted by criminals, that’s for sure, but Gmail has the biggest bullseye on its back courtesy of that user base. Sophisticated new Gmail threats are constantly being reported, while Google responds with security updates to counter them. Some updates that have long been anticipated by eager users could, however, spread the risk of attack beyond just those folks using Gmail. That’s the warning from one leading cybersecurity expert as Google introduces end-to-end encryption for Gmail. Here’s what you need to know.
The Gmail Encryption Attack Threat Explained
Generally speaking, you would not talk about the addition of encryption to a platform as anything other than a blessing for those who value security and privacy. When Google announced that it was bringing end-to-end encryption to all businesses, I was certainly excited, not least because it has been a long time coming. To coincide with the 21st birthday of Gmail, Google said it would be rolling out the ability for enterprise users “to send E2EE messages to any user on any email inbox with just a few clicks.” The process by which this encryption service works involves a kind of protective bubble that surrounds the email in question. So, what’s the issue? Well, if you send such an encrypted email bubble to a Gmail user, then it gets automatically decrypted in their inbox, no problem there. If the recipient isn’t a Gmail user, however, they are presented with an invite to view the email within a restricted version of Gmail, using a Google Workspace guest account.
As Jérôme Segura, the senior director of threat intelligence at Malwarebytes, told Wired, “users might not yet be familiar with exactly what a legitimate invitation looks like, making them more susceptible to clicking on a fake one.”
We already know how AI-powered phishing attacks are blurring the lines between reality and risk, and you can be sure that scammers will be looking for the best way to create fake invitations within a convincing threat campaign to gain access to the potential victim’s email account credentials.
Google Impersonation Attacks Haunt Gmail Users
It’s not just the addition of the end-to-end encryption feature that could enable malicious actors to attack email users while disguised as genuine Gmail communications. As I recently reported, Google impersonation is rife among those who would use trickery and guile to relieve you of your Gmail account credentials. What has become known as the Gmail Subpoena attack employed trust in Google’s own protections and platforms, sending a fake security alert from a genuine Google domain to bypass the strict DomainKeys Identified Mail authentication checks employed by Gmail. The email alert was sent from an absolutely legitimate “[email protected]” address. What’s more, Gmail even “helpfully” sorted it into the same conversation that contained other Google security alerts. The scam relied upon the apparent legitimacy of the email along with the sense of urgency and fear created by receiving notification that a supposed subpoena requiring Google to produce a copy of the Gmail account content had been served. The victim was advised that they could examine the subpoena itself or lodge a formal protest. The stinger being, of course, that doing either required them to follow the instructions given and that would lead them to fake Google support pages that, inevitably, would require an account security confirmation and ultimately, dear reader, account compromise.
Gmail spokesperson Ross Richendrfer told me that Google has now rolled out updated security measures to counter the techniques used by the Gmail Subpoena threat actor in these highly targeted attacks.
Google Responds To Gmail Encryption Update Attack Risk Warning
Such phishing attack risks are not, by any means, restricted to Gmail alone. Any email platform is exposed to this kind of attack, with scammers using fraudulent alerts and malicious links to entrap victims. As part of the process to alert users to the potential risk of such threats, Google has even added this warning to the encrypted email invitations that will be sent to non-Gmail users: “Be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.”
Richendrfer said that the new Gmail end-to-end encryption update has been built from the ground up with this kind of risk firmly in mind. “The notifications users will receive in this case are very similar to Drive file sharing notifications that go out whenever someone shares a doc or file,” Richendrfer confirmed. “All the protections we employ to keep scammers from capitalizing on these messages will help us protect this new class of notifications as well,” Richendrfer advised.
Google will never ask for any of your account credentials, Richendrfer concluded, including Gmail account passwords, one-time 2FA passwords or to confirm push notifications.
