New Delhi, July 22, 2025 – Google is warning Gmail users about a convincing phishing campaign that has been hitting inboxes since mid-April. The emails look like genuine Google messages, appear to come from official addresses such as no-reply@google.com, and pass the authentication checks that Gmail normally relies on to weed out spoofed mail. Their goal is to trick recipients into handing over their Google login details, and because everything looks legitimate at first glance they are hard to spot.
The messages mimic Google's own security alerts. A typical lure claims that a legal subpoena has been issued for your account data, or that an urgent problem needs fixing right away. The link in the message leads to a fake page hosted on sites.google.com, a real Google domain on which anyone can publish a page, so the address bar shows a google.com host. That page asks for your username and password, supposedly so you can view the case details or upload documents. Whatever you type goes straight to the attackers, who can then take over the account.
Google has confirmed that this is a targeted campaign by a threat actor it calls Rockfoils. The technique is known as DKIM replay: the attackers obtain a genuine, DKIM-signed email from Google and resend it unchanged to new victims. DKIM covers the signed headers and the message body but not the SMTP envelope, so the attacker can change who actually receives the message without invalidating the signature, and filters that trust the signature let it through. Because the sender and subject match real Google alerts, the message often lands in the same conversation thread as genuine Google notices, which makes it blend in even more.



How the Attack Tricks People
The attackers first create an OAuth application in Google's developer tools and give it a very long name that is not really a name at all but the full text of the phishing lure. When they grant that app access to their own Google account, Google sends them a genuine security alert about it, and the alert's body quotes the app's name, that is, the attacker's text, inside Google's real template and under Google's real DKIM signature. They then forward that alert to victims without altering a single byte of the signed headers or body, using tools such as Jellyfish SMTP to send it from their own mail server. The result is a message that passes all three checks: SPF for the relay's own envelope domain, DKIM because the signed content is untouched, and DMARC because the DKIM signing domain aligns with the Google address in the From header. The traces of the replay are in the headers rather than the content: the DKIM-signed To address is the attacker's mailbox rather than yours, and the last Received hop is a server outside Google.
As the experts point out, this is not a basic spoof: it abuses Google's own infrastructure, its OAuth app registration and Google Sites, to look authentic. One developer described on X how he nearly fell for it after receiving what looked like a subpoena notice. The fake pages copy Google's sign-in screens closely, so even careful users can slip up.
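The header-level traces described above can be checked mechanically. The following Python script is an added example, not code from Google or from the original report. It applies three heuristics to a raw message: whether the DKIM-signed To header names the Delivered-To recipient, whether the last Received hop is a Google mail server, and whether the body links to a Google host on which anyone can publish a page (sites.google.com). The signing domain, the host list, the two sample messages and the placeholder signature values in them are all constructed for illustration; the script does not verify the DKIM signature itself (that needs the public key from DNS) and assumes the receiving mail server has already done so.

```python
"""Heuristics for spotting a DKIM-replayed message (added example, not Google's code).
Assumes the receiving MTA already verified the DKIM signature; this only looks
for the traces a replay leaves in the headers and body."""
import email
import re
from email import policy
from email.utils import getaddresses

# Assumptions for this example: the domain whose signature is being replayed and
# the Google hosts on which anyone can publish content (list is illustrative).
SENDER_DOMAIN = "google.com"
USER_PUBLISHABLE_HOSTS = {"sites.google.com"}


def parse_dkim_tags(header_value: str) -> dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(value.split())  # drop folding whitespace
    return tags


def addresses(header_value) -> set[str]:
    """Lower-cased addr-specs from an address header, or an empty set if it is absent."""
    if header_value is None:
        return set()
    return {addr.lower() for _, addr in getaddresses([str(header_value)]) if addr}


def replay_indicators(raw: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no replay indicator was seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sigs = [parse_dkim_tags(str(v)) for v in msg.get_all("DKIM-Signature", [])]
    sig = next((s for s in sigs if s.get("d", "").lower() == SENDER_DOMAIN), None)
    if sig is None:
        return [f"no DKIM-Signature with d={SENDER_DOMAIN}"]

    # 1. The h= tag lists the signed headers. If To is signed, the attacker cannot
    #    rewrite it, so in a replay it still names the attacker's mailbox while the
    #    envelope delivered the message to someone else (Delivered-To).
    signed_headers = {h.strip().lower() for h in sig.get("h", "").split(":")}
    delivered_to = addresses(msg["Delivered-To"])
    if "to" in signed_headers and delivered_to and not (delivered_to & addresses(msg["To"])):
        findings.append("signed To header does not include the Delivered-To recipient")

    # 2. An l= tag limits how much of the body is signed, letting text be appended.
    if "l" in sig:
        findings.append("DKIM l= tag allows unsigned content to be appended to the body")

    # 3. The top Received header is the hop that handed the message to us. Genuine
    #    Google mail arrives from a google.com server; a replay arrives from
    #    whatever SMTP server the attacker used to resend it.
    received = msg.get_all("Received", [])
    if received:
        m = re.match(r"from\s+([A-Za-z0-9.-]+)", str(received[0]).strip(), re.IGNORECASE)
        host = m.group(1).lower() if m else "unknown"
        if not (host == SENDER_DOMAIN or host.endswith("." + SENDER_DOMAIN)):
            findings.append(f"last hop {host} is not a {SENDER_DOMAIN} server")

    # 4. Links to a Google host on which anyone can publish content.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for host in sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", text))):
        if host.lower() in USER_PUBLISHABLE_HOSTS:
            findings.append(f"link to user-publishable host {host}")

    return findings


# Constructed sample messages, not real captures; signature values are placeholders.
REPLAYED = b"""\
Delivered-To: victim@example.com
Received: from relay.attacker-controlled.example (relay.attacker-controlled.example [203.0.113.10])
 by mx.example.com with ESMTPS; Wed, 16 Apr 2025 10:12:01 +0000
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
 by mx.attacker-controlled.example with ESMTPS; Tue, 15 Apr 2025 22:03:44 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;
 h=to:subject:message-id:date:from:mime-version; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: me@attacker-controlled.example
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A subpoena has been issued for your account data. Review the case at
https://sites.google.com/view/case-details to respond.
"""

GENUINE = b"""\
Delivered-To: victim@example.com
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
 by mx.example.com with ESMTPS; Tue, 15 Apr 2025 22:03:44 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;
 h=to:subject:message-id:date:from:mime-version; bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

A new sign-in on Windows was detected. Check activity at
https://myaccount.google.com/notifications if this wasn't you.
"""

if __name__ == "__main__":
    for label, raw in (("replayed", REPLAYED), ("genuine", GENUINE)):
        print(label, replay_indicators(raw) or ["no replay indicators"])
```

These are indicators, not proof: a mailing list or a personal forwarding rule also produces a non-Google last hop and a To mismatch, so treat the output as a reason to look closer rather than as an automatic verdict. The combination of all three findings on a message that claims to be a Google security alert is what makes the replay stand out.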
Google’s Fix and What You Can Do
Google says it has been rolling out protections since mid-April: it is closing the loophole that lets attackers insert arbitrary text into an OAuth app name and acting against abuse of its platforms, and it expects the fix to be fully deployed soon, which should shut down this route for abuse. It also warns that no filter catches everything, so users still need to stay alert.
To protect yourself, don't click links in emails that press for immediate action, even when they appear to come from Google. If you want to check whether your account really has a problem, open your Google Account security page yourself by typing the address rather than following a link. Turn on two-step verification, ideally with a passkey or a security key rather than a code sent by SMS, so that an attacker who captures your password still cannot sign in. Report suspicious messages through Gmail's built-in reporting option. Experts also suggest email security add-ons, or a different provider, for sensitive correspondence.
This campaign shows how attackers are turning big tech's own tools against its users. Gmail blocks the vast majority of junk, but this one slipped through because every automated check it relies on returned a pass. With more than a billion people using Gmail, staying alert matters. Google keeps updating its defenses, but user habits make the difference, so keep an eye on Google's official updates for the latest.