A phishing scam so devious that it uses Google’s own infrastructure to rip you off
The first thing to note is that this is a valid, signed email – it really was sent from [email protected]. It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.
— nick.eth (@nicksdjohnson) April 16, 2025
His tweet included an image of the email he received, which states that Google LLC was issued a subpoena by a law enforcement agency seeking information contained in his Google account. We don’t have to tell you what kind of personal information a scammer could obtain if you hand it over. But the major problem here, as Johnson points out in a follow-up tweet, is that the email he received is a valid, signed email sent from [email protected].
In a statement, Google said, “We’re aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
The email passes DKIM signature checks, and Gmail displays it without any warnings. According to Johnson, “It even puts it in the same conversation as other, legitimate security alerts.” There is one discrepancy you can look for that signals the email is a scam: the bogus email links to a page on “sites.google.com.” A legitimate alert would link to “accounts.google.com.”
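As an added example (not from the article, Google or Johnson), the hostname check the article describes turned into a small triage routine: every link in an alert-style email body is compared by exact hostname against accounts.google.com, and any link to sites.google.com, a host anyone can publish pages on, is flagged. The sample message bodies and URLs are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Where the article says a genuine Google account alert links, versus the
# user-publishable host the scam email used. Exact hostnames only.
EXPECTED_HOSTS = {"accounts.google.com"}
USER_CONTENT_HOSTS = {"sites.google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"'\])]+")

# Constructed sample bodies for demonstration; not real messages or real URLs.
SAMPLE_PHISH = (
    "Google LLC has been served a subpoena for the contents of your account.\n"
    "Review the case materials: https://sites.google.com/view/case-placeholder/home.\n"
)
SAMPLE_LEGIT = (
    "A new sign-in was detected on your account.\n"
    "Check activity: https://accounts.google.com/notifications\n"
)


def extract_urls(text):
    """Return every http(s) URL in the text, with trailing punctuation stripped."""
    return [m.rstrip(".,;:!?") for m in URL_RE.findall(text)]


def classify_link(url):
    """Classify one link by its exact hostname: 'expected', 'user_content' or 'other'.

    Exact matching matters: 'accounts.google.com.evil.example' and
    'https://evil.example/accounts.google.com' must both come out as 'other'.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host in EXPECTED_HOSTS:
        return "expected"
    if host in USER_CONTENT_HOSTS:
        return "user_content"
    return "other"


def triage(body):
    """Any user-content link is 'suspicious'; only expected links is 'ok';
    no links or unknown hosts need a human 'review'."""
    labels = {url: classify_link(url) for url in extract_urls(body)}
    kinds = set(labels.values())
    if "user_content" in kinds:
        verdict = "suspicious"
    elif kinds and kinds <= {"expected"}:
        verdict = "ok"
    else:
        verdict = "review"
    return {"verdict": verdict, "links": labels}
```

A DKIM pass says only that the message was signed by the claimed domain; the link destination is the signal this check adds.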
We don’t recommend clicking the link in the email. If you disregard that advice, you will be sent to a bogus support portal built from perfectly crafted copies of Google’s login pages. The page is designed to trick users into handing over their login credentials and personal information such as passwords, Social Security numbers and bank account details. That information can then be used to wipe out your financial accounts.
You can avoid becoming a statistic by not relying on a password to open your Gmail account, even if you use two-factor authentication (2FA). With text-based 2FA, users are being tricked into handing over their usernames and passwords, and the thieves then use those stolen passwords to steal the 2FA codes as they are sent to the victim. To prevent that from happening, use a passkey instead of a password for your email accounts.
A passkey relies on a private key stored on the user’s own device. With a passkey, as long as your phone stays in your possession, you shouldn’t have to worry about a 2FA code being stolen.
As usual, the best advice is not to respond to any of these texts or emails, even if they claim to come from law enforcement or government agencies. If the same message keeps arriving, look up a legitimate phone number and call to find out whether the emails or texts you are receiving are genuine. Again, do not respond via text or email.