PayPal Users Face the Same Problem
This scam isn’t unique to Google: PayPal dealt with a similar one last month. In both cases, the scam hinges on getting the company itself to originate the message from its own mail servers, so that it carries a valid DKIM signature and passes DKIM checks, and then forwarding it through a mailing list that passes it on to the victim.
With PayPal, the way to get the company to create the fraudulent email is to register a new email address under an existing account, since this triggers PayPal to send a confirmation email to that address.
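A defender-side check that follows from the mechanism described above, added here as an illustrative example rather than code from the article, Google or PayPal: a message can pass cryptographic DKIM verification (done by the MTA or a library such as dkimpy) and still be a replay of a message the sender legitimately signed earlier. The script below therefore parses the DKIM-Signature tag list and flags the indicators a receiver can look at after the signature itself checks out: an old t= timestamp, a passed x= expiry, a To: header that is either not covered by the signature or does not name the mailbox that actually received the message, and mailing-list headers on the delivery path. The sample message, the domains, the 24-hour age threshold and the placeholder bh=/b= values are all constructed for this example.

```python
import email
import re
from email import policy

# Constructed sample message (not from the article): the DKIM-Signature carries the
# legitimate sender's domain, was stamped at SIGNED_AT, and names the mailing-list
# address in its signed To: header. The bh= and b= values are placeholders, not
# valid cryptographic data; this script does not verify the signature itself.
SIGNED_AT = 1_700_000_000
SAMPLE_RAW = f"""Received: from list.example.org (list.example.org [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTPS; Tue, 14 Nov 2023 23:00:00 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
    by list.example.org (Postfix) with ESMTPS; Tue, 14 Nov 2023 22:15:00 +0000
List-Id: <announce.list.example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example;
    s=sel1; t={SIGNED_AT}; h=from:to:subject:date;
    bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=
From: Security Alerts <no-reply@sender.example>
To: alerts@list.example.org
Subject: Security alert for your account
Date: Tue, 14 Nov 2023 22:13:00 +0000

Constructed body text.
"""

# Assumed site policy: a signature older than this at delivery time is suspect.
MAX_SIGNATURE_AGE = 24 * 3600


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).

    Folding whitespace inside values (common in the b= and bh= tags) is removed.
    """
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def replay_indicators(raw: str, delivered_to: str, now: float) -> list:
    """Return replay indicator codes for a message assumed to have already passed
    cryptographic DKIM verification. An empty list means nothing fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return ["no_signature"]
    tags = parse_dkim_tags(str(sig))
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]

    # A signature stamped long before delivery is typical of a replayed message.
    if "t" in tags and now - int(tags["t"]) > MAX_SIGNATURE_AGE:
        found.append("stale_signature")
    # The signer can set an explicit expiry; honour it if present.
    if "x" in tags and now > int(tags["x"]):
        found.append("expired_signature")
    # Recipient alignment: the signed To: should name the mailbox that got the mail.
    if "to" not in signed:
        found.append("to_unsigned")
    else:
        to_hdr = msg.get("to")
        recipients = [a.addr_spec.lower() for a in to_hdr.addresses] if to_hdr else []
        if delivered_to.lower() not in recipients:
            found.append("recipient_mismatch")
    # Mailing-list headers show the message was redistributed after signing.
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        found.append("list_relay")
    return found


if __name__ == "__main__":
    # Delivered three days after signing, to a mailbox the signed To: does not name.
    print(replay_indicators(SAMPLE_RAW, "victim@recipient.example", SIGNED_AT + 3 * 86400))
```

None of these indicators is a verdict on its own: a genuine list subscriber sees "list_relay" on every post. The value is in the combination, and in routing messages that pass DKIM but trip several indicators into stricter handling rather than trusting the sender domain alone.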
Google has issued a statement about the scam, The Verge reports. According to Gmail Security Communications spokesperson Ross Richendrfer, “We’re aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse. In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.”
While we’re sorry to see that our common phishing protection advice to check the domain of the email sender is no longer reliable, it’s nice to see that two-factor authentication can still help in situations like this. After all, Tech.co’s latest annual study found that a full 98% of senior business leaders in the US can’t correctly identify all the indicators of a phishing email.