Google’s Gmail Upgrade—Do Not Lose Your Account – Forbes
All change for Gmail

Republished on January 10 following new headlines about a Google setting that must be changed to keep Gmail inboxes secure.

You are not ready for the threat landscape in 2025. None of us are. This new world is one in which attackers can scrape social media and target us with the familiar tone and content of those we know, in ways we can’t detect. And they can do so on an industrial scale, automatically and instantly, all through AI. There is one thing you can do to secure your account before it’s too late.

Google is advancing its own AI defenses to combat these threats, but it can’t succeed entirely. And while the company says it now detects “more than 99.9% of spam, phishing and malware in Gmail… blocking unwanted and potentially dangerous messages before they even reached inboxes,” much of this relies on what has been seen before: patterns and trends. This new world changes everything. AI can tweak every email, polish copy, clinically match imagery, and even adapt on the fly.

Gmail is the world’s largest email platform, with some 2.5 billion users by Google’s own count. As such it is the world’s biggest email target. Successfully attack Gmail and you open a world of opportunity. As McAfee warns for 2025, “the risks to trust and safety online have never been greater… That’s why it’s more important than ever for consumers to stay informed about these emerging threats.”

But as sophisticated as these advances might be, to succeed they rely on each of us making a mistake within our own ecosystems: downloading and opening an attachment, clicking a link, entering information into a malicious website, not checking carefully and letting our guard down.
And the one mistake we have all already made is being much too casual in handing out our personal contact details.

SlashNext’s 2024 State of Phishing report painted exactly this picture, with “an unprecedented surge in attack volume”: the research team detected a “202% increase in phishing messages in the second half of 2024, and credential phishing attacks rising 703% in the same period.”

In practical terms this means every inbox is attacked every week, with novel threats arriving constantly. “Our analysis shows that 80% of malicious links in attacks are previously unknown zero-day threats, demonstrating that traditional threat intelligence and signature-based detection methods are increasingly ineffective against modern, AI-powered attack campaigns.”

And just as McAfee, Check Point and others now warn, the prospects for 2025 are much worse. “We expect this rapid evolution to accelerate, with AI-generated attacks becoming more sophisticated and harder to detect,” SlashNext says.

The state of the problem has been perfectly illustrated this week in Netskope’s latest report, which warns that “over the past year, the number of users clicking on phishing links has increased by nearly triple, from 2.9 in 2023 to 8.4 out of every 1,000 users in the average organization clicking on a phishing link each month. This increase comes despite most organizations requiring users to undergo security awareness training to avoid phishing attacks.”

There are two types of attack you need to worry about. The first is highly targeted, and will usually hit you at work. This is where the really powerful AI is being deployed, with attackers mapping organizations and conducting sophisticated operations to steal money, data or both. Stopping it requires user training, strict adherence to rules and the organization’s own IT security controls.
But as The Financial Times warned last week, “phishing scams generated using AI may also be more likely to bypass companies’ email filters and cyber security training.”

Netskope also flags “cognitive fatigue” as a major factor driving the worsening threat landscape, with “users constantly being bombarded with phishing attempts” as well as “the creativity and adaptability of the attackers in delivering harder-to-detect baits.”

And while Google account credentials are prized, the consistent top target for credential theft is Microsoft. This is understandable given the enterprise honeypots its credentials open and the lag we have seen in MFA adoption across the ecosystem. Netskope warns that attackers are “targeting [both] Microsoft Live and 365 credentials… As a result, the percentage of users clicking on links targeting Microsoft credentials is closer to 75%. Microsoft’s popularity as a phishing target is unsurprising because Microsoft 365 is the most popular productivity suite by a large margin.”

It’s little surprise, then, that Microsoft is on a mission to fully eradicate passwords as an entry mechanism into its ecosystem. It has now stated publicly that its intent is not only to push its entire user base (if it can) to passkeys or other hardware-linked login systems, but also to remove passwords even as a secondary means of account access.

The good news for Gmail users, if one can put it that way, is that attackers are now finding that other means of pushing phishing links have become more effective than email.
We have seen this trend coming for some time. Not only is it easier to trick a user into clicking a link in a social media message or post, and easier to make that message or post appear to have come from a trusted source, but it is also more likely to be opened on a mobile device, where the small screen makes it much easier to hide the usual telltale signs of a fake message that are more apparent in email.

Beyond messaging, the other new trend is poisoned search results, either by manipulating search engine optimization directly or by pushing out targeted attacks through specialist sites and forums. “The top referrer was search engines,” Netskope says, “where attackers run malicious ads or use SEO poisoning techniques to get the phishing pages listed at the top of the search engine results for specific terms. Other top referrers included shopping, technology, business, and entertainment sites, where the referrals come from comments, malicious ads, and infected sites. The variety of phishing sources illustrates some creative social engineering by attackers. They know their victims may be wary of inbound emails (where they are repeatedly taught not to click on links) but will much more freely click on links in search engine results.”

I have reported on this SEO poisoning before, and it was a major theme as attacks surged during the holiday season from Black Friday through Cyber Monday and into the end-of-year holiday break.

The second type of attack is more hit-and-hope, but it’s where AI will have the wider impact. Mass attacks targeting thousands or even hundreds of thousands of addresses at a time will change. Most of the fraudulent or malicious emails caught by Google, or reaching your Gmail inbox, are still detectable today. Enhancing the quality and the look and feel of such phishing lures, and combining them with calls or other messages from seemingly trusted sources, will trick millions of users.

But outside of work, those attackers need an address to target.
Your Gmail address will be found on countless lists and in multiple leaks. You can be certain of that. This is why Google’s new shielded email addresses are so critical. Expected to come in a 2025 upgrade, these will enable you to stop giving out your real Gmail address to people or companies that ask for it. You can use aliases linking back to your real address, and then switch them off if you find they are being targeted. Apple’s similar system, Hide My Email, is a sure-fire way of drastically reducing phishing mails.

Gmail didn’t get off to a good start on the security and privacy front, but it’s much better now and its new upgrades make it an account worth keeping. But only if you use the new security upgrades and common sense to ensure you don’t lose your Gmail account (and those it leads to) to hackers or simply through lack of use.

Last month, I advised Apple users to run a Safety Check on their accounts, available through the iPhone’s Privacy & Security settings. Google users should do the same. “This will show you who you’re sharing data with, the apps accessing your information, devices linked to your account and which can access your phone.”

Google says that “to protect your Google Account,” it “strongly recommends” using its account Security Checkup “regularly.” It’s very easy to do so. Just sign into your Google Account, tap or click on your profile picture, and then select “recommended actions” (or go directly to myaccount.google.com/security-checkup). The results are even color-coded: “Blue for security tips, yellow for important steps and red for urgent ones. A green shield with a check mark means your account is healthy and no immediate action is needed.”

All that said, it’s still much easier for an attacker to get hold of your email address than your cell number, and the simplicity of email phishing outplays all other options.
The question for 2025 is whether the new options AI gives attackers change any of these trends, as attacks land on target more often.

And just to keep minds fully focused, the stats are already alarming, per StationX’s most recent data:

Google does offer a big red button to better secure your account: its Advanced Protection Program. But just as I advised Apple users, this is not for you unless “you’re a journalist, activist, or someone else at risk of targeted online attacks.” Don’t be lulled into opting in, thinking you need the ultimate level of protection if you don’t. It requires a passkey or hardware security key to sign in and blocks most third-party apps from reaching your Gmail and Drive data, so many of your devices and services will stop working as you’d expect them to.

Adhering to Google’s critical recommendations around passwords and MFA, the use of passkeys, and safe browsing will go a long way to keeping you safe. But none of that replaces the need to adhere to basic rules. No apps from outside official stores, no clicking links or opening attachments in unsolicited messages, and no sharing your primary email address once shielded email becomes available. You might also consider a new account and address if yours has been around a while and is already a honeypot for spam and phishing.

The other thing you must do to ensure you don’t lose your account is to keep using it, of course. It’s a bit obvious, but if you allow accounts to run stale through lack of use, then Google will delete them. If you do have accounts you don’t use but want to keep, just make sure you log into them once in a while. Google’s inactive account policy currently sets the threshold at two years, so there is little chance of a surprise.

Gmail users have been inundated with security headlines through 2024, which while unsurprising given the size of the platform’s user base will be a concern nonetheless.
And 2025 shows no signs of being any different, even though it’s barely a week old.

The latest security issue to make headlines relates to Check Point’s recent warning that Google Calendar invites have been maliciously doctored to trick users into clicking where they shouldn’t, introducing malware onto their devices. Headlines over the last 24 hours include “millions of Gmail users placed on red alert and told to switch on Google setting now” and “use Gmail — you must adjust one setting NOW to avoid scam targeting thousands of Google users.”

So, what’s behind these headlines? Ahead of issuing its report last month, Check Point explained to me that “Google Calendar has been exploited in a new phishing campaign targeting 300 brands. Cyber criminals are manipulating Google Calendar to bypass email security and deliver phishing emails that appear legitimate.”

This is just another example of a devious phishing lure to trick users into clicking, abusing the casual user instinct to accept a calendar invite by dressing it up with the familiar look and feel of a known brand. Ultimately, the goal is to plant a threat in your Gmail inbox and have you click it without thinking. While this wasn’t specifically an attack on Gmail, the tight Workspace linkage between Google Calendar and Gmail makes this first and foremost a Gmail threat. On that note, the headlines are right.

“Attackers have modified email sender headers to impersonate legitimate users and employ deceptive links,” Check Point told me, “tricking victims into disclosing sensitive information [including] stolen personal and corporate data used for financial scams, such as unauthorized transactions or credit card fraud, leaving victims vulnerable to long-term consequences.”

Google’s advice, per Check Point, is to “enable the ‘known senders’ setting in Google Calendar.
This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past.” And it’s that advice that has prompted the headlines we’re still seeing now.

Check Point’s other recommended actions in its report are similar to those you should be taking anyway to stay safe from the wider phishing threat:

Check Point warned in its report that “due to Google Calendar’s popularity and efficiency in everyday tasks, it is no wonder it has become a target for cyber criminals. Cyber security researchers at Check Point have observed cyber criminal manipulation of dedicated Google tools – namely Google Calendar and Google Drawings. Many of the emails appear legitimate because they appear to directly originate from Google Calendar.”

Last month, I reported on new warnings from the FBI as the email threat landscape worsens. Their advice distills down to three key checks for every unsolicited email that hits your inbox, before you click or open anything: “Check the sender’s email address; check any URL before you click or certainly before you engage; and check the spelling and grammar of the email itself, as well as the URL.”

And notwithstanding that the emerging AI threat makes detecting malicious emails through poor spelling and grammar and low-quality imagery more difficult, the FBI’s advice on keeping your inbox safe hasn’t changed:

Google’s Gmail team provided its own updated advice just ahead of the holidays, which is broadly the same, warning that “since mid-November, we’ve seen a massive surge in email traffic compared to previous months, making protecting inboxes an even greater challenge than normal:

Gmail is becoming safer and is deploying all the wiles Google can muster to take the fight to the scammers and cybercriminals, “blocking more than 99.9% of spam, phishing and malware” targeting its platform.
But ultimately, too many threats still get through. That remaining 0.1%, if that’s the right number, is still an enormous volume of threats making their way onto users’ phones, tablets, laptops and desktops.

All too often, we’re still seeing blatantly fraudulent emails getting through all those defenses the platforms have put in place, when a quick check should have been enough to stop them. My personal bugbear is an email pretending to be from a brand, but with an obviously mismatched sender address that should have been caught.

The best way to combat the new threat coming from AI is to deploy AI, and the emerging trend toward on-device defenses should be the future. This can leverage the AI processing in the latest device upgrades, and while it will take time to be available for all, it should start now. I would like to see the same kind of advances that are coming to malware protection on Android coming to Gmail and other messaging protection as well, not relying on central filters or user flags. The behavioral patterns behind these attacks will be harder to hide than the form of the threats themselves.

Meanwhile, your credentials remain a firm target for criminals and scammers. And your Gmail address is almost certainly already in their possession. Just make sure you don’t give anything else away and come to regret it later.
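The FBI’s three checks quoted above, and the mismatched sender address described here, can be scripted. Below is an added example written for this page; it is not code from Google, the FBI, Check Point or Forbes. Using only Python’s standard library, it parses a raw message, compares the brand named in the From display name against the sending domain and the Reply-To, extracts every link from the HTML body and compares the visible text with the real target, and flags link hosts that spell the brand name without being the brand’s domain. The brand “ExampleBank”, both messages, every domain and the BRAND_DOMAINS allow-list are constructed for the example, and the two-label eTLD+1 helper is a deliberate simplification.

```python
"""Phishing indicator checks for a raw email: sender, links, lookalike hosts.
Added example, not Google's, the FBI's or Forbes' code; all data is constructed."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phish: the display name and link text claim a brand that owns
# neither the sending domain, nor the Reply-To, nor the link target.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank-login.example.net>
Reply-To: support@verify-examplebank.example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Sign in at
<a href="http://examplebank.example.net/login">https://www.examplebank.com/secure</a>
within 24 hours.</p></body></html>
"""
# Constructed legitimate counterpart: everything resolves to the brand's domain.
CLEAN_EMAIL = """\
From: "ExampleBank" <alerts@examplebank.com>
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.examplebank.com/statements">examplebank.com</a></p></body></html>
"""
# Assumed allow-list: brand keyword -> the only domain it legitimately mails from.
BRAND_DOMAINS = {"examplebank": "examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from the <a> tags of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); a real filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def host_of_url(text):
    """Hostname if the visible link text is itself a URL or bare domain, else ''."""
    text = text.strip()
    if "://" not in text:
        if not re.fullmatch(r"(www\.)?[\w-]+(\.[\w-]+)+(/\S*)?", text):
            return ""
        text = "http://" + text
    return urlparse(text).hostname or ""


def check_message(raw):
    """Return human-readable findings for one message; an empty list means clean."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = registered_domain(sender.domain)
    findings = []
    # FBI check 1, the sender's address: a brand in the display name that does
    # not own the sending domain, or a Reply-To that quietly diverts replies.
    claimed = sender.display_name.lower().replace(" ", "")
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in claimed and sender_domain != real_domain:
            findings.append(f"display name '{sender.display_name}' claims {brand}, sender domain is {sender_domain}")
    if msg["Reply-To"] is not None and msg["Reply-To"].addresses:
        reply_domain = registered_domain(msg["Reply-To"].addresses[0].domain)
        if reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")
    # FBI checks 2 and 3, each URL before anyone clicks it, and its spelling:
    # visible text vs real target, target vs sender, and brand-lookalike hosts.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname or ""
            href_domain = registered_domain(href_host)
            text_host = host_of_url(text)
            if text_host and registered_domain(text_host) != href_domain:
                findings.append(f"link text shows {text_host} but href goes to {href_domain}")
            if href_domain and href_domain != sender_domain:
                findings.append(f"link to {href_domain} does not match sender domain {sender_domain}")
            for brand, real_domain in BRAND_DOMAINS.items():
                if brand in href_host and href_domain != real_domain:
                    findings.append(f"link host {href_host} spells {brand} but is not {real_domain}")
    return findings


if __name__ == "__main__":
    print(*check_message(SAMPLE_EMAIL), sep="\n")
    print("clean message findings:", check_message(CLEAN_EMAIL))
```

Run directly, it prints four flags for the constructed phish (display name versus sending domain, diverted Reply-To, link text versus real target, and a host that spells the brand without being it) and an empty list for the clean message. In practice the allow-list would come from a brand inventory and the domain helper from the public suffix list; Gmail’s own filters do far more than this, but these are exactly the checks a human is asked to make before clicking.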