February 12, 2025

Most Sophisticated Gmail Attacks Ever—FBI Says: Do Not Click Anything – Forbes

Do not click anything, FBI advises as phishing attacks continue.

Update, Feb. 9, 2025: This story, originally published Feb. 8, has been updated with new input from a security expert who describes the threats as easier than assembling flat-pack furniture for the attackers, as well as additional Gmail attack mitigation advice from Google.

The danger from attackers looking to compromise your Gmail account has never been greater. Of that there can be no doubt. With AI-powered phishing attacks described as the most sophisticated ever striking again and again, alongside more basic threats to users of the world’s most popular email platform, ignoring this one simple piece of advice from the Federal Bureau of Investigation could be very costly indeed. Here’s what you need to know.

Although the most eye-catching headlines are reserved for stunningly inventive AI-powered attacks against Gmail, they only reveal the tip of a dangerous iceberg capable of sinking the most titanic of user defenses in just one moment of weakness. I am talking about phishing if you want to be simplistic about it, but the nature of these social engineering campaigns has evolved so much that hacking attacks would be far more accurate a description these days. The attackers are literally hacking people in order to hack their email accounts, and Gmail is front and center courtesy of the reach it has in this technology sector. Compromising a Gmail account means compromising a Google account, and the treasure trove of data that this gives access to is hard for any cybercriminal to resist. This doesn’t, of course, mean that users of other email platforms can relax, far from it, but Gmail is always going to be the primary focus of attention for the human hackers.

The Hoxhunt Phishing Trends Report, newly updated Feb. 6, reports a 49% rise in overall phishing attacks capable of evading filters since the start of 2022, and the number of threats being created by AI now accounts for as much as 4.7% of the total. While only 35% of them targeted individuals, there’s little doubt that, as Pyry Åvist, Hoxhunt’s chief technology officer, said, “AI is being weaponized by threat actors to fuel a new era of social engineering tactics.”

Attacks that can create critical threat campaigns using AI for just $5 are evidence of just how far social engineering hackers have evolved. Yet, ultimately, as VIPRE recently confirmed, when it comes to preferred tactics, malicious links lead the way in 70% of cases. Even when it comes to those sophisticated Gmail attacks using AI-created and highly convincing threats, and I recommend following the links in the lede to read all the details, these require link-clicking at some point. This is why you simply must not ignore the FBI recommendations when it comes to dealing with such phishing attacks.

Adrianus Warmenhoven, a cybersecurity expert at Nord Security, meanwhile, has warned that “phishing is easier than assembling flat-pack furniture,” in a new video demonstrating how such attacks work. “The median time users fall for phishing emails is less than 60 seconds,” Warmenhoven said, “nevertheless, preparing and performing a phishing attack does not take much time.” Warmenhoven also warned about the AI threat that has made phishing even more accessible to cybercriminals, and said that nobody needs to be a coding genius to “build convincing copies of trusted websites where you could lead your victim.” Indeed, with some of these advanced tools capable of cloning a genuine website in just a matter of a few clicks, Warmenhoven said, phishing has become both more frequent and effective.

“You might receive an email that appears to be from a legitimate business and is asking you to update or verify your personal information by replying to the email or visiting a website,” the FBI warned, adding that, as is often the case with AI-created attacks, “The email may be convincing enough to get you to take the action requested.” The FBI’s advice for all users is simple: Don’t click on anything in an unsolicited email or text message.

Warmenhoven recommended that users regularly monitor accounts and services for signs of data exposure, make use of a password manager to autofill passwords as these won’t input your credentials on suspicious websites, and ensure your password manager is “configured to require URL matching before filling in sensitive details.”

Google also has plenty of apposite security advice for protecting your Gmail account from such attackers, and I highly recommend you follow it. As well as not clicking on those links, Google said that it “uses advanced security to warn you about dangerous messages, unsafe content or deceptive websites,” and even if you don’t receive a warning, you shouldn’t “download files or enter personal info in emails, messages, web pages or pop-ups from untrustworthy or unknown providers.” Google has also advised that Gmail users should never respond to requests for private information, be that by way of email, text message, or a phone call. If you have any doubts at all about a seemingly genuine communication regarding the security of your Google account, always go and validate what is being said by visiting your account page, using a newly opened web browser, and without clicking any links that the message itself may have given you. Instead, enter the address yourself, or use the normal method of clicking on your Google avatar in Gmail, for example. “On that page,” Google said, “you can check your Google Account’s recent security activity.”

Source: https://www.forbes.com/sites/daveywinder/2025/02/08/most-sophisticated-gmail-attacks-ever-fbi-says-do-not-click-anything/
