The most popular free email platform on the planet is under attack from hackers wielding AI-driven threats. With 2.5 billion users, according to Google's own figures, Gmail isn't the only target of such attacks, but it sure is the biggest. Here's what you need to know and do to protect yourself. Right now.
Gmail is most certainly not immune to advanced attacks from threat actors looking to exploit the treasure trove of sensitive data that is to be found in the average email inbox. As I recently reported, there's an ongoing Google Calendar notification attack that relies upon Gmail to succeed, and Google itself has warned about a second wave of Gmail attacks that include extortion and invoice-based phishing, for example. With Apple also warning iPhone users about spyware attacks, an infamous ransomware gang rising from the dead and claiming Feb. 3 as the next attack date, now is not the time to be cyber-complacent. Certainly not when a giant of the security vendor world, McAfee, issued a new warning that confirmed what I have been saying about the biggest threat facing Gmail users: AI-powered phishing attacks that are frighteningly convincing.
"Scammers are using artificial intelligence to create highly realistic fake videos or audio recordings that pretend to be authentic content from real people," McAfee warned, "As deepfake technology becomes more accessible and affordable, even people with no prior experience can produce convincing content." So, just imagine what people, threat actors, scammers and hackers with prior experience, can produce by way of an AI-driven attack. Attacks that can get within a cat's whisker of fooling a seasoned cybersecurity professional into handing over credentials that could have seen his Gmail account hacked with all the consequences that could carry.
In October, a Microsoft security solutions consultant called Sam Mitrovic went viral after I reported how he had so nearly fallen victim to an AI-powered attack. It was so convincing, and so typical of the latest wave of cyberattacks targeting Gmail users, that it is worth mentioning briefly again. It started a week before it started, let me explain:
Mitrovic got a notification about a Gmail account recovery attempt, apparently from Google. He ignored this, and the phone call, also purporting to come from Google, that followed a week later. Then, it all happened again. This time, Mitrovic picked up: an American voice, claiming to be from Google support, confirmed that there was suspicious activity on the Gmail account. To cut this long story short (please do go read the original, it is very much worth it), the number the call was coming from appeared to check out as being Google from a quick search, and the caller was happy to send a confirmation email. However, being a security consultant, Mitrovic spotted something that a less experienced user may well not have done: the "To" field was a cleverly obfuscated address that wasn't really a genuine Google one. As I wrote at the time, "It's almost a certainty that the attacker would have continued to a point where the so-called recovery process would be initiated," which would have served to capture login credentials and quite possibly a session cookie to enable 2FA bypass as well.
When it comes to mitigation advice, some can be more relevant than others. Take the recent advice from the Federal Bureau of Investigation, of all people, which suggested verifying phishing emails by checking for spelling errors and grammatical inconsistencies. This, as I have pointed out, is very outdated advice and, as such, pretty pointless in the AI-driven threatscape of today.
McAfee's advice, to "protect yourself by double-checking any unexpected requests through a trusted, alternate method and relying on security tools designed to detect deepfake manipulation," is much better.
Best still, however, is the advice from Google itself on mitigating attacks against Gmail users, which can be broken down into these main points: