Google has issued a warning to its users about a new wave of sophisticated phishing attacks targeting Gmail accounts through fake security notifications. These attacks represent an escalation in AI-enhanced social engineering tactics and are part of a broader pattern of AI-powered phishing campaigns that have emerged recently. The scammers use various methods, including fraudulent emails and phone calls, posing as Google support representatives to deceive victims. Typically, they warn users of compromised accounts requiring immediate password resets, during which they send separate password reset emails and request verification codes to take control of accounts. This method is similar to the recent surge in voice phishing attacks.
A newly identified vulnerability involves attackers embedding concealed malicious commands within Gmail messages using HTML and CSS, which can be exploited by AI email summarization tools like Google’s Gemini to create seemingly legitimate security alerts. Google has emphasized its commitment to defending against such industry-impacting attacks and has deployed strong defenses to protect users, including enhanced security measures in Google Workspace and AI-powered two-factor authentication.
While no active exploitation of this AI prompt injection technique has been observed, Google has implemented updated safeguards to prevent such threats. Security experts advise users to remain vigilant regarding suspicious communications claiming to be from Google, regularly verify security settings, and avoid sharing verification codes with unsolicited callers. Additionally, they recommend stronger security measures like passkeys, which use biometric verification, to enhance account protection, although users should be aware of potential vulnerabilities in passkey systems that could lead to authentication downgrade attacks.
