New Gmail Security Alert For All 2.5 Billion Users — Steps To Take Now

Update, August 12, 2025: This story, originally published on August 11, has been updated with additional mitigation advice following the new wave of Gmail security alerts as users warn of a hybrid attack employing email and phone calls in an attempt at account takeover.

Google has already admitted that it is under attack from hackers thought to be part of the ShinyHunters extortion group, confirming a data breach that followed a successful compromise of a Google Salesforce database. Users of Google Cloud do not escape the security warnings either, with an advisory posting providing details of an attack path using what are known as dangling buckets to steal data and distribute malware. Gmail users cannot relax either, as they are also firmly in the hacker crosshairs.

This triad of cybersecurity incidents is completed as Gmail users take to online support forums to report a wave of new attacks. This time, the attackers are adopting a hybrid approach that includes phone calls and email messages, all purporting to be from official Google support staff. As convincing as they are dangerous, here’s what 2.5 billion Gmail users need to know and do about the security scams.


Gmail Security Alert For All 2.5 Billion Users

With an estimated 2.5 billion users, or around 30% of the world’s total population, it’s hardly surprising that cybercriminals are interested in hacking Gmail. After all, your email is a treasure trove of useful data that can be employed in further attacks. All email platforms are vulnerable to hacking, but Gmail, like Microsoft Windows, stands out due to its massive user base.

The latest round of attack warnings comes courtesy of postings to the Gmail subreddit, which describe in detail how scammers are impersonating Google in attempts to initiate an account password reset and take over your email inbox. I have reported on such attacks before, and the recent spike appears to follow the same methodology. The victims first receive a phone call from someone claiming to be from Google support, warning them that an unknown party has attempted to hack their Google account. The caller advises that a password reset is required to stop the so-called attack and protect the user from harm.

This is where the second part of the hybrid scheme comes into play, sending an account reset email to the user. The con itself is a simple one: that password reset email to your Gmail account includes a security verification code to prove it’s you trying to change the password. The attacker encourages the victim to read the code out over the telephone so that “Google support” can reset the victim’s account and protect them from the consequences of the “ongoing attack.” Of course, all they are really doing is hacking your account in real time, while on the phone with you.

Google itself has said that the number of password-stealing threats delivered by email increased by 84% last year, a trend that it confirmed has “only intensified in 2025.”

“We encourage all users to remain vigilant,” a Google spokesperson said, “please reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues.”


Mitigating The Latest Gmail Account Attacks

Google has published a helpful guide with advice on how to tell if a Google security alert is genuine, but users are also advised to implement the following three account attack mitigation steps as a matter of some urgency.

The Google Security Checkup is, in my never humble opinion, the most efficient and effective way to ensure that the right security protections are in place to defend your account. It does this by checking what you have activated, and advising about issues that could leave you at risk. It is a fully automatic process, at least as far as checking your account is concerned, but you will need to follow the provided links to change settings as recommended.

Google’s Advanced Protection Program adds further checks to help prevent even the most determined hackers from gaining access to your Gmail account: it blocks potentially harmful downloads, restricts non-Google apps from accessing data in your Gmail account, and adds extra steps to the account recovery process so that sophisticated attackers cannot use recovery to take control.

And finally, using a Google passkey really can stop most account takeover attacks stone dead. “Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication,” a Google spokesperson told me.
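To make the difference between the two mitigation paths concrete, the following simulation (an added illustration for this article, not Google's code or the project's own) models the scam described above against a one-time verification code and against a passkey-style login. Everything in it is constructed: the account name, the domains, the keys, and the use of a keyed HMAC as a stand-in for the authenticator's private-key signature. The point it demonstrates is the one in the quote: a code can be read out to a caller, whereas a passkey signature covers the site the browser is actually on, so there is nothing for the victim to relay and a lookalike domain gets no signature at all.

```python
"""Why a verification code read out over the phone hands over the account but a
passkey does not. Added illustration for this article, not Google's code.
Every name, domain and key here is constructed for the simulation."""
import hashlib
import hmac
import secrets


class CodeResetService:
    """Legacy flow: a one-time code is mailed to the owner, but the server cannot
    tell whether the person typing it in is the owner or someone the owner told."""

    def __init__(self):
        self._pending = {}

    def request_reset(self, account):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = code
        return code  # in reality this goes to the owner's inbox or phone

    def confirm(self, account, code):
        expected = self._pending.pop(account, "")
        return hmac.compare_digest(expected, code)


class Passkey:
    """Stand-in for an authenticator holding a credential scoped to one rp_id.
    A keyed HMAC replaces the device's private-key signature; the property that
    matters, that the signature covers the site the browser is really on, is the same."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._secret = secrets.token_bytes(32)

    def verifier_key(self):
        return self._secret  # would be a public key in real WebAuthn

    def sign(self, origin_rp_id, challenge):
        # Browser and authenticator refuse to use a credential on a site other
        # than the one it was registered for, so a lookalike domain gets nothing.
        if origin_rp_id != self.rp_id:
            return None
        msg = f"{origin_rp_id}|{challenge}".encode()
        return {"rp_id": origin_rp_id, "challenge": challenge,
                "sig": hmac.new(self._secret, msg, hashlib.sha256).hexdigest()}


class PasskeyService:
    """Server side: issues a fresh challenge per login session and checks that
    the returned assertion is bound to this rp_id and to that challenge."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._keys = {}
        self._sessions = {}

    def register(self, account, key):
        self._keys[account] = key

    def begin_login(self, account):
        session = secrets.token_hex(8)
        self._sessions[session] = (account, secrets.token_hex(16))
        return session, self._sessions[session][1]

    def finish_login(self, session, assertion):
        account, challenge = self._sessions.pop(session, (None, None))
        if assertion is None or account is None:
            return False
        msg = f"{self.rp_id}|{challenge}".encode()
        expected = hmac.new(self._keys[account], msg, hashlib.sha256).hexdigest()
        return (assertion["rp_id"] == self.rp_id
                and assertion["challenge"] == challenge
                and hmac.compare_digest(expected, assertion["sig"]))


def code_relay_scenario():
    """The scam from the article: caller triggers a reset, victim reads the code out."""
    svc = CodeResetService()
    code = svc.request_reset("victim@example.com")  # lands in the victim's inbox
    read_out_over_phone = code
    return svc.confirm("victim@example.com", read_out_over_phone)  # True: attacker is in


def passkey_relay_scenario():
    """Same pressure applied to a passkey login: the caller starts a login and
    steers the victim to a lookalike domain that relays the genuine challenge."""
    svc = PasskeyService("accounts.example.com")
    key = Passkey("accounts.example.com")
    svc.register("victim@example.com", key.verifier_key())
    session, challenge = svc.begin_login("victim@example.com")  # caller's session
    assertion = key.sign("accounts-support.example.net", challenge)  # lookalike origin
    return svc.finish_login(session, assertion)  # False: nothing to read out, no signature


def passkey_legit_scenario():
    """Control case: the owner signs in on the real site and succeeds."""
    svc = PasskeyService("accounts.example.com")
    key = Passkey("accounts.example.com")
    svc.register("victim@example.com", key.verifier_key())
    session, challenge = svc.begin_login("victim@example.com")
    return svc.finish_login(session, key.sign("accounts.example.com", challenge))


if __name__ == "__main__":
    print("code read out over phone -> caller logged in:", code_relay_scenario())
    print("passkey relayed via lookalike -> caller logged in:", passkey_relay_scenario())
    print("passkey on the real site -> owner logged in:", passkey_legit_scenario())
```

The simulation deliberately leaves the human factor in: in the code flow the victim does exactly what the caller asks and the server still accepts the code, because the code carries no information about who is typing it. In the passkey flow the same cooperative victim cannot help the caller, because the credential is scoped to the genuine domain and the assertion is tied to one challenge for one session.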
