As it issues a warning that a second wave of cyber threats against Gmail users is incoming from very persistent attackers, Google has detailed the specific attack methodologies involved and recommended actions that all 2.5 billion Gmail users should take to stay safe and secure. Here's what you need to know.
Although the number of phishing attacks is down by 35% during the holiday season so far when compared to last year, Andy Wen, Gmail's senior director of product management, said that "attackers are very persistent and typically gear up for a second wave of attacks at this point in the season." Indeed, since mid-November, Google has said it has observed a "massive surge in email traffic compared to previous months," which makes protecting your Gmail inboxes a "greater challenge than normal." With in excess of 2.5 billion users, according to Google itself, Gmail is naturally the prime target for attackers, and keeping those inboxes secure is something that Google takes seriously. "We invest heavily to meet this responsibility, blocking more than 99.9% of spam, phishing and malware in Gmail," Wen said.
In a newly published blog posting, Wen said that Gmail users have reported a third fewer scams, including both phishing and malware in this definition, during the first month of the holiday season than in 2023. "Millions more unwanted and potentially dangerous messages were blocked before they even reached inboxes," Wen said. Here's how Google protected those Gmail users, along with the threats it has warned you need to be alert to as 2024 draws to a close.
Google is very keen, and quite rightly, to point out how new technology it has put in place continues to protect billions of Gmail users from attack. "This year, we developed several ground-breaking AI models that significantly strengthened Gmail cyber-defenses," Wen said, "including a new large language model that we trained on phishing, malware and spam." This, Google said, enabled 20% more spam to be blocked than previously through the identification of malicious patterns. An even newer AI model, introduced just before Black Friday, according to Wen, "acts like a supervisor for our existing AI defenses by instantly evaluating hundreds of threat signals when a risky message is flagged and deploying the appropriate protection." And doing so, apparently, in the blink of an eye.
Google has warned that a second wave of cyber attacks targeting Gmail users is incoming and, specifically, alerted them to three that are "in heavy use" currently:
This "vicious and scary" scam, the so-called "We know where you live" attack, involves sending an email that includes details of the victim's home address. There are multiple versions doing the rounds, often including photography of your home. "They generally either include threats of physical harm or threats of releasing damaging personal material they say they acquired through a hack," Wen said.
As the name rather gives away, these attacks involve the sending of fake invoices with the intent to trick the recipient into contacting the sender to dispute the charges, which can be done for a fee. This negotiation is often done over the phone, with a number to call provided in the Gmail message. "These scams aren't new," Wen said, "but are persistent and incredibly prevalent this holiday season."
You can probably file these scams in the brand-impersonation category, but the brand being impersonated is a human being. "Over the past month, many of the most common scams popping up reference famous people," Wen warned, "either pretending to come from the celebrity themself or claiming a given celebrity is endorsing a random product."
Most scams create a sense of urgency to provoke a knee-jerk response and get you to do something you might not do given more time to think about it. So slow down, count to 10, or 20, and ask yourself: is this too good to be true? Is this a sensible response?
And talking of asking yourself if something is too good to be true, or is sending you to a genuine destination, Google recommended doing your research. "Double-check the details of an email," Wen said, "can you validate the email address of the sender?"
"No reputable person or agency will ever demand payment or your personal information on the spot," Wen said. So, do not send anything. Just stop. Good advice.
Although you may wonder what the point of reporting these phishing attacks is, marking a message as spam not only helps clean up your Gmail inbox but, Wen concluded, helps billions of other Gmail users too by adding to the threat intelligence Google's AI defenses collect.