Urgent: Google Presents 3 Gmail Safety Alerts – Prompt Action Suggested
In a recent development, Google's Gmail users have been receiving security warnings about a sophisticated phishing scam targeting approximately 1.8 billion accounts. This scam exploits Google's AI assistant, Gemini, by embedding hidden, invisible prompts within emails that the AI reads when users ask it to "summarize this email."
The scam, which bypasses traditional spam filters, urges users to reveal passwords or contact fraudulent support lines, leading to potential account compromise. The significance of this attack lies in its ability to deceive users, as the AI is unable to distinguish between legitimate user queries and malicious embedded commands.
To respond effectively, Google and security experts recommend several measures:
- Do not trust AI-generated security alerts or prompts inside email summaries. Always verify suspicious warnings through official Google channels. Google has clarified that it does not send security alerts via Gemini summaries.
- Enable two-factor authentication (2FA) or passwordless passkeys on your Google account to add an extra layer of security.
- Be cautious with links and phone calls claiming to be from Google support, especially when they request verification codes or sensitive information.
- Regularly monitor account activity for unusual access and change passwords promptly if you suspect compromise.
- Stay updated on patches and security advisories from Google, as the company has reportedly patched some vulnerabilities but some indirect prompt injection risks remain.
Ruth Kricheli, a vice president of product management at Google, emphasized that abandoned accounts are at least 10 times less likely than active accounts to have two-step verification set up. The first Gmail security warning arrived on July 29, urging immediate action, stating "Your personal info was found on the dark web."
The best mitigation is to run a security checkup, which can provide personalized security recommendations. Users are advised to only stay signed in on devices that are used and trusted. The warning also suggests removing access from devices that are not used anymore.
It's important to note that the second and third Gmail security warnings arrived on July 29 and July 30, respectively. The second warning asks the recipient to "Sign into your Google account," while the third warning arrived on July 30 and suggests reviewing the report provided, which can include emails, passwords, usernames, and other data, with password entries being the most important.
Boris Cipot, senior security engineer at Black Duck, confirmed that in the event of a data breach, attackers can use outdated information to gain access to current accounts or trick users into revealing more. The example given in the warning is a device named Unihertz Jelly 2E.
In summary, these Gmail warnings underscore a new AI-targeted phishing threat exploiting Google’s own AI tools, requiring heightened vigilance, strong authentication methods, and skepticism toward AI-generated prompts within emails.
- With the rise of a sophisticated phishing scam on Google's Gmail, it's crucial for users to be aware that Google does not send security alerts via Gemini email summaries, and they should verify any suspicious warnings through official Google channels.
- To counteract this AI-targeted phishing threat, users are advised to enable two-factor authentication or passwordless passkeys on their Google accounts, thereby adding an extra layer of security and reducing the likelihood of account compromise.
