New phishing scam fools even the pros — Google now urges users to ditch passwords and switch to passkeys for better protection.
Credit: JarTee, Shutterstock
Google confirms a serious Gmail phishing threat. Experts urge users to ditch passwords and switch to passkeys for better online security.
Here we go again – another day, another cyber shocker. Google has confirmed a sneaky new phishing attack on Gmail that’s so convincing, it even fooled a top Ethereum developer. The warning? Stop using your password.
In what’s shaping up to be one of the most troubling phishing tactics we’ve seen this year, the tech giant has issued an update after attackers exploited a loophole in its own infrastructure. The result? A wave of alarming headlines, viral warnings on social media, and yet another call to action for users to ditch traditional logins.
The scam that slipped through Google’s net
The story exploded on X (formerly Twitter) and crypto news outlets, after Ethereum developer Nick Johnson revealed he had been duped by an ‘extremely sophisticated phishing attack.’
According to Johnson, the scam began with an official-looking email – sent from a genuine Google address – warning that his account was linked to a subpoena. That’s enough to get anyone’s heart racing.
“This is a valid, signed email,” Johnson explained. “It was sent from no-reply@google.com. It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.” – Nick Johnson via X
In other words, it looked real because it was real – at least on the surface. The message itself was genuinely generated and signed by Google; what was fake was the context in which it arrived.
But here’s the clever bit. The attackers had figured out how to get Google to send a legitimate email to an address they controlled, then forward that message – complete with its original headers and DKIM signature – to their target. This works because DKIM signs the message body and a chosen set of headers, not the delivery path or the envelope recipient, so a signed message can be re-sent to anyone and still verify. The attackers cannot change the signed content, but they can choose who receives it. The endgame? A convincing phishing page that mirrors the real thing, designed to trick users into handing over their credentials.
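To see why a forwarded copy still passes the signature check, here is an added example (not code from the article or from Google) that computes the DKIM body hash per RFC 6376 relaxed canonicalisation over a constructed security-alert message, shows that relaying it to a new recipient changes nothing DKIM covers while any edit to the body does, and applies one hypothetical replay heuristic of my own: flag a message whose signed To: header does not name the mailbox it landed in. The message, domains, selector and the placeholder signature value are all made up for the illustration.

```python
import base64
import hashlib
import re
from email.parser import Parser

# Constructed sample (not a real Google alert). The b= value is a placeholder;
# only bh= (the body hash) is recomputed here, which is the part replay relies on.
ORIGINAL = """Received: from mail-sor.google.com by mx.attacker.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=selector;
 h=mime-version:from:date:message-id:subject:to;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Google <no-reply@google.com>
To: legal-notice@attacker.example
Subject: Security alert
Date: Mon, 14 Apr 2025 12:00:00 +0000
Message-ID: <constructed@google.com>
MIME-Version: 1.0

A legal request has been served on your account.
Review the case at https://example.invalid/case

"""


def relaxed_body(body: str) -> bytes:
    # RFC 6376 s3.4.4: collapse runs of whitespace, strip trailing whitespace
    # per line, drop trailing empty lines, end with a single CRLF.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(raw_message: str) -> str:
    # bh= is base64(sha256(canonicalised body)); body starts after the first blank line.
    raw = raw_message.replace("\r\n", "\n").replace("\n", "\r\n")
    _, _, body = raw.partition("\r\n\r\n")
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def dkim_tags(raw_message: str) -> dict:
    # Unfold the DKIM-Signature header and split it into tag=value pairs.
    msg = Parser().parsestr(raw_message)
    sig = msg["DKIM-Signature"].replace("\r\n", "").replace("\n", "")
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def signed_headers(raw_message: str) -> dict:
    # Only the fields listed in h= are protected by the signature.
    msg = Parser().parsestr(raw_message)
    return {n: msg.get(n) for n in dkim_tags(raw_message)["h"].split(":")}


def forward(raw_message: str, new_recipient: str) -> str:
    # Relay the message byte-for-byte; a relay only prepends a Received: trace
    # header. The envelope recipient (RCPT TO) lives outside the message, so
    # nothing DKIM covers changes - which is why a replayed copy still verifies.
    trace = f"Received: from mx.attacker.example by mx.victim.example for <{new_recipient}>\n"
    return trace + raw_message


def replay_signals(raw_message: str, mailbox: str) -> list:
    # Hypothetical receiver-side heuristic (my own, not a Gmail feature): a
    # message whose signed To: header names somebody else's mailbox is a replay
    # candidate even though DKIM and DMARC both pass.
    msg = Parser().parsestr(raw_message)
    findings = []
    if not any(mailbox.lower() in addr.lower() for addr in msg.get_all("To", [])):
        findings.append("to-header-mismatch")
    return findings


if __name__ == "__main__":
    relayed = forward(ORIGINAL, "victim@example.com")
    print("bh unchanged by relay:", body_hash(ORIGINAL) == body_hash(relayed))
    print("signed headers intact:", signed_headers(ORIGINAL) == signed_headers(relayed))
    print("replay signals:", replay_signals(relayed, "victim@example.com"))
```

The takeaway for a receiver is that a passing DKIM check is a statement about who signed the content, not about who it was meant for; the replay is visible only in the mismatch between the signed To: header and the mailbox that actually received it.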
Google’s ‘refusal to fix it’ means more attacks likely
Johnson didn’t hold back in his criticism of Google, claiming the company has refused to patch the vulnerability. “Given their refusal to fix it,” he warned, “we’re likely to see it a lot more.”
While Google has since issued an update, security experts say this kind of attack highlights the limits of even the most secure systems when social engineering is involved.
This isn’t some spammy, typo-ridden email from a Nigerian prince stuck in space and offering you 20 squillion euros to help him reclaim his throne. It’s a masterclass in deception, combining real infrastructure with psychological manipulation.
What should you do?
The advice is blunt: stop relying on passwords.
Google’s own guidance is now focused on passkeys – a login method that does not involve typing in anything a fake page could capture. A passkey is bound to the genuine site’s domain, so a look-alike phishing page cannot obtain a credential that works anywhere else. If you are still using a password to log in to your Gmail, it is time to change that, fast.
- Enable two-factor authentication (2FA) – and bear in mind that codes sent by SMS or generated by an app can still be phished by a page that relays them in real time; a passkey or hardware security key cannot.
- Use passkeys or, failing that, a password manager, which will refuse to fill your Google password into a page that is not actually Google.
- Never click on links in unexpected security emails – go directly to your Google account instead.
- Stay calm: even seasoned tech professionals can get caught out.
The bottom line? If a top Ethereum dev can get duped, the rest of us don’t stand a chance unless we stay one step ahead.
Got Gmail? Time to wise up before your inbox becomes your downfall.