Phishing for passwords of unwary Google users

Filed Under: Data loss, Featured, Google, Phishing, Privacy, Spam

GMailHow much damage could be done if your Gmail password fell into the wrong hands?

Quite a lot I would wager.

Because not only would an identity thief be able to send emails pretending to be you, and trawl through your old messages for passwords and financial information, but also your Gmail password will also unlock your other Google accounts - including Google+, Adwords, Google Checkout, Google Docs, YouTube and so forth..

So, you should work hard to protect your username and password credentials for Google login details.

Here's an email that SophosLabs has seen spammed out, pretending to come from Google's team:

Gmail phishing email

The email claims that the recovery email address associated with your Google account has changed, and if you do not verify it then you might lose your account in its entirety.

Dear Account User,

Thanks for updating your e-mail address with us.We changed your recovery e-mail address in our files to [redacted] this is correct, you can disregard this e-mail. If the new e-mail address is not correct or you did not request this change. Follow the instruction in updating your account

However, Failure to do so may result in account suspension permanently.

Thanks for using Gmail!.



Clicking on the link in the spammed-out email does not take you to your Google accounts settings, however. Instead, you are taken to a compromised website which is hosting a phishing page - designed to steal your password.

Gmail phishing website

Always take care about what links you click on, and don't enter your personal information until you are confident you have reached a legitimate site,

And if you need further advice, why not read my point-by-point advice about how to stop your Gmail account being hacked.

, , ,

You might like

8 Responses to Phishing for passwords of unwary Google users

  1. MZAZ · 1275 days ago

    Good thing I don't use GOOGLE. Besides, if any free email service wants any updating they do it when signing in not sent in an email. All one has to do is go to their tools and update.

  2. Mika · 1275 days ago

    You should mention Google's two-step verification. If I give my Gmail password to strangers they would still have to enter the security code that is sent to my cell phone. It's a free service but it works! Well, almost free, since Google got my mobile number in return. I believe they offer smartphone app to generate the security code, which is good if one has to pay for incoming text messages.

    And if entering a second code every login seems too much, there is the "remember verification on this computer for 30 days" option.

  3. Lardinho · 1275 days ago

    Well, that approach simply wouldn't work on me. First I don't have a Hotmail account. Second, Gmail uses SSL which they forgot to include in their link details. I'll give them 2/10. That's for just bothering to try.

    • PaulB · 1275 days ago

      "Well, that approach simply wouldn't work on me. First I don't have a Hotmail account"__What does that have to do with anything?__The Hotmail account named in the message is NOT meant to be YOURS.__The idea is you think someone has changed your GMail Recovery email address to an account that is NOT yours (in this example [redacted] - ) and then you think "Oh ****, someone else has got access to my GMail account" and then click the link in the email to restore the Recovery Email back to YOUR email address. But as per usual with these attacks the link doesn't goto a real GMail website but a spoof one where you then enter your username and password thereby handing it straight to the bad guys.__YOU don't NEED a Hotmail account for this to work.

  4. Bob Bentbike · 1275 days ago

    The subject line for that message would allow me to check my email logs for any delivered at my site.

  5. Sandy · 1230 days ago

    I recently received the following email from a family member who doesn't even have Gmail:

    Dear Account User,

    You are advise to verify your account details below to enable us upgrade your account. E.G Your GMail ID, Password, Date Of Birth etc.

    Click here to verify -->

    In failure of doing this, you will Automatically lose your GMail Account.

    Thanks for using GMail

    Account Alert


    I've seen some phishing scam emails, mostly thanks to you people, but this one is so obviously fake. Anyone else seen this yet?

  6. tony the dog · 1199 days ago

    facebook security sucks i still get hacked with text verification and email alerts on stupid chip thieves stop play poker now hope thats the end of it glad i dont bank with then pathetic and nobody to complain to unless u wanna call the usa i dont think so

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley