New warning as attacks soar.
Gmail is under attack. Google has confirmed that new AI-fueled campaigns are putting account holders at risk, generating concern and headlines in equal measure. The company has warned its 2 billion emails users to check their security settings, adding passkeys and removing SMS two-factor authentication. But Google has also issued another warning to all its users — if you receive this message, you must not respond.
As Gmail users worldwide pore over the detail behind Google’s “no-reply” email attacks, trying to make sense of the technical vulnerabilities that have been exploited, the good news is you can ignore most of this. There’s only one thing you need to keep in mind to stay safe from almost all these new attacks. And Google wants everyone to know that.
“Please reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues,” a spokesperson asked me. And that’s the key. It’s the same advice from Microsoft, Meta, Apple and the rest of big tech. And law enforcement. And your bank. And any similar organization that will be mimicked by scammers looking to steal your credentials, your money, even your identity.
The soaring scale of such attacks has just been highlighted by VIPRE’s “Email Threat Trends Report” for the first quarter of 2025. “For the first time,” it warns, “callback scams have made themselves a contender for top phishing vector, battling it out with links, attachments, and QR codes – and taking a surprising amount of the pie.”
Such attacks are pure social engineering. VIPRE says they “represent an ongoing trend of attackers favoring more low-tech, human-centric attacks as a way to get around sophisticated email scan technology. As many organizations are finding, not being able to catch social engineering email scams like these (that don’t rely on malware) is a significant weak spot that needs to be addressed.”
Callback email scam.
And that’s exactly what has driven the raft of Gmail warnings so far this year. Yes, phishing attacks with emails that perfectly replicate the style, imagery and typeface of a major brand or organization are a terrifying new threat to email users, but not calling back the number in one of those emails is the simplest possible mitigation.
“You’ve heard that cybercriminals look for the low-hanging fruit, VIPRE says. “With callback phishing, they take ‘not working harder than you have to’ to a new level by having you initiate the phishing phone call yourself.”
We have seen such warnings from the FBI, with “phantom hacker” attacks defrauding banking customers who are tricked into moving money to fraudulent safe accounts, the impersonation of law enforcement officers to push victims into paying to avoid arrest or worse, and that myriad of tech support scams.
This was behind Kaspersky’s warning last week that “law enforcement agencies are interested in your account,” which made headlines with reports (1,2) of “hackers abusing Google Services to send malicious law enforcement requests.”
Google has also pushed out a technical fix. “We’re aware of this class of targeted attack,” it confirms, “and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse.”
But its advice is more straightforward. If you’re sent an email with a phone number to call back an organization of any kind, do not respond. If you have any doubts as to whether the email is a scam, contact the organization using the usual, publicly available channels or your apps. Do not click, do not call, do not respond.
This post was created with our nice and easy submission form. Create your post!
