Google phishing scam e-mail deploys diabolical deceptions
By Joshua Long
A series of highly sophisticated Google phishing e-mails has been making the rounds in the past couple of weeks. The scam combines a number of clever techniques to appear plausibly legitimate to the average person.
Put another way: Google itself is sending scam e-mails on behalf of fraudsters, and linking to Google-hosted phishing sites.
What are the signs to watch out for? Let’s break down this scam so you can avoid becoming a victim.
A subpoena from law enforcement?
The e-mail subject line is simply, “Security alert” — not very descriptive. The body of the e-mail is quite long, but includes phrasing similar to the following:
A subpoena was served on Google LLC requiring us to produce a copy of your Google Account content
Google Support Ref #: [2 digits, hyphen, 10 digits]
Transferred to Legal Investigations Support
Google Support Case:
https://sites.google.com/u/[scam URL]/edit
Google Account ID: [13-digit number beginning with 17783]
This notice is to alert you that a subpoena was issued to Google LLC by a law enforcement that seeks retrieval of information contained in your Google Account.
To examine the case materials or take measures to submit a protest, please do so in the provided Google Support Case.
The e-mail is then padded with several blank lines, followed by “Google Legal Support was granted access to your Google Account.”
But in reality, no such law enforcement subpoena exists. In fact, it’s all part of a ruse to encourage you to go to the sites.google.com URL, which is actually a phishing page; we’ll explain more about that later.
Scammers exploit Google to send the phishing e-mail
The most concerning part of this scheme is that the phishers actually trick Google’s systems into sending the phishing e-mail on their behalf.
Any would-be phisher can buy any domain name, sign up for Google Workspace, and create an app that uses OAuth to allow users to sign in using their Google account. Then they add victims to a mailing list (ideally beginning with “me@” so Gmail will show the recipient as “me”—mimicking how Gmail would display the e-mail if it were sent to their own individual address).
The name of the scammer’s OAuth app is ridiculously long; it will be the entire body of the scam e-mail, with line breaks and all, including the phishing link. (We’ll get back to the phishing page itself in a moment.)
The first thing to note is that this is a valid, signed email – it really was sent from [email protected]. It passes the DKIM signature check, and GMail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts.
— nick.eth (@nicksdjohnson) April 16, 2025
This isn’t the first time that we’ve seen mailing lists used in this fashion to mass-send phishing scams through a legitimate service. In February, we covered a very similar scheme that exploited Microsoft services rather than Google ones.
A big part of the problem is that, by design, a single address can be used as an e-mail distribution list; this makes it possible to send mail to all members of that list at once. But all the big service providers allow external e-mail addresses—for example, victims’ @gmail.com addresses—to be included amongst the members of these lists. This feature, while designed to be helpful, is increasingly being exploited by scammers.
Google also hosts the phishing scam page
Yet another diabolical part of the scam is that an authentic Google subdomain hosts the phishing page.
Most people are probably unaware that Google operates a service called Google Sites. This service lets anyone host a Web page under the subdomain sites.google.com. These phishing e-mails use this actual Google subdomain to appear, upon casual inspection, to be a site designed by Google itself rather than a scammer.
If a victim were to visit the sites.google.com address in the phishing e-mail and click on “View case,” they would be prompted to sign in to view the supposed support case. But the sign-in form isn’t real—it’s designed to steal the victim’s Google username and password.
6) If I click "View case" then it shows me this fake signup page. Again, hosted on Google Sites.
Given that it's not a popular website, I could absolutely see people falling for this
A bunch of things were off:
– the email wasn't addressed to me, it was some weird email…
— andrew chen (@andrewchen) April 14, 2025
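The indicators described above (a message that genuinely carries Google’s DKIM signature, a To: line that omits the receiving mailbox because it went through a mailing list, and a link into sites.google.com) can be combined into a simple mail-triage check. The following is an added example, not code from Intego or Google; the sample messages are constructed, and the `no-reply@accounts.google.com` sender, the list domain and the case URL are assumed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# The Google Sites subdomain the article identifies as the phishing host.
SITES_LINK = re.compile(r"https?://sites\.google\.com/\S+", re.IGNORECASE)

def triage_google_alert(raw_message: str, mailbox: str) -> dict:
    """Check one RFC 5322 message for the three indicators from the article:
    google.com DKIM pass, recipient missing from To/Cc, sites.google.com link."""
    msg = message_from_string(raw_message)
    auth = msg.get("Authentication-Results", "").lower()
    dkim_google = "dkim=pass" in auth and "header.d=google.com" in auth
    # A list relay leaves the real recipient out of To/Cc entirely (the "me@" trick).
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    not_addressed = mailbox.lower() not in recipients
    # Concatenate the text parts only; attachments are ignored.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    sites_links = SITES_LINK.findall(body)
    # A genuine Google alert is addressed to you and never sends you to Google Sites.
    suspicious = dkim_google and (not_addressed or bool(sites_links))
    return {"dkim_google": dkim_google, "not_addressed": not_addressed,
            "sites_links": sites_links, "suspicious": suspicious}

# Constructed sample headers modelled on the e-mail described in the article.
TEMPLATE = """\
Authentication-Results: mx.example.com; dkim=pass header.i=@google.com header.d=google.com
From: Google <no-reply@accounts.google.com>
To: {to}
Subject: Security alert
Content-Type: text/plain; charset="utf-8"

Google Support Case: {link}
"""
SCAM_SAMPLE = TEMPLATE.format(to="me@scammer-list.example",
                              link="https://sites.google.com/u/0/d/PLACEHOLDER-CASE-ID/edit")
LEGIT_SAMPLE = TEMPLATE.format(to="victim@example.com",
                               link="https://myaccount.google.com/notifications")

if __name__ == "__main__":
    print(triage_google_alert(SCAM_SAMPLE, "victim@example.com"))   # suspicious: True
    print(triage_google_alert(LEGIT_SAMPLE, "victim@example.com"))  # suspicious: False
```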
If you receive an e-mail like the one described above, you can try reporting it to Google. If you’re reading it in Gmail on the Web, click on the three vertical dots (⋮) and click “🪝 Report phishing.” Or, if you’re reading it in the Gmail app on your phone, tap on the three horizontal dots (…) closest to the top-right corner of the screen, and tap “Report spam.”
It’s unlikely that Google will actually do anything, even if you report it. After all, Google’s systems really did send the message—and, technically, these Google services are operating as intended. Perhaps, given the number of tech news sites that have begun to report on this scam, someone influential at Google will pay attention and demand some internal changes to minimize the risk of similar attacks in the future.
How can I learn more?
We discussed this Google phishing scam in episode 393 of the Intego Mac Podcast.
Additionally, we’ve previously covered tons of e-mail and text message scams; check out these articles for additional details:
- Scammers using new trick in phishing text messages: Google redirects
- “Apple Inc sent you a payment request” Payoneer invoices; other Microsoft-enabled scams
- How to spot fake Apple security alerts via text, phone, email, or web
- Money request and invoice scams via PayPal, Venmo, and Docusign
- Beware of fake package delivery texts and e-mails! Here’s what to look for
- iMessage scams on the rise: Tax refunds and toll payments
- Fake “Geek Squad” invoice scam, now using Housecall Pro servers (Jan 2024)
- Fake invoice scams: Norton, McAfee, PayPal, and more (Jun 2023)
- Top 10 online scams to beware of: from malvertising to deepfake kidnappings
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.