Republished on January 9 with a new report into the rapidly expanding threat landscape for email users.
You are not ready for the threat landscape in 2025. None of us are. This new world is one in which attackers can scrape social media and target us with the familiar tone and content of those we know, in ways we can’t detect. And they can do so on an industrial scale, automatically and instantly, all through AI. There is one thing you can do to secure your account before it’s too late.
Google is advancing its own AI defenses to combat these threats — but it can’t succeed, not entirely. And while the company says it now detects “more than 99.9% of spam, phishing and malware in Gmail… blocking unwanted and potentially dangerous messages before they even reached inboxes,” much of this relies on what we have seen before—patterns and trends. This new world changes everything: AI can tweak every email, polish copy, clinically match imagery, and even adapt on the fly.
Gmail is the world’s largest email platform, with, it says, some 2.5 billion users. As such it’s also the world’s biggest email target. Successfully attack Gmail and you open a world of opportunity. As McAfee warns for 2025, “the risks to trust and safety online have never been greater… That’s why it’s more important than ever for consumers to stay informed about these emerging threats.”
But as sophisticated as these advances might be, to succeed they rely on each of us making a mistake within our own ecosystems. Downloading and opening an attachment, clicking a link, entering information into a malicious website — not checking carefully and letting our guards down. And the one mistake we have all already made is being much too casual in providing our personal contact details.
SlashNext’s 2024 State of Phishing report painted exactly this picture. Citing “an unprecedented surge in attack volume,” the research team detected a “202% increase in phishing messages in the second half of 2024, and credential phishing attacks rising 703% in the same period.”
In practical terms this means every inbox attacked every week, with novel threats coming constantly. “Our analysis shows that 80% of malicious links in attacks are previously unknown zero-day threats, demonstrating that traditional threat intelligence and signature-based detection methods are increasingly ineffective against modern, AI-powered attack campaigns.”
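To make the “previously unknown” point concrete, here is an added illustration (not SlashNext’s or Google’s code) of what an exact-match blocklist can and cannot do. The blocklist, the brand list and every URL below are constructed for the example; the point is that a lookup against hosts seen before misses a freshly registered lookalike, whereas simple structural checks on the link itself (a brand token outside the brand’s own domain, userinfo hiding the real host, a raw IP) still fire on it.

```python
"""Added illustration: an exact-match blocklist ("signature") versus simple
structural checks run over constructed phishing URLs. Not SlashNext's or
Google's code; the sample URLs, brand list and blocklist are made up here."""
import re
from urllib.parse import urlsplit

# Constructed "threat intel": hosts a feed has already seen.
KNOWN_BAD_HOSTS = {"login-gmail-verify.example.net"}

# Brands we care about and the registrable domains they legitimately use
# (constructed, deliberately short list).
PROTECTED_BRANDS = ("google", "gmail", "microsoft", "office365")
LEGIT_ROOTS = {"google.com", "gmail.com", "microsoft.com", "live.com", "office.com"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Real code should use the Public
    Suffix List (e.g. 'bbc.co.uk' would be mis-split here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def signature_match(url: str) -> bool:
    """Exact host lookup against the blocklist: this is what 'seen before' means."""
    host = (urlsplit(url).hostname or "").lower()
    return host in KNOWN_BAD_HOSTS


def brand_lookalike(url: str):
    """Return the brand being impersonated if a protected brand token appears in
    the hostname while the registrable domain is not one the brand owns
    (e.g. accounts-google.com-secure-login.example.org)."""
    host = (urlsplit(url).hostname or "").lower()
    if not host or registrable_domain(host) in LEGIT_ROOTS:
        return None
    tokens = re.split(r"[.-]", host)
    for brand in PROTECTED_BRANDS:
        if any(brand in t for t in tokens):
            return brand
    return None


def classify(url: str) -> list:
    """Collect reasons a link looks suspicious. An empty list means 'nothing
    found', not 'safe'."""
    parts = urlsplit(url)
    reasons = []
    if signature_match(url):
        reasons.append("host on blocklist")
    brand = brand_lookalike(url)
    if brand:
        reasons.append(f"impersonates {brand}")
    if "@" in parts.netloc:
        # https://accounts.google.com@203.0.113.5/ : everything before '@' is
        # userinfo; the real host is what follows it.
        reasons.append(f"userinfo masks real host {parts.hostname}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", parts.hostname or ""):
        reasons.append("raw IP host")
    return reasons


if __name__ == "__main__":
    samples = (
        "https://accounts.google.com/signin",                       # legitimate
        "https://login-gmail-verify.example.net/reset",             # already on the list
        "https://accounts-google.com-secure-login.example.org/verify",  # never seen before
        "https://accounts.google.com@203.0.113.5/login",            # userinfo trick
    )
    for u in samples:
        print(u, "->", classify(u) or ["no findings"])
```

The third sample is the interesting one: `signature_match` returns `False` because nobody has reported that host yet, but `brand_lookalike` still names the brand it is imitating. The checks here are deliberately simple (substring matching will produce false positives on real traffic); the lesson is where the signal comes from, not the exact rule.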
And just as McAfee, Check Point and others now warn, the prospects for 2025 are much worse. “We expect this rapid evolution to accelerate, with AI-generated attacks becoming more sophisticated and harder to detect,” SlashNext says.
The state of the problem has been perfectly illustrated this week in Netskope’s latest report, which warns that “over the past year, the number of users clicking on phishing links has increased by nearly triple, from 2.9 in 2023 to 8.4 out of every 1,000 users in the average organization clicking on a phishing link each month. This increase comes despite most organizations requiring users to undergo security awareness training to avoid phishing attacks.”
There are two types of attacks you need to worry about. The first is highly targeted, and will usually hit you at work. This is where the really powerful AI is being deployed, with attackers mapping organizations and conducting sophisticated operations to steal money or data or both. Successful detection requires user training, strict adherence to rules and enforcement by IT security. But as The Financial Times warned last week, “phishing scams generated using AI may also be more likely to bypass companies’ email filters and cyber security training.”
Netskope also flags “cognitive fatigue” as a major factor driving the worsening threat landscape, with “users constantly being bombarded with phishing attempts” as well as “the creativity and adaptability of the attackers in delivering harder-to-detect baits.” And while Google account credentials are prized, the consistently top target for credential theft is Microsoft. This is understandable given the enterprise access its credentials unlock and the lag we have seen in MFA adoption across the ecosystem. Netskope warns that attackers are “targeting [both] Microsoft Live and 365 credentials… As a result, the percentage of users clicking on links targeting Microsoft credentials is closer to 75%. Microsoft’s popularity as a phishing target is unsurprising because Microsoft 365 is the most popular productivity suite by a large margin.”
It’s little surprise, then, that Microsoft is on a mission to fully eradicate passwords as an entry mechanism into its ecosystem. It has now stated publicly that its intent is not only to push its entire user base (if it can) to passkeys or other hardware-linked login systems, but also to delete passwords even as a secondary means of account access.
The good news for Gmail users — if one can put it that way — is that attackers are now finding that other means of pushing phishing links have become more effective than email. We have seen this trend coming for some time. Not only is it easier to trick a user into clicking a link in a social media message or post, it’s also easier to make it seem that the message or post has come from a trusted source. Such a message is also more likely to be opened on a mobile device, where the small screen makes it much easier to hide the usual telltale signs of a fake that are more apparent in an email client.
Beyond messaging, the other new trend is compromised search results, either by poisoning search engine rankings directly or by pushing out targeted attacks through specialist sites and forums. “The top referrer was search engines,” Netskope says, “where attackers run malicious ads or use SEO poisoning techniques to get the phishing pages listed at the top of the search engine results for specific terms. Other top referrers included shopping, technology, business, and entertainment sites, where the referrals come from comments, malicious ads, and infected sites. The variety of phishing sources illustrates some creative social engineering by attackers. They know their victims may be wary of inbound emails (where they are repeatedly taught not to click on links) but will much more freely click on links in search engine results.”
I have reported on this SEO poisoning before, and it was a major theme as attacks surged during the holiday season from Black Friday through Cyber Monday and into the end-of-year holiday break.
The second type of attack is more hit and hope, but it’s where AI will have a wider impact. Mass attacks targeting thousands or even hundreds of thousands of addresses at a time will change. Most of the fraudulent or malicious emails Google catches today, and most of those that reach your Gmail inbox, are still detectable by eye. Enhancing the quality and the look and feel of such phishing lures, and even combining them with calls or other messages from seemingly trusted sources, will trick millions of users.
But outside of work, those attackers need an address to target. Your Gmail address will be found on countless lists and in multiple leaks. You can be certain of that. This is why Google’s new shielded email addresses are so critical. Expected to come in a 2025 upgrade, these will enable you to stop giving out your real Gmail address to people or companies that ask for it. You can use aliases that forward to your real address, and then switch those off if you find they’re being targeted. Apple’s similar system (Hide My Email) is a sure-fire way of drastically reducing phishing mails.
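The pattern behind these alias systems is simple enough to show in a few lines. The following is an added illustration, not Google’s or Apple’s implementation: each company gets its own random alias, the relay forwards only while that alias is active, and when an alias starts receiving phishing you revoke it and, because the alias was given to exactly one party, you also learn who leaked or sold it. The relay domain, service names and addresses are made up for the example.

```python
"""Added illustration of the per-service alias pattern: one alias per relying
party, forwarding only while active, revocation that also attributes the leak.
Not Google's or Apple's code; relay domain and names are constructed here."""
import secrets

RELAY_DOMAIN = "relay.example"  # hypothetical forwarding domain


class AliasVault:
    def __init__(self, real_address: str):
        self.real_address = real_address
        # alias -> {"service": who it was given to, "active": bool, "abuse": count}
        self._aliases = {}

    def issue(self, service: str) -> str:
        """Mint a fresh random alias and bind it to exactly one relying party."""
        alias = f"{secrets.token_hex(6)}@{RELAY_DOMAIN}"
        self._aliases[alias] = {"service": service, "active": True, "abuse": 0}
        return alias

    def route(self, rcpt: str) -> tuple:
        """Decide what the relay does with a message addressed to rcpt."""
        rec = self._aliases.get(rcpt.lower())
        if rec is None:
            return ("reject", None)          # unknown alias: never touches the real inbox
        if not rec["active"]:
            return ("drop", rec["service"])  # revoked: sender is mailing a dead letterbox
        return ("forward", self.real_address)

    def report_phish(self, alias: str) -> str:
        """An alias received a phishing lure: disable it and return the service
        that leaked or sold it. With one shared address this attribution is
        impossible; with one alias per service it is automatic."""
        rec = self._aliases[alias]
        rec["abuse"] += 1
        rec["active"] = False
        return rec["service"]

    def leak_sources(self) -> list:
        """Every service whose alias has ever drawn abuse."""
        return sorted({r["service"] for r in self._aliases.values() if r["abuse"]})


if __name__ == "__main__":
    vault = AliasVault("me@gmail.example")       # constructed real address
    shop = vault.issue("retailer")
    news = vault.issue("newsletter")
    print("retailer alias:", shop, "->", vault.route(shop))
    print("phish arrived; leaked by:", vault.report_phish(shop))
    print("retailer alias now:", vault.route(shop))
    print("newsletter alias still:", vault.route(news))
    print("leak sources:", vault.leak_sources())
```

Note what revocation costs the attacker: a list bought from the leaky retailer contains only a dead alias, while the newsletter’s alias and your real address are untouched. That is the property you lose every time you hand a company your primary Gmail address.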
Gmail didn’t get off to a good start on the security and privacy front, but it’s much better now and its new upgrades make it an account worth keeping. But only if you use the new security upgrades and common sense to ensure you don’t lose your Gmail account (and those it leads to) to hackers or simply through lack of use.
Last month, I advised Apple users to run a Safety Check on their accounts, available through iPhone’s Security & Privacy settings. Google users should do the same. “This will show you who you’re sharing data with, the apps accessing your information, devices linked to your account and which can access your phone.”
Google says that “to protect your Google Account,” it “strongly recommends” using its account security checkup “regularly.” It’s very easy to do so. Just sign into your Google Account, tap or click on your profile picture, and then select “recommended actions.” The results are even color-coded. “Blue for security tips, yellow for important steps and red for urgent ones. A green shield with a check mark means your account is healthy and no immediate action is needed.”
All that said, it’s still much easier for an attacker to get hold of your email address than your cell number, and the simplicity of email phishing outplays all other options. The question for 2025 is whether the new options AI gives attackers change any of these trends, as attacks land on target more often.
And just to keep minds fully focused, the stats are already alarming — per StationX’s most recent data:
- “Phishing is the single most common form of cyber crime. An estimated 3.4 billion emails a day are sent by cyber criminals, designed to look like they come from trusted senders; this is over a trillion phishing emails per year.
- Email impersonation accounts for an estimated 1.2% of all email traffic globally.
- Around 36% of all data breaches involve phishing.
- 3% of employees will click on a malicious link within a phishing email.
- Remote workers may be more likely to be targeted than office-based employees. 80% of infosec professionals say they’ve seen increased security threats since the shift to remote working. 62% said that phishing attacks had increased more than any other type of threat.”
Google does offer a big red button to better secure your account—its Advanced Protection Program. But just as I advised Apple users, this is not for you unless “you’re a journalist, activist, or someone else at risk of targeted online attacks.” Don’t be lulled into opting in, thinking you need the ultimate level of protection if you don’t. It will stop many of your devices and services working as you’d expect them to.
Adhering to Google’s critical recommendations around passwords and MFA, the use of passkeys, and safe browsing will go a long way to keeping you safe. But none of that replaces the need to adhere to basic rules. No apps from outside official stores, no clicking links or opening attachments you weren’t expecting, and no sharing your primary email address once shielded email becomes available. You might also consider a new account and address if yours has been around a while and is already a honeypot for spam and phishing.
The other thing you must do to ensure you don’t lose your account is to keep using it, of course. It’s a bit obvious, but if you allow accounts to run stale through lack of use, then Google will delete them. If you do have accounts you don’t use but want to keep, just make sure you log into them once in a while. Google publishes the policy, and the threshold is currently set at two years of inactivity, so there is little chance of a surprise.