
Beware the Google Email Lookalike: New Phishing Scam Uses Google’s Own Tools Against You

A new attack bypasses Gmail's defences and mimics official Google emails—here’s how it tricks you and what to do next.

It looks like a legitimate security alert from Google: the sender is no-reply@accounts.google.com, the message passes DKIM checks, Gmail shows no warnings, and it even lands in the same thread as your genuine security alerts. But the links in this phishing email lead to a fake support portal hosted on Google's own sites.google.com. Developer Nick Johnson, who exposed the scam, explains that the message itself was generated and signed by Google's mail infrastructure and then relayed to victims, which is why it passes DKIM and is threaded with real alerts, while the landing page abuses the legacy Sites infrastructure, which still permits arbitrary scripts and embeds, to look like an official Google page. Once on the bogus portal, users are prompted to "View Case" or "Upload Documents"; either choice redirects to a fake sign-in page that harvests any credentials entered. The tell is the address bar: Google never asks you to sign in on sites.google.com, only on accounts.google.com.
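The combination described above, a DKIM-passing message from a Google sender domain whose links point at user-publishable Google content, is something a mail gateway or triage script can flag. The following is an added example, not code from the article or from Google; the sample messages, the sender and link hostnames it treats as "official" versus "user content", and the `assess()` verdict names are assumptions made for illustration.

```python
"""Flag Google-branded alerts whose links lead to user-publishable Google hosts.

Added example (not from the article). The heuristic: a message from an
official Google sender domain that links into sites.google.com (or other
hosts where any Google account can publish content) is suspicious even
when DKIM passes, because DKIM only proves Google signed the message, not
that the linked page is Google's.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts where arbitrary Google users can publish pages/files.
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com", "drive.google.com"}
# Assumption: sender domains Google uses for account notifications.
OFFICIAL_SENDER_DOMAINS = {"accounts.google.com", "google.com"}


class _LinkCollector(HTMLParser):
    """Collect every <a href=...> from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(msg: EmailMessage) -> list[str]:
    """Return all anchor targets found in text/html parts of the message."""
    links: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
    return links


def dkim_passed(msg: EmailMessage) -> bool:
    """Read the receiving MTA's Authentication-Results verdict (string match)."""
    return "dkim=pass" in msg.get("Authentication-Results", "").lower()


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the first From: address, lowercased ('' if absent)."""
    header = msg["from"]
    if not header or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.rpartition("@")[2].lower()


def assess(raw: str) -> dict:
    """Parse a raw RFC 5322 message and apply the lookalike-alert heuristic."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    looks_official = domain in OFFICIAL_SENDER_DOMAINS or domain.endswith(".google.com")
    user_content_links = [
        link for link in extract_links(msg)
        if (urlparse(link).hostname or "").lower() in USER_CONTENT_HOSTS
    ]
    return {
        "sender_domain": domain,
        "dkim_pass": dkim_passed(msg),
        "user_content_links": user_content_links,
        # DKIM result is deliberately ignored in the verdict: it passes in the real attack.
        "verdict": "LOOKALIKE_ALERT" if looks_official and user_content_links else "OK",
    }


# Constructed sample: official sender, DKIM pass, but the call to action
# points into sites.google.com (path is made up for the example).
SAMPLE_PHISH = """\
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.d=accounts.google.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the support case for your account.</p>
<p><a href="https://sites.google.com/view/support-case-review/home">View Case</a></p>
</body></html>
"""

# Constructed sample: a genuine-looking alert linking to Google's own account console.
SAMPLE_LEGIT = """\
From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.d=accounts.google.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>New sign-in from a Linux device.</p>
<p><a href="https://myaccount.google.com/notifications">Check activity</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess(raw))
```

The verdict intentionally does not consult the DKIM result: in the campaign described here the signature is valid, so a rule that trusts `dkim=pass` would wave the message through. The link-host check is the part that survives the replay.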

Johnson attributes the attack to two flaws in Google's ecosystem: Sites' outdated scripting permissions, which let a page run arbitrary scripts and embeds under a google.com hostname, and the lack of an easy way to report abuse of such pages. He calls the technique "too powerful a phishing vector" and urges Google to restrict scripts and embeds on Sites. Although Google initially brushed off Johnson's concerns, it later acknowledged the issue and is rolling out a fix. In a statement, Google attributed the attacks to a threat actor it calls Rockfoils, said new protections will be fully deployed soon, and recommended two-factor authentication and passkeys, which are not captured by a fake sign-in page. Until then, stay sharp: check the address bar before entering a password, and remember that just because it looks like Google doesn't mean it is Google.