Why are phishing emails getting harder to spot?
Because they’re getting smarter.
In April 2025, Google issued a warning to its 3 billion Gmail users about a phishing attack so clever it used Google’s own infrastructure to look completely legit.
These weren’t your usual dodgy spam messages.
Cyber criminals found a way to send emails that passed all the usual security checks (DKIM, SPF and DMARC), so they appeared to be genuine emails from no-reply@google.com. And they weren’t flagged as spam.
That’s a problem. A big one.
How did scammers make fake Google emails look real?
The attack was complex, but here’s the short version:
- They registered a domain with Google
- Created a Google Account using that domain
- Built a fake OAuth app with the phishing message as its name
- Used Google’s own systems to send out emails
Because the messages were signed by Google, they passed authentication. So even trained eyes would struggle to spot the fake.
That’s like a fake ID made by the passport office.
What tricks do these phishing emails use?
🚨 They create urgency
- “Your account has been compromised.”
- “Unusual login detected.”
- “Payment failed – update now.”
It’s all designed to make you panic and click.
🧠 They use personal details
Attackers use social engineering, scouring LinkedIn or Facebook for your job title, school, or recent events, then tailor messages to feel familiar.
You drop your guard because it sounds real.
How do I tell a fake Google email from a real one?
📩 They ask for personal info
Google will never email asking for:
- Passwords
- Credit card numbers
- Bank details
- Social Security numbers
- Your mum’s maiden name
🔗 They include suspicious links
Always hover over links to preview the real URL. If it doesn’t go to google.com, close the tab and walk away.
🕵️‍♀️ They mask dodgy domains
Click on the sender’s name in Gmail. If it shows something strange like security.alerts@googl3.com, it’s a scam.
🔐 They trick DKIM
This April’s attack even passed DKIM checks. That’s like someone copying your signature perfectly, and it worked because DKIM only verifies the parts of the email the sender chose to sign (selected headers and the body), not the full envelope.
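As an added example (not code from the article or from Google), here is a small Python check that reads a message’s DKIM-Signature header and reports what a passing signature actually vouches for: the signing domain (d=) and only the headers listed in h=, never the SMTP envelope (Return-Path). It also applies the “masked domain” check from above to catch lookalikes such as googl3.com. The sample message, the trusted-domain list and the digit-swap table are constructed assumptions, and the code inspects headers rather than verifying the signature cryptographically.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real message: d= and From: both say google.com, so the
# signature and DMARC alignment pass, while Reply-To and the envelope sender do not.
SAMPLE_MESSAGE = b"""Return-Path: <bounce@relay.attacker.example>
From: Google <no-reply@google.com>
Reply-To: Google Support <support@googl3.com>
To: victim@example.org
Subject: Security alert: unusual login detected
Date: Tue, 01 Apr 2025 09:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=20230601; h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=

Unusual login detected. Review your account now.
"""

TRUSTED_DOMAINS = {"google.com"}
# Digit-for-letter swaps seen in lookalike domains such as googl3.com (assumed list).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature header into tag=value pairs, dropping folding whitespace."""
    compact = re.sub(r"\s+", "", str(header_value or ""))
    return dict(tag.split("=", 1) for tag in compact.split(";") if "=" in tag)

def review_message(raw):
    """Return findings showing what a passing DKIM signature does and does not vouch for."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tags = parse_dkim_tags(msg.get("DKIM-Signature"))
    signed_headers = set(tags.get("h", "").lower().split(":"))
    signing_domain = tags.get("d", "").lower()
    findings = []
    # DKIM vouches only for d= and the headers in h=; the envelope (Return-Path) is never signed.
    for name in ("From", "Reply-To", "Return-Path"):
        dom = domain_of(msg.get(name))
        if dom and dom != signing_domain:
            covered = "signed" if name.lower() in signed_headers else "unsigned"
            findings.append(f"{name} points to {dom}, not signing domain {signing_domain} ({covered} header)")
        if dom not in TRUSTED_DOMAINS and dom.translate(LOOKALIKE_MAP) in TRUSTED_DOMAINS:
            findings.append(f"{name} uses lookalike domain {dom} (resembles {dom.translate(LOOKALIKE_MAP)})")
    return findings
```

Run `review_message(SAMPLE_MESSAGE)` and the three findings show why a Google-signed message can still be a phish: the reply address and the bounce address both sit outside the domain the signature covers.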
How can I protect my Gmail account?
Here’s a checklist worth bookmarking.
✅ Enable two-factor authentication (2FA)
Even if someone gets your password, they can’t log in without the second code.
✅ Use Google’s Security Checkup
This free tool reviews devices, third-party apps, and settings that could leave you exposed.
✅ Turn on Enhanced Safe Browsing
This Google feature offers real-time protection against dodgy sites and downloads. According to Google, it reduces phishing risk by 35%.
✅ Regularly review third-party app access
OAuth-based attacks use this route. Revoke access for apps you don’t recognise.
✅ Keep your browser and devices updated
Patches fix known vulnerabilities attackers love to exploit.
And don’t forget your brain
Even the best tech can’t protect you if you click on something without thinking. Stay sharp:
- Don’t click links in emails asking you to “verify” anything
- Check sender addresses and look for weird spellings or domains
- Report dodgy emails to Google — it helps everyone
- Trust your gut — if something feels off, it probably is
Real talk: Even Google got caught out
This isn’t about blaming users. If Google’s own systems can be manipulated, it shows how smart today’s scammers have become.
Cyber criminals send 3.4 billion phishing messages every day. Google blocks about 100 million. The rest? That’s where human awareness kicks in.
Key takeaways
- Recent Gmail phishing scams use Google’s own servers to pass security checks
- OAuth and DKIM exploitation made fake emails look real
- Enhanced Safe Browsing and 2FA reduce your risk significantly
- Don’t trust urgency or unexpected requests for sensitive info
- Stay alert and report anything suspicious
Need to level up your business’s cyber security?
If you’re using Gmail for your business (or even just personally), it’s time to take this seriously.
Cloud & More works with businesses across the Home Counties, London, and Bristol to keep inboxes safe, train teams to spot phishing, and help you sleep easier at night knowing we’re on it.
Let’s make your IT security feel as solid as your morning coffee.
Worried about phishing emails slipping through the cracks?
Let Cloud & More help you lock down your Gmail security, no jargon, no pressure, just proper support that works.