Urgent Warning to Billions of Gmail Users Over Dangerous ‘No-Reply’ Attack

“It really was sent from no-reply@google.com,” he explains. “It passes the DKIM signature check, and Gmail displays it without any warnings — it even puts it in the same conversation as other, legitimate security alerts,” which may raise questions around cloud-based security auditing and compliance with cybersecurity insurance protocols.

Not only this, but the ‘Sites link’ then takes you to “a very convincing support portal page,” which has a domain that looks ‘legit’ too — a common vector used in credential harvesting attacks with potential class-action liability risks.

Should you then click on “Upload additional documents” or “View case,” you’d also be taken to a sign-in page which is “an exact duplicate of the real thing” — opening the door for phishing-related financial damages, fraudulent access to digital health portals, and HIPAA breach concerns if sensitive medical data is involved.

“The only hint it’s a phish is that it’s hosted on instead of http://accounts.google.com,” he adds — a subtlety that could lead to identity theft, fraud claims, and cyber liability policy filings.

Johnson theorized the scam works by “harvest[ing] your login credentials” should you put them in, and then using them to compromise your account — a scenario where fraud protection services and data recovery insurance may become critical.

Unsurprisingly, he didn’t go further to check. But how was the phishing attack able to make itself look so believable?
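The one tell quoted above, that the sign-in page is not hosted on accounts.google.com, can be checked mechanically by a mail filter or triage script. The following is an added example, not code from the article or from Google: the function names and verdict labels are hypothetical and the `.example` URLs are constructed samples. It compares the parsed host rather than searching the URL text, so the genuine name appearing in the userinfo, path, or as a subdomain prefix of another host does not count as a match.

```python
from urllib.parse import urlsplit

# Hostname the article quotes as the genuine sign-in location.
EXPECTED_SIGNIN_HOST = "accounts.google.com"


def signin_host_verdict(url: str, expected: str = EXPECTED_SIGNIN_HOST) -> str:
    """Classify a sign-in link; 'match' only if the real host is exactly `expected`."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # strips userinfo and port, lowercases
    except ValueError:
        return "unparseable"
    if not host:
        return "no-host"
    host = host.rstrip(".")  # "accounts.google.com." is the same DNS name
    # Non-ASCII or punycode labels can render like the expected name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "idn-host"
    if host == expected:
        # Right host, but a sign-in form should only ever be served over TLS.
        return "match" if parts.scheme == "https" else "not-https"
    # Expected name present somewhere in the URL, but not as the host:
    # userinfo trick, subdomain prefix of another domain, or a path segment.
    if expected in url.lower():
        return "lookalike"
    return "different-host"


def triage(urls):
    """Map each URL to its verdict so non-matching links can be quarantined."""
    return {u: signin_host_verdict(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links; the .example hosts are placeholders.
    samples = [
        "https://accounts.google.com/signin",
        "https://accounts.google.com@login.example/signin",
        "https://accounts.google.com.login.example/signin",
        "https://login.example/accounts.google.com/signin",
        "https://login.example/signin",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:15} {url}")
```

Only a `match` verdict should be treated as the genuine sign-in host; every other verdict is a reason to hold the message for review.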
