Johnson says there’s “no way to report abuse from the Sites interface too,” meaning it’s easier for the phishers to simply upload new versions of “arbitrary scripts and embeds” than it is for anyone to get them taken down.
Johnson recommends Google “disable scripts and arbitrary embeds in Sites” as they’re “too powerful a phishing vector.”
However, he notes the email is “much more sophisticated.” So, how did Johnson spot it was dodgy?

How to spot a phishing email

Johnson points out the “first clues” come with the header of the email.
“Although it was signed by it was emailed by, and sent to ‘me@blah,’” he states. The signing domain, the sending domain and the recipient address did not line up, which is exactly the kind of inconsistency an analyst checks for first.
And the “second clue”? “Below the phishing message is a lot of whitespace (mostly not shown) followed by ‘Google Legal Support was granted access to your Google Account’ and the odd me@… email address again,” Johnson flags. Hidden padding and a recipient address that is not your own are both signs that the message was built to pass filters rather than to reach you.