Gmail Hack Attack — Google Says You Have 7 Days To Act

Gmail is under attack. That phrase should send shivers down your spine if you are one of the more than 3 billion people who use the world’s most popular email platform. The latest in a long line of threat campaigns is particularly dangerous in that it appears to come from Google itself. But with threat actors continually changing up their attack methodologies, becoming increasingly sophisticated thanks to the use of AI, and even employing automatic password hacking machines in their attacks, the danger to your email account and the data it unlocks continues to mount.

Google is, of course, fighting back with upgraded security protections, but the danger continues. If you fall victim to the latest Gmail hack attack, or any other that locks you out of your Google account, Google has said that you have seven days to get it back. Here’s what you need to know and do.

The latest Gmail hack attack involves a sophisticated phishing campaign that uses an OAuth application and what has been described as a “creative DomainKeys Identified Mail workaround” to fool victims into thinking a security alert email originated from Google itself. In other words, it has managed to bypass the exact protections that Google has put in place to help prevent such attacks in the first place.

The good news is that Google has confirmed it is putting out updated protections that counter the threat methodology used in this attack. “These protections will soon be fully deployed,” a spokesperson said, “which will shut down this avenue for abuse.”

A Google spokesperson has also told me that anyone who finds themselves locked out of their Gmail account following a successful attack, where the hacker has changed their account password and recovery methods, still has seven days in which they can undo the damage and regain access to that hacked account.

Do Not Make Calls On Your Phone If You Get This Message

If you receive a message like this, do not make calls on your phone. Instead, follow these steps:

Acting quickly is the key to successful recovery if an attacker has compromised a Google account and changed the password, or even added a passkey, to prevent the legitimate owner from accessing it. Using “phishing-resistant authentication technologies, such as security keys or passkeys,” as advised by Google spokesperson Ross Richendrfer, is highly recommended to avoid finding yourself in this situation in the first place.

However, if you do fall victim, all hope is not lost. According to Richendrfer, “We recommend all users to set up a recovery phone as well as a recovery email on their account.” These can be used in cases where users forget their own passwords, or an attacker changes the credentials after hijacking the account.

Following a Gmail hack, even if the attacker has changed your recovery telephone number, Richendrfer advised that you have 7 days in which that number can still be used to regain control of, and access to, your Gmail account. The same applies to your recovery email. “When you change your recovery email,” Richendrfer said, “you may be able to get a callback from Google within just one minute.”

Getting Human Help Recovering After A Gmail Hack Attack

If you subscribe to Google One’s premium service, then you may be able to get that human assistance. This is because Google One Premium brings with it the benefit of “enhanced access to support” alongside extra data, storage and dark web monitoring.

Although I have not been able to find a definitive answer from Google as to what, exactly, is covered by this enhanced access to support, I have done a bit of digging around the various options offered to me as a Google One premium subscriber myself. By describing an issue of not being able to access my Gmail account as I had been locked out by attackers, I was presented with a number of support options which narrowed the problem down even further and eventually led me to an option to get a callback from Google.

What’s more, during the research, I was promised this callback within a waiting time of just one minute. An online chat option was also offered for those who prefer not to speak, although the waiting times for such a response were considerably longer.