Google Confirms Gmail Phishing Attack, Urges Users to Stop Using Passwords

Google has confirmed a sophisticated phishing attack targeting Gmail users, exploiting vulnerabilities in its infrastructure and advanced social engineering tactics. The attack involves emails that appear to come from legitimate Google addresses, pass security checks like DKIM, and are used to lure users into credential phishing sites. A notable victim was an Ethereum developer who received a convincing subpoena-themed email, illustrating how even experienced users can be deceived. In response, Google is rolling out new protections to block this attack vector, but urges users to stop relying on passwords—including those with SMS-based two-factor authentication. Instead, the company recommends switching to passkeys and device-based authentication methods, which offer stronger resistance against phishing attempts. Users are also advised to maintain robust security practices, such as using antivirus software and avoiding public Wi-Fi.