
A recently introduced Gmail feature that allows users to change their email address is already being abused by cybercriminals in a new wave of phishing attacks. The tool lets users adopt a new Gmail address while keeping the old one as an alias, with all messages still routed to the same inbox. While designed for convenience, security experts warn it is now being used as bait in highly convincing scams.

Attackers are sending emails that appear to come directly from Google, often using legitimate-looking sender addresses such as no-reply@accounts.google.com. These messages typically reference a supposed address change or urgent security verification. Victims are told to confirm their identity or activate a new address through a link. Instead of leading to a genuine Google page, the link directs users to fraudulent websites designed to steal login credentials.

What makes the campaign particularly dangerous is the use of sites.google.com, a real Google platform for hosting user-created pages. Because the domain itself is legitimate, many spam filters do not block these links. The fake pages closely imitate Google support or security portals, increasing the chances that users will trust them.
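As an added illustration (not code from the article or from Google), the following Python check shows why a legitimate-looking domain is not enough on its own: it flags links in a message whose sender claims to be Google when those links point to user-hosted sites.google.com content or leave google.com entirely. The sample message and its link path are constructed placeholders, not real campaign artifacts.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure (placeholder content, not a real campaign artifact).
SAMPLE = """From: Google Accounts <no-reply@accounts.google.com>
Subject: Confirm your new Gmail address
Content-Type: text/plain

Your address change is pending. Confirm within 24 hours:
https://sites.google.com/view/account-verify-placeholder
Or review your settings at https://myaccount.google.com/security
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Google domains that host user-created content; an account or verification
# page is never served from here, so a link pointing there is a red flag.
USER_HOSTED_GOOGLE = {"sites.google.com"}

def is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")

def sender_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def text_body(msg):
    # Collect every text/plain part so multipart mail is covered too.
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(parts)

def classify_links(raw):
    """Return (url, reason) pairs for links worth flagging or blocking."""
    msg = message_from_string(raw)
    claims_google = is_google_host(sender_domain(msg))
    findings = []
    for url in URL_RE.findall(text_body(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host in USER_HOSTED_GOOGLE:
            findings.append((url, "user-hosted Google page, not an account portal"))
        elif claims_google and not is_google_host(host):
            findings.append((url, "sender claims Google but link leaves google.com"))
    return findings
```

Run against the sample, only the sites.google.com link is flagged; the myaccount.google.com link passes, which is the distinction a domain-only filter misses.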

If a Google account is compromised, the damage can extend far beyond email. Services tied to the account—such as Google Drive, Photos, and Calendar—can also be accessed. In addition, many people use Google accounts to log into third-party services, creating a potential chain reaction that exposes social media, shopping, and even financial accounts.

Security researchers had flagged similar tactics before the feature’s broader rollout, noting that attackers previously used Google-related infrastructure to distribute phishing emails. While Google said its systems were not breached, experts stress that new features often become immediate targets.

Users are advised to watch for red flags such as generic greetings, urgent threats, and requests to enter passwords through email links. Instead of clicking, they should manually open their browser and log into their Google account to check for real security alerts. Enabling two-factor authentication, using strong unique passwords, and staying cautious with unsolicited emails remain key defenses.