Google to Gmail users: Coronavirus phishing is targeting you. This is how we hit back

Google is adapting its machine-learning models for Gmail security to battle scammers, cybercriminals, and state-sponsored hackers exploiting fear over the COVID-19 coronavirus pandemic in phishing email attacks. 

The company says it blocked 18 million COVID-19 themed phishing emails last week. The blocked COVID-19 phishing emails targeting Gmail users would represent about 2.5% of the 100 million phishing emails Google said in 2019 it blocks daily. Google is also blocking 240 million COVID-related daily spam messages each day. 

The surge in coronavirus-themed phishing email and spam has prompted both Microsoft and Google to adjust product strategies to help protect customers from attackers. 

There hasn’t been an increase in overall phishing attacks, but attackers are tweaking messages to fit what’s likely to work under the current circumstances.

“We have put proactive monitoring in place for COVID-19-related malware and phishing across our systems and workflows. In many cases, these threats are not new – rather, they’re existing malware campaigns that have simply been updated to exploit the heightened attention on COVID-19,” Google said in a blogpost by Neil Kumaran, a product manager for Gmail Security, and Sam Lugani, a lead Security product marketing manager for G Suite and the GCP platform. 

The examples Google highlights are phishing email impersonating the World Health Organization (WHO) to dupe victims into donating to a fraudulent account or to distribute malware.

This tactic lines up with reports from Microsoft’s threat-intelligence teams, which found that coronavirus-themed attack email from scammers and cybercriminals have just been repurposed from older attacks.  

“We’re seeing a changing of lures, not a surge in attacks,” said Rob Lefferts, corporate vice president of Microsoft 365 Security

Following a Reuters report in March that state-sponsored attackers had targeted the World Healthcare Organization, Microsoft this week made AccountGuard available at no cost to healthcare providers and to human-rights and humanitarian organizations across the globe. 

The additional protection offers an anti-phishing shield to email accounts owned by highly targeted groups, such as people who work for political and human-rights organizations.   

Google’s equivalent, the Advanced Protection Program (APP), also recently gained new malware protections by automatically enabling Google Play Protect on Android devices with accounts enrolled in the program.

Last year it also made it easier for Gmail users to join APP by allowing enrollment with a smartphone’s security key instead of only physical security keys. The company in March claimed that no Gmail users enrolled in APP have been phished to date.  

However, Google has temporarily suspended enrollments for users who attempt to join the program with a phone’s built-in security key due to changes forced on it by the pandemic. Users with physical security keys can still enroll.

“Due to COVID-19, we’re making changes to protect the health of our workforce, resulting in changes to our enrollment process,” Google says on the Advanced Protection Program landing page

“While you can still enroll with two physical security keys, we are temporarily suspending enrollment with your phone’s built-in security key. If you are interested in enrolling with your phone’s built-in security key, join our waitlist.” 

Google notes that G Suite’s advanced phishing and malware controls are turned on by default, ensuring that all G Suite users automatically have these proactive protections in place. 

2020-04-161.png
Google has temporarily suspended enrollments for users who attempt to join the program with a phone’s built-in security   Image: Google

Hot this week

The Hidden Costs of Overengineering Security

Complex security systems often create more vulnerabilities than they prevent by overwhelming teams with noise and maintenance demands while missing actual threats.

The True Cost of Chasing Compliance Over Security

Compliance frameworks create a false sense of security while modern threats evolve beyond regulatory requirements. Learn how to build actual protection rather than just checking boxes.

The Hidden Risk of Over Reliance on AI Security Tools

Over reliance on AI security tools creates dangerous blind spots by weakening human analytical skills. True resilience comes from balancing technology with continuous team training and critical thinking.

The Quiet Dangers of Overlooking Basic Security Hygiene

Basic security hygiene prevents more breaches than advanced tools, yet most teams overlook fundamentals while chasing sophisticated threats.

Your Password Strategy Is Wrong and Making You Less Secure

The decades-old advice on password complexity is forcing users into insecure behaviors. Modern security requires a shift to passphrases, eliminating mandatory rotation, and embracing passwordless authentication.

Topics

The Hidden Costs of Overengineering Security

Complex security systems often create more vulnerabilities than they prevent by overwhelming teams with noise and maintenance demands while missing actual threats.

The True Cost of Chasing Compliance Over Security

Compliance frameworks create a false sense of security while modern threats evolve beyond regulatory requirements. Learn how to build actual protection rather than just checking boxes.

The Hidden Risk of Over Reliance on AI Security Tools

Over reliance on AI security tools creates dangerous blind spots by weakening human analytical skills. True resilience comes from balancing technology with continuous team training and critical thinking.

The Quiet Dangers of Overlooking Basic Security Hygiene

Basic security hygiene prevents more breaches than advanced tools, yet most teams overlook fundamentals while chasing sophisticated threats.

Your Password Strategy Is Wrong and Making You Less Secure

The decades-old advice on password complexity is forcing users into insecure behaviors. Modern security requires a shift to passphrases, eliminating mandatory rotation, and embracing passwordless authentication.

Why API Security Is Your Biggest Unseen Threat Right Now

APIs handle most web traffic but receive minimal security attention, creating massive unseen risks that traditional web security tools completely miss.

Security Teams Are Asking the Wrong Questions About AI

Banning AI tools is a failing strategy that creates shadow IT. Security teams must pivot to enabling safe usage through approved tools, clear guidelines, and employee training.

The Illusion of Secure by Default in Modern Cloud Services

Moving to the cloud does not automatically make you secure. Default configurations often create significant risks that organizations must actively address through proper tools and processes.
spot_img

Related Articles

Popular Categories