Google is rolling out a sweeping redesign of its popular Gmail service, but federal cybersecurity authorities warn that a key new feature on the system could make its 1.4 billion users more susceptible to dangerous phishing attacks that compromise users’ vital personal information.
The Department of Homeland Security issued an intelligence note, obtained by ABC News, warning users of the “potential emerging threat … for nefarious activity” with the new Gmail redesign. Because the new feature — called “Confidential Email” — requires users to click a link in order to access confidential emails, according to the DHS alert issued May 24, Google has essentially created an opportunity where “malicious cyber actors could exploit the recent Gmail redesign.
Eyal Benishti, CEO & Founder at IRONSCALES:
“Phishing is already a prevalent threat individuals and organisations face, and features like the one introduced by Google in this case is just making it even easier for nefarious actors to exploit victims. It is so difficult for even trained eyes to spot a sophisticated phishing attempt- how are users meant to differentiate between a real ‘confidential link’ and a fake? Of course, it will be near impossible- exactly what the criminals want.
Until this feature is revoked by Gmail, it is imperative to help users identify well-crafted impersonation techniques, in order to avoid a potential cybersecurity incident. By employing mailbox level detection that tracks user behaviour analysis and sender reputation scoring to build a picture of what is deemed normal behaviour, anomalies in communications and meta data are easily spotted and automatically flagged as suspicious, in tandem providing a mechanism for employees that do spot something amiss in a message to report their findings via inmail alerts, which together allows quick reporting via an augmented email experience, helping the user make better decisions that ultimately helps protect the enterprise.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.