
Hackers are so skilled at creating fake Google emails that even security professionals are falling for their tricks.

Google’s own services are now being used by cybercriminals to produce phishing emails that appear so authentic that even experts are falling for them. These emails, which come from official-looking addresses such as “no-reply@google.com,” alert the recipient to an urgent court summons tied to a supposed police investigation into their Google account.
The attackers are building fake help portals and phishing pages with Google Sites, a trusted web-building tool. The phishing email looks like an official legal warning and links to what appears to be a Google page, but the link actually leads to an attacker-controlled page hosted on sites.google.com.
The Reason It Gets Around Security
According to security firm EasyDMARC, the fraud deftly passes DKIM authentication, the check that normally exposes forged email. The trick? Scammers simply put the entire phishing message into the name of a phony Google Sites application. Google then automatically sends a notification email from its own servers; because that email genuinely originates from Google, it passes checks like DKIM and looks authentic.
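As an added defensive illustration (not code from the article or from EasyDMARC), the Python check below shows why a DKIM pass alone is not a verdict: it parses a constructed sample message, confirms the DKIM pass for google.com, and flags the combination of legal-pressure wording with links to Google hosts where anyone can publish content, such as sites.google.com. The sample headers, the keyword list and the host list are constructed assumptions, not values from the page.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a genuinely Google-signed notice whose body links to a
# user-published Google Sites page rather than an official Google page.
SAMPLE_EMAIL = """\
From: Google <no-reply@google.com>
To: victim@example.com
Subject: Security Alert: legal notice regarding your Google Account
Authentication-Results: mx.example.com; dkim=pass header.d=google.com; spf=pass
Content-Type: text/plain

A subpoena has been issued for data in your Google Account.
Review the case here: https://sites.google.com/view/legal-notice-ref-0000
"""

LEGAL_PRESSURE = re.compile(r"\b(subpoena|court|summons|law enforcement|legal)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Google-owned hosts where any account can publish content (assumed list):
# a link here is a weak trust signal even under a valid Google DKIM signature.
USER_HOSTED = ("sites.google.com", "docs.google.com", "drive.google.com")

def dkim_passed(msg: Message, domain: str) -> bool:
    """True if the receiving MTA recorded a DKIM pass for the given signing domain."""
    for hdr in msg.get_all("Authentication-Results", []):
        if re.search(rf"dkim=pass\b.*header\.d={re.escape(domain)}\b", hdr, re.I):
            return True
    return False

def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def score_google_notice(raw: str) -> dict:
    """Flag a Google-signed message that applies legal pressure and links to user-hosted Google content."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    user_hosted = [u for u in URL_RE.findall(text)
                   if any(h in u.lower() for h in USER_HOSTED)]
    findings = {
        "dkim_google_pass": dkim_passed(msg, "google.com"),
        "legal_pressure": bool(LEGAL_PRESSURE.search(text)),
        "user_hosted_links": user_hosted,
    }
    # A valid signature proves Google sent it, not that the content is Google's.
    findings["suspicious"] = (findings["dkim_google_pass"]
                              and findings["legal_pressure"] and bool(user_hosted))
    return findings
```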
Google’s Reaction
Ross Richendrfer, a spokesman for Google’s Gmail Security Communications, acknowledged the attack vector and said:
Prominent people have already fallen victim to the fraud, including Nick Johnson, the developer of Ethereum Name Service, who reported the problem as a security flaw. Google initially said the behavior was “working as intended,” but after public criticism the company began developing a fix to close the vulnerability.
