Google security checkup emails have been hitting inboxes over the past few days. The purpose of the emails is to get Google account holders to check their security settings because weaknesses have been found in how their accounts are configured, weaknesses that a malicious actor could exploit to take control of the account and read the sensitive information it contains.
The Google security emails may have been sent with the best intentions; however, the format, design, and wording of the emails bear an uncanny resemblance to phishing emails. Many recipients of the Google security checkup emails have questioned the authenticity of the emails via social media.
The emails have the subject line “Resolve X Security Issues on your Google Account” where X is the number of issues Google has discovered that make the account vulnerable. Similarly themed emails warning of security problems with accounts are commonly sent by cybercriminals.
The body of the emails is also somewhat phishy. There is urgency, with users told to take action to make their accounts more secure, and the details supplied are vague. Clicking on the link takes the user to a page that asks for the login details of their Google account, which is exactly how credential-phishing pages harvest passwords.
While the emails sent by Google are genuine, the mass mailing is unlikely to have escaped the attention of scammers. It would be easy to recreate an email that looks almost identical to those sent by Google, and such a copy could easily fool users into clicking and handing their credentials to the scammers. The safe response, for the genuine emails as much as for any copy, is to ignore the link and open the security checkup by navigating to the Google account settings directly.
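The point in the last three paragraphs is that the content-level warning signs (the "Resolve X Security Issues" subject, the urgency, the sign-in link) are present in the genuine mail, so they cannot distinguish it from a copy; only message authentication and the destination of the link can. The following is an added example, not code from the original article or from Google, that runs both kinds of check over two constructed messages: a sample modelled on the traits the article describes and a look-alike that reuses the same wording but fails DKIM and links to a non-Google host. The sender domain, link host, and the `mx.example.com` authserv-id are assumptions for the sake of the example, not details taken from the real email.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample messages (assumption: addresses, hosts and link targets are
# illustrative, not copied from the real Google mail).
GENUINE = """\
From: Google <no-reply@accounts.google.com>
To: user@example.com
Subject: Resolve 2 Security Issues on your Google Account
Authentication-Results: mx.example.com; dkim=pass header.d=accounts.google.com; spf=pass smtp.mailfrom=accounts.google.com
Content-Type: text/plain

We found 2 security issues on your account. Take action now to keep your
account secure: https://myaccount.google.com/security-checkup
"""

LOOKALIKE = """\
From: Google <no-reply@accounts.google.com>
To: user@example.com
Subject: Resolve 3 Security Issues on your Google Account
Authentication-Results: mx.example.com; dkim=none; spf=fail smtp.mailfrom=accounts-google.example
Content-Type: text/plain

We found 3 security issues on your account. Take action now to keep your
account secure: https://accounts-google.example/security-checkup
"""

# Assumption: the Authentication-Results header was stamped by our own inbound
# MTA, identified by this authserv-id. A header with any other id could have
# been forged by the sender and must be ignored.
OUR_AUTHSERV_ID = "mx.example.com"

SUBJECT_RE = re.compile(r"resolve \d+ security issues? on your google account", re.I)
URGENCY_RE = re.compile(r"\b(take action|now|immediately|urgent)\b", re.I)
URL_RE = re.compile(r'https?://[^\s<>"]+')


def _is_google_host(host):
    # Assumption: legitimate Google account pages live under google.com.
    host = host.lower()
    return host == "google.com" or host.endswith(".google.com")


def phishy_signals(raw):
    """Content heuristics the article lists. Both samples trip all of them,
    which is why these signals alone cannot separate genuine from fake."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_content()
    return {
        "security_issue_subject": bool(SUBJECT_RE.search(msg["Subject"] or "")),
        "urgency": bool(URGENCY_RE.search(body)),
        "sign_in_link": bool(URL_RE.search(body)),
    }


def authenticity_checks(raw):
    """Checks that do separate the two: a DKIM pass for a Google domain, reported
    by our own MTA, and every link in the body pointing at a Google host."""
    msg = message_from_string(raw, policy=default)
    auth = msg["Authentication-Results"] or ""
    authserv_id = auth.split(";", 1)[0].strip()
    dkim_domain = None
    if authserv_id == OUR_AUTHSERV_ID:
        m = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth)
        dkim_domain = m.group(1) if m else None
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(msg.get_content())]
    return {
        "dkim_pass_google": dkim_domain is not None and _is_google_host(dkim_domain),
        "all_links_google": bool(hosts) and all(_is_google_host(h) for h in hosts),
    }


def verdict(raw):
    """Trust the message only when every authenticity check passes."""
    return "plausibly genuine" if all(authenticity_checks(raw).values()) else "treat as phishing"


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, phishy_signals(raw), authenticity_checks(raw), verdict(raw))
```

Running it shows both messages scoring identically on the content heuristics, while only the constructed genuine sample passes the DKIM and link-host checks. Even the passing result is no stronger than the assumption that the Authentication-Results header came from your own mail server; a user without access to headers is better served by the advice above, which is to open the account settings directly rather than follow the link.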
Some security experts have voiced their concern on social media sites about the Google security checkup emails, suggesting that by sending emails in this format, Google is conditioning end users into thinking emails such as these are genuine. Many users could fall for similar phishing emails that arrive in their inboxes as a result. The format of the emails reinforces bad security hygiene, even though the emails are intended to get users to act and improve security on their accounts.
Google was contacted about the phishy security alerts by Motherboard and explained that the emails were the result of extensive testing, with this format chosen because it produced the highest click rates. The lack of detail in the emails was also deliberate, so as not to tip off attackers about what was wrong with the accounts.
The high response rate to the emails also shows how susceptible users are to phishing emails impersonating Google, and the importance of providing security awareness training to employees. The Google security checkup emails would be good templates to add to phishing simulation exercises to test how likely employees are to respond to phishing emails spoofing Google.