Google to Gmail users: Coronavirus phishing is targeting you. This is how we hit back

But pandemic means you now can't enroll in Google's Gmail anti-phishing program using a smartphone's security key.
Written by Liam Tung, Contributing Writer

Google is adapting its machine-learning models for Gmail security to battle scammers, cybercriminals, and state-sponsored hackers exploiting fear over the COVID-19 coronavirus pandemic in phishing email attacks. 

The company says it blocked 18 million COVID-19 themed phishing emails last week. The blocked COVID-19 phishing emails targeting Gmail users would represent about 2.5% of the 100 million phishing emails Google said in 2019 it blocks daily. Google is also blocking 240 million COVID-related daily spam messages each day. 

The surge in coronavirus-themed phishing email and spam has prompted both Microsoft and Google to adjust product strategies to help protect customers from attackers. 

There hasn't been an increase in overall phishing attacks, but attackers are tweaking messages to fit what's likely to work under the current circumstances.

SEE: IT pro's guide to the evolution and impact of 5G technology (free PDF)

"We have put proactive monitoring in place for COVID-19-related malware and phishing across our systems and workflows. In many cases, these threats are not new – rather, they're existing malware campaigns that have simply been updated to exploit the heightened attention on COVID-19," Google said in a blogpost by Neil Kumaran, a product manager for Gmail Security, and Sam Lugani, a lead Security product marketing manager for G Suite and the GCP platform. 

The examples Google highlights are phishing email impersonating the World Health Organization (WHO) to dupe victims into donating to a fraudulent account or to distribute malware.

This tactic lines up with reports from Microsoft's threat-intelligence teams, which found that coronavirus-themed attack email from scammers and cybercriminals have just been repurposed from older attacks.  

"We're seeing a changing of lures, not a surge in attacks," said Rob Lefferts, corporate vice president of Microsoft 365 Security

Following a Reuters report in March that state-sponsored attackers had targeted the World Healthcare Organization, Microsoft this week made AccountGuard available at no cost to healthcare providers and to human-rights and humanitarian organizations across the globe. 

The additional protection offers an anti-phishing shield to email accounts owned by highly targeted groups, such as people who work for political and human-rights organizations.   

Google's equivalent, the Advanced Protection Program (APP), also recently gained new malware protections by automatically enabling Google Play Protect on Android devices with accounts enrolled in the program.

Last year it also made it easier for Gmail users to join APP by allowing enrollment with a smartphone's security key instead of only physical security keys. The company in March claimed that no Gmail users enrolled in APP have been phished to date.  

However, Google has temporarily suspended enrollments for users who attempt to join the program with a phone's built-in security key due to changes forced on it by the pandemic. Users with physical security keys can still enroll.

SEE: Google Meet now available via Gmail for G Suite customers

"Due to COVID-19, we're making changes to protect the health of our workforce, resulting in changes to our enrollment process," Google says on the Advanced Protection Program landing page

"While you can still enroll with two physical security keys, we are temporarily suspending enrollment with your phone's built-in security key. If you are interested in enrolling with your phone's built-in security key, join our waitlist." 

Google notes that G Suite's advanced phishing and malware controls are turned on by default, ensuring that all G Suite users automatically have these proactive protections in place. 


Google has temporarily suspended enrollments for users who attempt to join the program with a phone's built-in security  

Image: Google
Editorial standards