Cybersecurity experts are warning Gmail users about scams exploiting a new Google feature that lets users create a new address while keeping their old one as an alias.
The update, rolled out earlier this month, is meant to help users replace old email addresses.
But scammers are sending fraudulent emails about the change, attempting account takeovers and phishing attacks.
The messages often claim a ‘Gmail address change’ or request security confirmation, appearing convincing because they come from real Google addresses like [email protected] .
Victims are instructed to confirm a new address or verify their account, with links that appear like official Google support pages.
In reality, the links lead to fake websites hosted on sites.google.com, designed to mimic Google’s login and security screens.
If attackers succeed, they can access Gmail and all connected Google services, including Drive, Photos, Calendar, and third-party accounts linked to Google logins.
Users are advised to delete any suspicious emails and avoid clicking on links or sharing personal information.
Gmail users should be on the look out for malicious emails asking them to verify their accounts
Daily Mail has contacted Google for comment.
Google launched the feature that lets users replace their existing @gmail.com address with a new one.
Tech expert Kurt Knutsson wrote for FOX News: ‘Given that Gmail has close to 2 billion active accounts, this update affects almost everyone.
‘It also helps people who stopped using an old Gmail address tied to a past job, a move or a major life change.’
However, taking advantage of the update does not mean users lose their past emails.
Your existing inbox and all past emails will remain intact, Knutsson explained.
Files and folders stored in Google Drive will stay in place, along with your Google Photos and backup data.
Any purchase history, subscriptions, or connected services linked to your account will also be preserved.
Emails claiming a ‘Gmail address change’ or requesting a security confirmation are now circulating, appearing particularly convincing because they come from real Google addresses like ‘[email protected]’
However, cybercriminals are taking advantage of the welcome update with a new scam campaign.
Even the most convincing phishing emails often contain warning signs if you know what to look for.
Cyber experts warned that one red flag is a generic greeting, such as ‘Dear customer,’ instead of your real first and last name.
Another warning is urgent language that threatens account suspension, deletion, or financial consequences, which is intended to make you act without thinking.
Emails asking you to enter passwords or other sensitive information through a link are particularly dangerous.
These links often lead to fake websites designed to look like Google’s official pages, allowing scammers to steal your login credentials.
Google advises users never to click links in emails and to check security alerts directly through their accounts.
By manually opening a browser and navigating to your Google account, you can verify alerts, which will usually include details such as the device used, time, and location of access.
Last week, it was revealed that millions of Gmail users’ credentials had been leaked online.
Cybersecurity researcher Jeremiah Fowler uncovered a database of 149 million compromised credentials.
The largest batch of stolen credentials was from Gmail, with an estimated 48 million, followed by Facebook with 17 million, 6.5 million were linked to Instagram, four million from Yahoo Mail, Netflix credentials totaled to around 3.4 million and there were 1.5 million from Outlook.
Other notable login information was linked to iCoud, .edu, TikTok, OnlyFans and Binance.
