
Gmail DKIM replay phishing scam: How cybercriminals bypass Google’s security and what you must do to stay safe

A dangerous new scam uses authentic Google emails and clever phishing tactics to steal credentials — experts warn of widespread risks.

A new Gmail phishing campaign has emerged that uses a method called DKIM (DomainKeys Identified Mail) replay to trick recipients into believing that emails are genuinely from Google. According to cybersecurity firm Innefu Labs, attackers have found a way to reuse Google’s valid digital email signatures, bypassing traditional spam and phishing detection systems.

The emails appear legitimate and come with alarming messages about subpoenas, legal notices, or urgent data handovers — psychological tactics meant to pressure the reader into clicking malicious links.


🔍 How the DKIM Replay Phishing Works

Step-by-step breakdown:

  1. Capture of a Legitimate Email:

    • Attackers first intercept or receive a genuine, signed email from Google, such as a security alert or system notification.

    • This email contains a valid DKIM signature – a cryptographic signature added by Google’s mail servers that receiving systems verify to confirm the email really came from Google.

  2. Replay with Malicious Intent:

    • The hackers then “replay” this message by resending it to other users, sometimes altering links within the email to redirect to malicious sites.

    • Despite being altered, the email still passes DKIM verification, which tricks Gmail and other systems into trusting it.

  3. Use of Google-Owned Infrastructure:

    • The phishing emails often include links that lead to web pages hosted on sites.google.com — a Google-owned domain.

    • This further increases credibility in the eyes of recipients and avoids spam filters.

  4. Phishing Execution:

    • On the spoofed landing page, victims are prompted to log in or enter sensitive credentials, thinking it’s a secure Google platform.

    • These details are then harvested by the attackers.


📉 Why This Scam Is So Dangerous

  • Bypasses Google’s Security Protocols: Traditional email filters that rely on DKIM, SPF, and DMARC pass the email as authentic.

  • Uses Google’s Own Infrastructure: Makes it harder to detect because users are being redirected to what looks like a legitimate Google domain.

  • Psychological Manipulation: The mention of legal subpoenas or government data requests creates urgency and fear.

  • Highly Scalable: Once a valid email is obtained, it can be replicated and sent to thousands of users.


🛡️ How to Protect Yourself

  1. Enable Two-Factor Authentication (2FA):

    • Google recommends using 2FA or passkeys to prevent unauthorized access, even if your credentials are stolen.

  2. Never Click Links in Suspicious Emails:

    • If you’re unsure about an email, type the URL directly into your browser instead of clicking embedded links.

  3. Inspect the Email Header:

    • Use Gmail’s “Show Original” feature to examine DKIM and SPF details — although this is more for advanced users.

  4. Stay Updated on Scams:

    • Regularly follow cybersecurity advisories from trusted sources like Google, CERT, and security blogs.

  5. Use Security Software with Phishing Protection:

    • Enable tools or plugins that warn against phishing attempts, even those hosted on deceptive domains.
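The following is an added example, not code from the article or from Innefu Labs or Google, showing what the “Show Original” inspection in step 3 above can look for, and why the replay described in the “How the DKIM Replay Phishing Works” section still verifies: a DKIM signature covers only the headers listed in its h= tag plus a body hash, so a copy of a genuine Google message can be delivered to a new recipient and still pass. The sample message, its selector, hashes, timestamps and URL are all constructed; the seven-day age threshold and the list of user-content hosts are assumptions for illustration, not thresholds Google uses.

```python
import re
import time
from email import message_from_string
from typing import Dict, List

# Constructed sample in the form Gmail's "Show Original" displays a message.
# Every value below (selector, hashes, signature, timestamp, URL) is made up.
SAMPLE_RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=accounts.google.com;\n"
    " s=20230601; h=mime-version:date:message-id:subject:from;\n"
    " bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=; t=1713000000\n"
    "From: Google <no-reply@accounts.google.com>\n"
    "To: victim@example.com\n"
    "Date: Sat, 13 Apr 2024 10:00:00 +0000\n"
    "Message-ID: <constructed-id@accounts.google.com>\n"
    "Subject: Security alert\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "A subpoena has been issued for your account. Review it here:\n"
    "https://sites.google.com/view/constructed-example-page\n"
)

MAX_SIGNATURE_AGE_SECONDS = 7 * 24 * 3600   # assumed threshold, not a Google value
USER_CONTENT_HOSTS = ("sites.google.com",)  # user-editable host named in the article


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 syntax).
    Folding whitespace inside values such as b= and h= is removed."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def extract_links(body: str) -> List[str]:
    """Return every http(s) URL found in a plain-text body."""
    return re.findall(r"https?://[^\s<>\"']+", body)


def assess_replay_risk(raw_message: str, now: float) -> List[str]:
    """Return findings that suggest a replayed, still-valid DKIM-signed message.
    A passing signature proves who signed the message, not that this copy
    was sent to you, or sent recently."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    dkim = msg.get("DKIM-Signature")
    if dkim is None:
        return ["no DKIM-Signature header present"]
    tags = parse_dkim_tags(dkim)

    # 1. Is the recipient bound by the signature? If "to" is absent from h=,
    #    the identical signed message verifies for anyone it is resent to.
    signed_headers = [h.lower() for h in tags.get("h", "").split(":") if h]
    if "to" not in signed_headers:
        findings.append("To header is not covered by the DKIM signature (h=)")

    # 2. Signature age: a replay reuses a signature made long before delivery.
    if "t" in tags:
        age = now - int(tags["t"])
        if age > MAX_SIGNATURE_AGE_SECONDS:
            findings.append(f"DKIM signature is {int(age // 86400)} days old")
    if "x" in tags and now > int(tags["x"]):
        findings.append("DKIM signature has expired (x=)")

    # 3. Links that lead to user-hosted Google content rather than the signing domain.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in extract_links(body):
        host = re.match(r"https?://([^/]+)", url).group(1).lower()
        if host in USER_CONTENT_HOSTS:
            findings.append(f"link points to user-hosted content: {url}")

    return findings


if __name__ == "__main__":
    for finding in assess_replay_risk(SAMPLE_RAW, time.time()):
        print(" -", finding)
```

None of these findings proves an email is malicious on its own; they are the indicators a reader (or a mail filter) should weigh alongside the subpoena-style urgency the article describes, and a message that trips all three deserves the “type the URL yourself” treatment from step 2.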


🗣️ Expert Commentary

Tarun Wig, Co-founder and CEO of Innefu Labs, stated:

“This is one of the most sophisticated phishing attacks we’ve seen. It bypasses traditional filters and appears entirely legitimate to most users. This isn’t a loophole in Google’s system, but rather a clever exploitation of trust-based email verification.”

He further emphasized that while Google has not technically done anything wrong, the loophole exploits a fundamental flaw in how email trust is built, especially with third-party usage of previously signed emails.


📬 What Google Has Said

Google has acknowledged the issue, stating that their systems are equipped with additional protections against such abuses and that they are actively working to prevent exploitation of their infrastructure.

They also remind users to:

  • Use strong passwords.

  • Enable passkeys or 2-step verification.

  • Regularly review account activity.


🧠 Conclusion

This new Gmail phishing scam represents a dangerous evolution in cyber threats. By exploiting digital trust mechanisms like DKIM and hosting malicious content on Google’s own services, attackers are making it harder than ever for users to distinguish real from fake.

Your best defense is vigilance, education, and the use of strong authentication tools.
