Gmail’s New Encrypted Messages Feature Opens a Door for Scams

Google announced astatine the opening of April that it is launching a streamlined instrumentality that volition let concern users to easy nonstop “end-to-end encrypted” emails—an effort to code the longstanding situation of adding further information protections to email messages. The diagnostic is presently successful beta for endeavor users to effort retired wrong their ain organization. It volition past grow to let Google Workspace users to nonstop end-to-end encrypted emails to immoderate Gmail user. By the extremity of the year, the diagnostic volition let Workspace users to nonstop the much unafraid emails to immoderate inbox. Email spam and integer fraud researchers warn, though, that portion the diagnostic volition supply a caller enactment for email privateness and security, it volition besides inevitably spawn caller phishing attacks.

End-to-end encryption is simply a extortion that keeps information scrambled astatine each times but connected the sender and recipient's devices, and it is hard to adhd to the historical email protocol. Mechanisms to bash it are typically precise analyzable and costly to instrumentality and lone marque consciousness for ample organizations trying to conscionable circumstantial compliance requirements. In contrast, Google's end-to-end encrypted email instrumentality is elemental to usage and doesn't necessitate important IT overhead. The script integer fraud researchers are astir acrophobic about, though, relates to the script wherever a Workspace idiosyncratic sends an end-to-end encrypted email to a non-Gmail user.

“When the recipient is not a Gmail user, Gmail sends them an invitation to presumption the E2EE email successful a restricted mentation of Gmail,” Google wrote successful a blog post. “The recipient tin past usage a impermanent Google Workspace relationship to securely presumption and reply to the email.”

The fearfulness is that scammers volition instrumentality vantage of this caller and much unafraid connection mechanics by creating fake copies of these invitations that incorporate malicious links, and punctual targets to participate their login credentials for their email, azygous sign-on services, oregon different accounts.

“Looking astatine Google's implementation, we tin spot it introduces a caller workflow for non-Gmail users—receiving a nexus to presumption an email,” says Jérôme Segura, elder manager of menace quality astatine Malwarebytes. “Users mightiness not yet beryllium acquainted with precisely what a morganatic invitation looks like, making them much susceptible to clicking connected a fake one.”

Given email's method limitations, Google created a mode for an organization's Workspace to automatically negociate keys—used to descramble encrypted messages. Key absorption is what makes end-to-end encrypting email truthful difficult, truthful offering a solution that is casual for customers is simply a departure from what's presently available. The information that the organization's Workspace controls the keys alternatively than storing them locally connected a sender and recipient's devices does mean that the diagnostic doesn't rather suffice arsenic end-to-end encryption successful the strictest consciousness of the term. But researchers accidental that for usage cases similar concern compliance, the instrumentality could inactive beryllium highly useful. And individuals who privation end-to-end encrypted communications should conscionable usage a purpose-built app similar Signal.

When Gmail users person 1 of the caller encrypted emails from a Google Workspace user, Google's extended array of dynamic spam filters and fraud detection mechanisms volition beryllium successful play to support against spam, phishing, and rogue imposters broadly. But email users extracurricular the Google ecosystem volition besides beryllium capable to person encrypted email invitations, which makes the work disposable to anyone, but besides volition permission non-Google users to their ain devices.