New Gmail feature could open more users to phishing risks: Government officials

The Department of Homeland Security commented on a Gmail redesign.

July 17, 2018, 5:33 PM

Google is rolling out a sweeping redesign of its popular Gmail service, but federal cybersecurity authorities warn that a key new feature on the system could make its 1.4 billion users more susceptible to dangerous phishing attacks that compromise users’ vital personal information.

The Department of Homeland Security issued an intelligence note, obtained by ABC News, warning users of the "potential emerging threat ... for nefarious activity" with the new Gmail redesign. According to the DHS alert issued May 24, because the new feature -- called "Confidential Email" -- requires users to click a link in order to access confidential emails, Google has essentially created an opportunity where "malicious cyber actors could exploit the recent Gmail redesign."

The intelligence note was distributed to law enforcement personnel and those who handle cybersecurity for private computer networks. It was published as part of DHS’ ongoing effort to keep up with emerging threats that could pose a danger to critical computer infrastructure like the computer networks operated by government agencies, banks and major businesses.

"We have reached out to Google to inform them of intelligence relevant to their services and to partner to improve our mutual interests in cybersecurity," Lesley Fulop, a Department of Homeland Security spokeswoman, told ABC News.

Google officials acknowledged that DHS has raised concerns, but stressed that the new features pose no additional security risk beyond what people are already exposed to online.

"Confidential Email" gives recipients access to content via a link and is designed to allow senders to prevent the forwarding, copying, downloading or printing of emails; set an expiration date for confidential emails so the email is no longer accessible after that date; protect emails by requiring recipients to go through a two-step security protocol; and revoke access to confidential emails -- even after they have been sent -- so the recipient can no longer access them.

Photo: The new Google logo is displayed at the Google headquarters, Sept. 2, 2015 in Mountain View, Calif. (Justin Sullivan/Getty Images, FILE)

But the feature “presents an opportunity for malicious cyber actors to mimic the e-mail message and phish unwary users,” according to the DHS intelligence note. Hackers use so-called phishing attacks to get users to input their personal information online, often by clicking seemingly trustworthy links.

Brooks Hocog, a Google spokesman, said the company is committed to ensuring the security of its users’ personal information and employs tools to protect that information. Google, he said, uses its “machine learning” algorithms -- a kind of artificial intelligence -- to detect whether incoming emails are potential phishing attempts, and it uses image scans to find any hidden malicious content in emails.

Such efforts, among others, have led to the filtering out of more than 99.9 percent of phishing attempts in Gmail, Google said.

John Cohen, an ABC News contributor and former acting undersecretary of the Department of Homeland Security, said the concern about the new confidential email system is that it “may actually place users at a higher risk because it may support a pattern of behavior where people click on links they receive.”

Criminals, terrorist groups and foreign intelligence services are increasingly using cyberattacks to gain access to sensitive information, Cohen warned, adding that “in today’s threat environment, cybersecurity is a shared responsibility; nothing is more critical to the government, the private sector and the general public.”

Intelligence notes are common within the DHS but still serious, Cohen said. “They’re the primary method they use to provide updates and insights about emerging threats to private sector entities; state, local, and tribal governments; and sometimes other federal agencies,” he said.

Hocog, the Google spokesman, said the new Gmail redesign takes additional measures to try to protect users from email attacks, like emphasizing security warnings in suspicious emails. When it comes to the “Confidential Email” feature, Hocog noted that not all users will need to click links to access such messages, because the new Gmail redesign displays “Confidential Emails” automatically, meaning there is no extra clicking required.

Those who use the older Gmail app and web page will still have to click links, but they will not be asked to enter their personal information. The biggest risks could be faced by those who use third-party mail apps or desktop programs -- like Apple Mail or Outlook -- because they will continue to be asked to enter their Google account credentials when accessing a “Confidential Email.”

Senior staff technologist Jeremy Gillula of the not-for-profit Electronic Frontier Foundation, a digital rights group, said the “Confidential Email” feature is a step in the wrong direction when it comes to online security. “The potential security risk of clicking links outweighs benefits of the feature,” Gillula told ABC News, explaining that the feature conditions users to automatically click on links they receive.

Cohen, the ABC News contributor, acknowledged that while the tech industry has a responsibility to protect consumers’ information, the general public has a responsibility as well.

“Those who spend a lot of time on email systems or perusing the internet need to keep up to date on different cyberthreats that are out there,” Cohen said. “One person can place at risk an entire information system. So it’s very important people don’t click on links when receiving suspicious emails, especially if they don’t recognize the sender.”

When asked about the security of the new feature, Gillula expressed doubts about its ability to protect users. He said that “if someone’s dedicated they can get around [the security features] even with little technological prowess … ‘Confidential Email’ recipients can take a screenshot, save the HTML file -- which would retain the email’s original content -- or even take a picture of it on their phone.”

While he does not know how the Gmail feature compares to other email services, he said the best way to stay secure online is not to click on links in emails.

For now, users have to choose to opt in to the new Gmail system to access the “Confidential Email” feature, but they do not have to opt in to the new service in order to receive “Confidential Emails.” The company has announced that the redesign will replace the old system entirely by the end of this year.