
Gmail’s New Encrypted Messages Feature Opens a Door for Scams


Google announced at the beginning of April that it is launching a streamlined tool that will allow business users to easily send “end-to-end encrypted” emails—an effort to address the longstanding challenge of adding additional security protections to email messages. The feature is currently in beta for enterprise users to try out within their own organization. It will then expand to allow Google Workspace users to send end-to-end encrypted emails to any Gmail user. By the end of the year, the feature will allow Workspace users to send the more secure emails to any inbox. Email spam and digital fraud researchers warn, though, that while the feature will provide a new option for email privacy and security, it will also inevitably spawn new phishing attacks.

End-to-end encryption is a protection that keeps data scrambled at all times except on the sender’s and recipient’s devices, and it is difficult to add to the legacy email protocol. Mechanisms to do it are typically very complicated and costly to implement and only make sense for large organizations trying to meet specific compliance requirements. In contrast, Google’s end-to-end encrypted email tool is simple to use and doesn’t require significant IT overhead. The scenario that digital fraud researchers are most concerned about, though, is the case where a Workspace user sends an end-to-end encrypted email to a non-Gmail user.

“When the recipient is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail,” Google wrote in a blog post. “The recipient can then use a guest Google Workspace account to securely view and reply to the email.”

The fear is that scammers will take advantage of this new and more secure communication mechanism by creating fake copies of these invitations that contain malicious links, and prompt targets to enter their login credentials for their email, single sign-on services, or other accounts.

“Looking at Google’s implementation, we can see it introduces a new workflow for non-Gmail users—receiving a link to view an email,” says Jérôme Segura, senior director of threat intelligence at Malwarebytes. “Users might not yet be familiar with exactly what a legitimate invitation looks like, making them more susceptible to clicking on a fake one.”

Given email’s technical limitations, Google created a way for an organization’s Workspace to automatically manage keys—used to descramble encrypted messages. Key management is what makes end-to-end encrypting email so difficult, so offering a solution that is easy for customers is a departure from what’s currently available. The fact that the organization’s Workspace controls the keys, rather than storing them locally on the sender’s and recipient’s devices, does mean that the feature doesn’t quite qualify as end-to-end encryption in the strictest sense of the term. But researchers say that for use cases like business compliance, the tool could still be extremely useful. And individuals who want end-to-end encrypted communications should just use a purpose-built app like Signal.

When Gmail users receive one of the new encrypted emails from a Google Workspace user, Google’s extensive array of dynamic spam filters and fraud detection mechanisms will be in play to protect against spam, phishing, and impersonation more broadly. But email users outside the Google ecosystem will also be able to receive encrypted email invitations, which makes the service available to anyone but leaves non-Google recipients to fend for themselves.
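The article points out that non-Google recipients get no Gmail-side filtering, so their own mail gateway has to spot a forged "view your encrypted email" invitation. The following is an added example, not code from the article or from Google, showing the kind of check a defender could run on inbound mail: it looks for invitation-style lure wording, then flags links that resolve to hosts outside an allowlist, anchor text that displays a different host than the real `href`, and messages with no passing DKIM result. The article does not say which hosts a genuine invitation links to, so `TRUSTED_LINK_HOSTS` is a placeholder assumption the reader must replace after inspecting real invitations, and the two sample messages are constructed for this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION: the article does not document the real invitation's link hosts.
# This allowlist is a placeholder; replace it with hosts observed in genuine
# Gmail E2EE invitations before relying on the check.
TRUSTED_LINK_HOSTS = {"mail.google.com", "google.com"}

# Wording that an invitation-style lure is likely to use (heuristic).
LURE_PATTERNS = [
    r"encrypted (email|message)",
    r"view (the|this|your) (encrypted )?(email|message)",
    r"guest (account|access)",
]


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    # Exact match or a subdomain of a trusted host; a host that merely
    # *contains* a trusted name (e.g. "mail.google.com.evil.example") fails.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LINK_HOSTS)


def analyze_invitation(raw_message):
    """Return {'suspicious': bool, 'findings': [str]} for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""

    # Only messages that read like an encrypted-mail invitation are in scope.
    visible = re.sub(r"<[^>]+>", " ", body)
    if not any(re.search(p, visible, re.I) for p in LURE_PATTERNS):
        return {"suspicious": False, "findings": []}

    findings = []
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = _host(href)
        if not _trusted(host):
            findings.append(f"invitation lure links to untrusted host {host!r}")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append(
                f"anchor text shows {shown.group(1)!r} but href goes to {host!r}")

    # Simplified parse of Authentication-Results written by the receiving MTA.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM result on an invitation-style message")

    return {"suspicious": bool(findings), "findings": findings}


# Constructed samples (not real messages).
FORGED_INVITE = "\n".join([
    "From: Workspace Notice <notify@example-login.test>",
    "To: victim@example.test",
    "Subject: You have received an encrypted email",
    "Authentication-Results: mx.example.test; spf=fail; dkim=none",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<p>A colleague sent you an encrypted email.</p>",
    '<p><a href="https://mail.google.com.example-login.test/view">'
    "https://mail.google.com/view</a></p>",
])

PLAUSIBLE_INVITE = "\n".join([
    "From: Gmail <no-reply@google.com>",
    "To: victim@example.test",
    "Subject: An encrypted message is waiting for you",
    "Authentication-Results: mx.example.test; spf=pass; dkim=pass header.d=google.com",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<p>View the encrypted email in Gmail.</p>",
    '<p><a href="https://mail.google.com/mail/">Open message</a></p>',
])

if __name__ == "__main__":
    for name, raw in (("forged", FORGED_INVITE), ("plausible", PLAUSIBLE_INVITE)):
        print(name, analyze_invitation(raw))
```

The three checks are deliberately independent so a gateway can weight them: a lookalike host alone is a strong signal, a mismatched display URL is almost never legitimate, and a missing DKIM pass on its own is weak (plenty of legitimate mail lacks it) but adds weight when the lure wording is present.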


