All change for Gmail
NurPhoto via Getty Images
You are not ready for the threat landscape in 2025. None of us are. This new world is one in which attackers can scrape social media and target us with the familiar tone and content from those we know in ways we can’t detect. And it can do so on an industrial scale, automatically and instantly, all through AI. There is one thing you can do to secure your account before it’s too late.
Google is advancing its own AI defenses to combat these threats — but it can’t succeed, not entirely. And while the company says it now detects “more than 99.9% of spam, phishing and malware in Gmail… blocking unwanted and potentially dangerous messages before they even reached inboxes,” much of this relies on what we have seen before—patterns and trends. This new world changes everything, AI can tweak every email, polish copy, clinically match imagery, and even adapt on the fly.
Gmail is the world’s largest email platform, with some 2.5 billion users it says. As such it’s the world’s biggest email threat. Successfully attack Gmail and you open a world of opportunity. As McAfee warns for 2025, “the risks to trust and safety online have never been greater… That’s why it’s more important than ever for consumers to stay informed about these emerging threats.”
But as sophisticated as these advances might be, to succeed they rely on each of us making a mistake within our own ecosystems. Downloading and opening an attachment, clicking a link, entering information into a malicious website — not checking carefully and letting our guards down. And the one mistake we have all already made is being much too casual in providing our personal contact details.
SlashNext’s 2024 State of Phishing report painted exactly this picture, with “an unprecedented surge in attack volume,” the research team detected a “202% increase in phishing messages in the second half of 2024, and credential phishing attacks rising 703% in the same period.”
In practical terms this means every inbox attacked every week, with novel threats coming constantly. “Our analysis shows that 80% of malicious links in attacks are previously unknown zero-day threats, demonstrating that traditional threat intelligence and signature-based detection methods are increasingly ineffective against modern, AI-powered attack campaigns.”
And just as McAfee, Check Point and others now warn, the prospects for 2025 are much worse. “We expect this rapid evolution to accelerate, with AI-generated attacks becoming more sophisticated and harder to detect,” SlashNext says.
There are two types of attacks you need to worry about. The first is highly targeted, and will usually hit you at work. This is where the really powerful AI is being deployed, with attackers mapping organizations and conducting sophisticated operations to steal money or data or both. Successful detection requires user training, strict adherence to rules and IT security. But as The Financial Times warned last week, “phishing scams generated using AI may also be more likely to bypass companies’ email filters and cyber security training.”
The second is more hit and hope, but it’s where AI will have a much wider impact. Mass attacks targeting thousands of even hundreds of thousands of addresses at a time will change. Most of the fraudulent or malicious emails hooked by Google or hitting your Gmail inbox still remain detectable. Enhancing the quality and the look and feel of such phishing lures, and even combining them with calls or other messages from seemingly trusted sources will trick millions of users.
But outside of work, those attackers need an address to target. Your Gmail addresses will be found on countless lists and in multiple leaks. You can be certain of that. This is why Google’s new shielded email addresses are so critical. Expected to come in a 2025 upgrade, these will enable you to stop giving out your real Gmail address to people or companies that ask for them. You can use aliases linking back to your real address, and then switch those off if you find they’re being targeted. Apple’s similar system is a sure fire way of drastically reducing phishing mails.
Gmail didn’t get off to a good start on the security and privacy front, but it’s much better now and its new upgrades make it an account worth keeping. But only if you use the new security upgrades and common sense to ensure you don’t lose your Gmail account (and those it leads to) to hackers or simply through lack of use.
Last month, I advised Apple users to run a Safety Check on their accounts, available through iPhone’s Security & Privacy settings. Google users should do the same. “This will show you who you’re sharing data with, the apps accessing your information, devices linked to your account and which can access your phone.”
Google says that “to protect your Google Account,” it “strongly recommends” using its account security checkup “regularly.” It’s very easy to do so. Just sign into your Google Account, tap or click on your profile picture, and then select “recommended actions.” The results are even color-coded. “Blue for security tips, yellow for important steps and red for urgent ones. A green shield with a check mark means your account is healthy and no immediate action is needed.”
Google does offer a big red button to better secure your account—its Advanced Protection Program. But just as I advised Apple users, this is not for you unless “you’re a journalist, activist, or someone else at risk of targeted online attacks.” Don’t be lulled into opting in, thinking you need the ultimate level of protection if you don’t. It will stop many of your devices and services working as you’d expect them to.
Adhering to Google’s critical recommendations around passwords and MFA, the use of passkeys, and safe browsing will go a long way to keeping you safe. But none of that replaces the need to adhere to basic rules. No apps from outside official stores, no links, no attachments, and no sharing your primary email address when shielded email becomes available. You might also consider a new account and address if yours has been around a while and is already a honeypot for spam and phishing.
The other thing you must do to ensure you don’t lose your account is to keep using it of course. It’s a bit obvious, but if you allow accounts to run stale through lack of use, then Google will delete them. If you do have accounts you don’t use but want to keep, just make sure you log into them once in a while. Details here — but currently the timeline is set at two-years, so little chance of a surprise.
