What’s Going On — New Gmail Address Feature & Scam Alerts
Google has begun rolling out a new feature that lets @gmail.com users change their Gmail address while keeping their existing data and services intact — something not previously allowed. This change is intended to give users more control over their digital identity and make it easier to update old or unwanted addresses. (cryptika.com)
However, cybercriminals are exploiting this feature in sophisticated phishing campaigns by sending fake emails that appear to come from Google, urging users to “confirm” a Gmail address change or take action on their account. These emails may look legitimate — even coming from apparently official addresses — but lead to credential‑stealing sites designed to take over Gmail accounts. (PCWorld)
Case Study 1 — Phishing Emails Masquerading as Gmail Address Change Notices
According to PCWorld, scammers are sending phishing emails that look like genuine Gmail system messages about the new address change feature. These emails:
- Claim that a necessary action is required, e.g., confirming your new Gmail address, or verifying your identity.
- Include links to what appears to be official Google support or sign‑in pages.
- Instead direct users to fake credential‑harvesting sites, sometimes hosted on sites.google.com, a legitimate Google domain that can bypass some email filters. (PCWorld)
Why this is dangerous:
Because attackers use real Gmail domain components and familiar formatting, the messages can appear highly credible, tricking even vigilant users into entering their passwords. (PCWorld)
Case Study 2 — Spoofed Sender Addresses & Bypass of Spam Filters
Cybersecurity experts have noted that many of these scam emails spoof official Google sending addresses, such as:
- no‑[email protected]
- Email display names that look like real Gmail messages
Combined with links to Google Sites, this enables attackers to create highly convincing phishing pages that spam filters and security scanners may not easily block — significantly increasing the risk of credential theft if users aren’t cautious. (PCWorld)
Commentary & Expert Analysis
Security professionals are warning that:
- The new Gmail address change feature, while useful, creates a window of opportunity for phishing campaigns targeting unsuspecting users. (PCWorld)
- Attackers often embed fake forms on seemingly legitimate domains, like sites.google.com, that can trick filters and users alike. (PCWorld)
- Even if an email looks like it comes from Google, this doesn’t guarantee legitimacy; users must verify the destination of all links before entering sensitive information. (PCWorld)
Security analysts recommend that users never click links in unsolicited emails and always navigate directly to https://mail.google.com or https://myaccount.google.com to check for security alerts. (PCWorld)
Official & Practical Advice
Google (and security sources) advise the following to protect Gmail accounts:
Recognise & Avoid Scams
- Google will never ask you to enter your password via email links — especially for a new feature like username changes.
- If an email mentions urgent action or threats (“your account will be closed!”), treat it with suspicion.
- Always inspect the actual URL behind links by hovering before clicking — phishing pages will often hide suspicious domain names. (PCWorld)
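The link inspection advised above, and the sites.google.com hosting described in Case Study 2, can be automated when triaging a reported message. The following is an added example, not code from the article or from Google: it extracts every link from an HTML message and flags user-published pages on a Google domain and link text that shows a different host than the real destination. The ACCOUNT_HOSTS allowlist, the function and class names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only hosts where a real Google sign-in or account page lives.
ACCOUNT_HOSTS = {"accounts.google.com", "myaccount.google.com", "mail.google.com"}
USER_CONTENT_HOSTS = {"sites.google.com"}  # anyone can publish a page here
URLISH = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#]\S*)?$")

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage_links(raw):
    """Return findings for the links in one raw message with an HTML body."""
    msg = message_from_string(raw, policy=policy.default)
    body, collector = msg.get_body(preferencelist=("html",)), LinkCollector()
    collector.feed(body.get_content() if body else "")
    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = URLISH.match(text.lower())  # does the visible text look like a URL?
        if host in USER_CONTENT_HOSTS:
            findings.append(f"user-published page on {host}")
        elif host and host not in ACCOUNT_HOSTS:
            findings.append(f"not a Google account host: {host}")
        if shown and shown.group(1) != host:
            findings.append(f"text shows {shown.group(1)}, href goes to {host}")
    return findings

# Constructed sample message, not a captured phish.
SAMPLE = """\
Subject: Confirm your new Gmail address
Content-Type: text/html; charset="utf-8"

<a href="https://sites.google.com/view/constructed-example">https://myaccount.google.com/security</a>
"""
```

The check deliberately ignores the From header, since the sender address in these campaigns is spoofed; the link destination is the signal that survives that.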
Strengthen Account Security
- Enable Two‑Factor Authentication (2FA) — this adds a second verification step even if your password is stolen.
- Use unique, strong passwords for your Google account that aren’t reused across sites.
- Regularly review recent security activity in your Google account settings to spot unauthorized access.
- Report suspicious emails via Gmail’s “Report phishing” option — this helps improve filters and warnings for other users. (Google Help)
Verify Through Official Channels
If you see an alert about an account change in an email, don’t interact with the email itself — instead:
- Open Gmail in your browser.
- Go to your Google Account > Security page.
- Check recent activity and account notifications there.
Why This Matters
The combination of a new official Gmail address change feature and an active wave of phishing scams creates a realistic bait for attackers to steal credentials or take over accounts. Because Gmail accounts often serve as the gateway to other services (e.g., Google Drive, Photos, or financial and social accounts), a compromised Gmail login can have far‑reaching consequences. (PCWorld)
Staying informed and following basic cybersecurity hygiene — such as never entering credentials on unverified links and enabling 2FA — remains critical to keeping digital identities secure.
Here’s a case‑study and commentary‑style overview of the recent phishing risk tied to Gmail address change emails that Google has warned users about — including examples of how attackers are exploiting the situation, real‑world scam case studies, and expert commentary on why users should be cautious.
Case Study 1 — New Gmail Address Change Feature Sparks Fake Emails
Background:
Earlier in 2025–2026 Google rolled out — or began testing — a new feature that lets Gmail users change their primary @gmail.com address while keeping their email, contacts, Drive data and sign‑in intact. The original address becomes an alias, and both work in the same inbox. This change, which previously wasn’t possible with standard Gmail accounts, is being phased in gradually in different regions. (AOL)
The scam:
Scammers have started sending phishing emails that mimic official Gmail notifications about this new address‑change feature. The fraudulent messages claim that the user needs to confirm a change or update account details to avoid issues, and include links to what appear to be legitimate Google sign‑in pages. In reality, those links lead to fake credential‑harvesting sites designed to steal login info. (News Minimalist)
Why this is effective:
Because legitimate Gmail address changes are something new that users haven’t seen before, attackers exploit that unfamiliarity. Phishing messages often look official and reference a real Google rollout happening now, making them harder to spot as scams. (News Minimalist)
Case Study 2 — Real‑World Scam Example Reported by Tech Outlets
How the scam masquerades:
In recent reports, attackers are crafting emails that:
- Claim to be Gmail system messages about changing your primary email address;
- Use visual elements or wording very similar to official Google messages; and
- Contain links to fake login screens that capture your username and password when submitted. (News Minimalist)
Contrary to what these campaigns suggest, Google never actually sends links in email to perform the address change; the correct way to change a Gmail address is through Google Account settings, not by clicking a link in an email. (News Minimalist)
This pattern echoes other phishing scams that look like official Gmail notifications but are not — such as fake security alerts enticing users to click to “fix” an account problem. Past phishing campaigns have mimicked “no‑[email protected]” or other credible sender addresses to make scams seem legitimate. (Tech.co)
Case Study 3 — Spam Filters & Phishing Tactics
Phishing scams often go beyond simple text — attackers may:
- Spoof Gmail notification formats so that emails look like they come from official Google domains. (Tech.co)
- Use legitimate platforms (e.g., seemingly authentic Google Sites pages) to host fake login forms. Phishing links that redirect through trusted domains make it easier for emails to bypass spam filters. (A similar tactic has been seen in other Gmail phishing scenarios — even if not specifically tied to address change yet.) (Kaspersky)
- Use urgency and familiar language like “Your Gmail address must be updated” to provoke clicks without careful scrutiny. (Forbes)
Expert & Security Commentary
Why attackers are targeting this change:
Cybersecurity experts warn that new and unfamiliar legitimate features make effective phishing bait because users don’t know what to expect — a key strategy in social engineering. Scammers craft alerts around something plausible (like a Gmail change) to trick users into reacting without thinking. (Forbes)
Fundamental security warnings from Google and analysts:
- Google stresses that it will never send unsolicited emails asking you to click a link to change your email address or request your password directly. Official account changes must be done through myaccount.google.com or the Gmail app settings. (Forbes)
- Security pros recommend that users treat urgent‑sounding emails with skepticism, avoid clicking links in unsolicited messages, and verify any request through official account pages. (Forbes)
- Classic phishing prevention advice remains critical: check actual sender domains, hover over links to inspect URLs before clicking, and use two‑factor authentication to protect accounts. (Forbes)
Why This Matters – Commentary
Phase‑In of Gmail Address Changes
The rollout of the Gmail address change feature, which lets users replace their primary @gmail.com address without losing access, is convenient, but it also creates a window of confusion that attackers can exploit. Users unfamiliar with normal change procedures might be more prone to engage with fake messages telling them to confirm or correct an update. (AOL)
Security Habits Are Essential
Scammers thrive on urgency and familiarity. Even when an email looks like it’s from Google, users should be cautious: Google’s own statements remind users that the company does not ask for passwords via email links, and real security actions are initiated within account settings. (Forbes)
Takeaway for Users
- Do not click links in unsolicited “address change” or “security update” emails.
- Navigate directly to Google Account settings to confirm any changes.
- Use two‑factor authentication (2FA) and strong passwords to mitigate account takeovers.
- Report suspicious messages using Gmail’s Report phishing feature.
Summary
What’s happening: Scammers are leveraging Gmail’s new address‑change feature to send fake emails that look like official change notifications, aiming to harvest login credentials. (News Minimalist)
How scams work: Phishing messages mimic Gmail notifications with urgent wording and fraudulent login links, sometimes hosted on trusted platforms — all designed to trick users into revealing account passwords. (Forbes)
Expert view: Security professionals emphasize confirming actions via official settings only, never entering credentials through email links, and using account protections like 2FA. (Forbes)
