Hackers are exploiting Gmail’s new address-change feature to launch convincing phishing attacks, raising fresh concerns for billions of users worldwide.
A recently launched Gmail feature has become a new tool for cybercriminals, highlighting the risks that often accompany platform updates. Image: CH
Tech Desk — February 2, 2026:
Google’s latest Gmail feature was designed to offer flexibility, allowing users to add a new email address while retaining their existing inbox. But cybersecurity experts now warn that the update has also opened a new avenue for fraud, as hackers exploit the change to craft increasingly convincing phishing campaigns targeting Gmail’s vast user base.
Earlier this month, Google introduced the feature to help users transition away from outdated or unused email addresses without losing access to their old accounts. While the functionality itself does not affect stored emails, files, or linked services, criminals have quickly seized on the update as a believable pretext for deception.
According to cybersecurity analysts, scammers are sending emails that reference “Gmail address changes” or “security verification” requests. These messages often appear to originate from addresses that closely resemble official Google domains, such as no-reply@accounts.google.com, making them difficult for users to distinguish from legitimate notifications. The emails typically urge recipients to confirm a new address or verify account activity by clicking a link.
The deception becomes more sophisticated once users follow those links. Many lead to fake websites hosted on sites.google.com, a legitimate Google-owned domain that lends an extra layer of credibility. These pages are carefully designed to mimic Google’s login and security interfaces, increasing the likelihood that users will enter their usernames and passwords without suspicion.
If attackers obtain those credentials, the consequences can extend far beyond email. A compromised Gmail account can provide access to Google Drive, Photos, Calendar, and any third-party services linked through Google sign-in. In effect, a single successful phishing attempt can unlock large portions of a user’s digital life.
Google has emphasized that the new feature itself does not endanger users’ existing data. Emails, files, photos, subscriptions, and purchase histories remain intact even when an address is updated. Technology analysts note that the feature is genuinely useful, particularly for users who have changed jobs, locations, or personal circumstances and no longer want to rely on an old address. With roughly two billion active Gmail users, even incremental improvements can have wide-reaching benefits.
However, experts argue that scale also magnifies risk. Any change affecting such a large user base becomes an attractive target for cybercriminals, who rely on familiarity and urgency to manipulate behavior. Phishing emails linked to account changes are especially effective because they exploit users’ fear of losing access or having their accounts suspended.
Cybersecurity specialists advise users to treat any unsolicited security email with caution. Common warning signs include generic greetings, vague threats of account deletion, and requests for passwords or personal information via links. Google itself recommends bypassing email links altogether and instead logging directly into a Google account through a web browser to check for security alerts. Legitimate warnings typically include specific details, such as the device, location, and time of a login attempt.
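For mail administrators, the warning signs described above can be expressed as a simple filter check. The Python sketch below is an added example, not code from Google or from the analysts cited. The lure phrases, the greeting pattern, the DMARC check on the Authentication-Results header, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed lure phrases and greetings, based on the wording the article describes.
LURE = re.compile(r"address change|security verification|verify your account", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear (user|customer|account holder)\b", re.I | re.M)
URL = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)
USER_CONTENT_HOSTS = {"sites.google.com"}  # Google-owned, but serves user-created pages

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")

def assess(raw_message):
    """Return the list of warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    text = body_text(msg)
    findings = []
    if LURE.search(msg.get("Subject", "") + "\n" + text):
        findings.append("account-change lure wording")
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting")
    for url in URL.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host in USER_CONTENT_HOSTS:
            findings.append(f"link to user-hosted page on {host}")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    if (sender_domain == "google.com" or sender_domain.endswith(".google.com")) and "dmarc=pass" not in auth:
        findings.append("claims a Google sender without a DMARC pass")
    return findings

# Constructed sample message (not a captured phishing email).
SAMPLE = """\
From: Google <no-reply@accounts.google.com>
Subject: Confirm your Gmail address change
Authentication-Results: mx.example.net; dmarc=fail header.from=accounts.google.com

Dear user,
Your account will be deleted unless you complete security verification:
https://sites.google.com/view/constructed-example/login
"""

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE)))
```

Each finding is a signal for triage rather than a verdict; a legitimate message can link to sites.google.com, so the checks are meant to be weighed together.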
The concern is amplified by broader trends in data exposure. Recent findings by cybersecurity researcher Jeremiah Fowler uncovered a database containing 149 million compromised accounts, nearly a third of which were linked to Gmail. The presence of data from multiple platforms underscores how valuable email credentials are as gateways to wider online identities.
Taken together, the abuse of Gmail’s new feature illustrates a recurring challenge in cybersecurity: innovation often creates new opportunities not only for users, but also for attackers. As platforms evolve, the burden increasingly falls on both companies and users to recognize how small changes can reshape the threat landscape—and how vigilance remains essential, even when updates are designed with convenience in mind.
