Gmail’s New Encrypted Messages Feature Opens a Door for Scams

Google announced at the beginning of April that it is launching a streamlined tool that will allow business users to easily send “end-to-end encrypted” emails—an effort to address the longstanding challenge of adding additional security protections to email messages. The feature is currently in beta for enterprise users to try out within their own organization. It will then expand to allow Google Workspace users to send end-to-end encrypted emails to any Gmail user. By the end of the year, the feature will allow Workspace users to send the more secure emails to any inbox. Email spam and digital fraud researchers warn, though, that while the feature will provide a new option for email privacy and security, it will also inevitably spawn new phishing attacks.

End-to-end encryption is a protection that keeps data scrambled at all times except on the sender and recipient’s devices, and it is difficult to add to the historic email protocol. Mechanisms to do it are typically very complicated and costly to implement and only make sense for large organizations trying to meet specific compliance requirements. In contrast, Google’s end-to-end encrypted email tool is simple to use and doesn’t require significant IT overhead. The scenario that digital fraud researchers are most concerned about, though, relates to the case where a Workspace user sends an end-to-end encrypted email to a non-Gmail user.

“When the recipient is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail,” Google wrote in a blog post. “The recipient can then use a guest Google Workspace account to securely view and reply to the email.”

The fear is that scammers will take advantage of this new and more secure communication mechanism by creating fake copies of these invitations that contain malicious links, and prompt targets to enter their login credentials for their email, single sign-on services, or other accounts.

“Looking at Google’s implementation, we can see it introduces a new workflow for non-Gmail users—receiving a link to view an email,” says Jérôme Segura, senior director of threat intelligence at Malwarebytes. “Users might not yet be familiar with exactly what a legitimate invitation looks like, making them more susceptible to clicking on a fake one.”

Given email’s technical limitations, Google created a way for an organization’s Workspace to automatically manage keys—used to descramble encrypted messages. Key management is what makes end-to-end encrypting email so difficult, so offering a solution that is easy for customers is a departure from what’s currently available. The fact that the organization’s Workspace controls the keys rather than storing them locally on a sender and recipient’s devices does mean that the feature doesn’t quite qualify as end-to-end encryption in the strictest sense of the term. But researchers say that for use cases like business compliance, the tool could still be extremely useful. And individuals who want end-to-end encrypted communications should just use a purpose-built app like Signal.

When Gmail users receive one of the new encrypted emails from a Google Workspace user, Google’s extensive array of dynamic spam filters and fraud detection mechanisms will be in play to protect against spam, phishing, and impostors broadly. Email users outside the Google ecosystem will also be able to receive encrypted email invitations, which makes the service available to anyone but leaves non-Google users to their own devices.

Scammers will prey on anything topical to generate new scams, and this threat certainly isn’t unique to Google’s new encrypted email feature. The invitations to view end-to-end encrypted emails will come with a warning that says, “Be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.”

“While it’s absolutely true that scammers are always looking for new ways to abuse any product, we built this particular technology with this risk in mind,” Google spokesperson Ross Richendrfer said in a statement. “The notifications users will receive in this case are very similar to Drive file sharing notifications that go out whenever someone shares a doc or file. All the protections we employ to keep scammers from capitalizing on these messages will help us protect this new class of notifications as well.”

Generations of Google Drive and Google Docs scams show, though, that it is particularly difficult to combat impostor invitations outside of Google’s ecosystem. But when it comes to the new end-to-end encrypted email feature, “it was either adding a warning or not allowing this feature for non-Gmail users,” Malwarebytes’ Segura says.

In fact, the new tool may offer particularly good fodder for scammers, given that Google is such a trusted organization, and targets may have heard about how end-to-end encryption is a special, gold-standard security feature.

“It’s almost as if someone at Google knew this was a bad idea and asked for a warning to be added,” Malwarebytes’ Segura says. “It’s quite likely fraudsters will jump on the opportunity to craft phishing emails using this exact same template, even including the original warning that will be overlooked.”
