The new Gmail encrypted messaging feature opens a door to fraud

Google announced in early April that a simplified tool will allow business users to easily send “end-to-end” encrypted emails, an effort to deal with the long-standing challenge of adding additional security protection to email messages. The feature is currently in beta so that enterprise users can try it within their own organization. It will then expand to allow Google Workspace users to send end-to-end encrypted emails to any Gmail user. By the end of the year, the feature will allow Workspace users to send more secure emails to any inbox. Email spam and digital fraud researchers warn, however, that although the feature will provide a new option for email privacy and security, it will also inevitably give rise to new phishing attacks.

End-to-end encryption is a protection that keeps data encrypted at all times except on the sender's and the recipient's devices, and it is difficult to add to the historic email protocol. The mechanisms for this are usually very complex and expensive to apply and make sense only for large organizations trying to meet specific compliance requirements. In contrast, the new end-to-end encrypted email tool is easy to use and does not require significant IT overhead. The scenario that digital fraud researchers are most concerned about is when a Workspace user sends an end-to-end encrypted email to a non-Gmail user.

“When the recipient is not a Gmail user, Gmail sends them an invitation to review the E2EE email in a limited version of Gmail,” Google wrote in a blog post. “The recipient can then use a guest account on Google Workspace to review securely and respond to the email.”

The fear is that fraudsters will take advantage of this new and more secure communication mechanism by creating fake copies of those invitations that contain malicious links and prompt the target to enter their login credentials for their email, single sign-on services, or other accounts.

“Looking at Google’s implementation, we can see that it is introducing a new workflow for non-Gmail users, who receive a link to review an email,” says Jerome Segura, senior director of threat intelligence at Malwarebytes. “Consumers may not be aware of exactly what a legitimate invitation looks like, which makes them more susceptible to clicking on a fake.”

Given the technical restrictions of email, Google created a way for the organization’s Workspace to automatically manage the keys used to decrypt encrypted messages. Key management is what makes end-to-end encryption so difficult, so offering a solution that is easy for customers is a departure from what is currently available. The fact that the organization’s Workspace controls the keys, instead of keeping them locally on the sender’s and recipient’s devices, means that the feature does not quite qualify as end-to-end encryption in the strictest sense of the term. But researchers say that for use cases such as business compliance, the tool can still be extremely useful. And people who want end-to-end encrypted communications should just use an application built for it, such as Signal.

When Gmail users receive one of the new encrypted emails from a Google Workspace user, the vast array of dynamic spam filters and detection mechanisms will be in play to prevent spam, phishing and fraudulent impostors. But email users outside the Google ecosystem will also be able to receive encrypted email invitations, which makes the service accessible to anyone but also leaves non-Google users to their own devices.