
The FBI's Guidance on Gmail Attacks Proves Ineffective and Unbeneficial for Users

Some recommendations from the FBI's cybersecurity department may not be beneficial, and certain suggestions could even pose risks—here's what you ought to be aware of.


Update, Dec. 20, 2024: This article, originally published Dec. 19, is now updated with details of how both the National Security Agency and the Federal Bureau of Investigation are providing outdated security advice.

Cautioning against the Federal Bureau of Investigation's flawed, if not misleading, recommendations for potential victims of email phishing scams is not what I envisioned doing today, yet here we are. Google has already alerted Gmail users to a second wave of scam attacks, highlighting three particularly popular attack strategies, and the prevention advice it offered is, generally speaking, well-founded. The FBI's amended warning about persistent email phishing threats against Gmail, Outlook and Apple Mail users, however, together with the guidance given alongside it, is flawed in the eyes of several security experts. Here's what you should know.

The Faulty FBI Phishing Mitigation Suggestions

The FBI recently reiterated its alarm about recurring phishing threats aimed at Gmail, Outlook and Apple Mail users. The plan of action it presented for prevention was, for the most part, quite sound: examine a website's address before navigating there, be skeptical of tempting offers, and use secure payment methods. Attacks that exploit the habit of hovering over a link to preview it have made URL verification a little more complicated, but the advice remains valid despite that.

Less persuasive, however, is one piece of advice the FBI is still emphasizing as if it were applicable as we head into 2025: critically examine the spelling used in any correspondence. This remains pertinent for URLs, where alternative spellings and look-alike character sets are used to fool the eye, but as a test of the email body itself it is now outdated. It is possible that the miscommunication is the FBI's own and that it honestly means only scrutinizing spelling in links. I suspect, however, that this is not how the general public interprets it, least of all those most at risk: non-technical individuals.
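As an added illustration (not code from the article, the FBI or Google), here is a small Python checker that does the "inspect the address before you click" work mechanically, over a constructed HTML lure. It surfaces exactly the tricks that defeat eyeballing a link: display text naming one site while the href goes to another, a real brand name buried in the subdomain of an unrelated domain, punycode or mixed-script (look-alike character set) hostnames, and near-miss spellings of a short, hypothetical list of known brands. The brand list, the sample email, the regex anchor extraction and the two-label approximation of a registrable domain are assumptions for the example, not anything the page specifies.

```python
"""Link checks for an HTML email: the 'inspect the address before you click'
step done mechanically. Added example, not code from the article, FBI or Google."""
import re
import unicodedata
from urllib.parse import urlparse

# Assumption: the brands the recipient actually deals with (hypothetical list).
KNOWN_DOMAINS = {"google.com", "microsoft.com", "apple.com", "paypal.com"}

# Good enough for a flat sample lure; use html.parser for real mail bodies.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def extract_links(html: str) -> list:
    """(href, visible text) for every anchor, inner tags stripped."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in ANCHOR_RE.findall(html)]


def host_of(url: str) -> str:
    """Hostname of a URL, ignoring userinfo ('user@host' tricks) and port."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0].lower()


def unicode_host(host: str) -> str:
    """Render punycode labels (xn--...) as the Unicode a mail client shows."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); an assumption that suits .com/.net."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss brand names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(label: str) -> set:
    """Unicode script families of the letters in a label (from char names)."""
    out = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                out.add("LATIN")
        else:
            out.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return out


def check_link(href: str, text: str) -> list:
    """Human-readable findings for one link; [] means nothing looked odd."""
    findings = []
    host = unicode_host(host_of(href))
    reg = registrable(host)
    # 1. Visible text is itself a URL or hostname that disagrees with the href.
    if re.search(r"\b[\w-]+\.[a-z]{2,}\b", text, re.I):
        shown = registrable(unicode_host(host_of(text.split()[0])))
        if shown != reg:
            findings.append(f"text shows {shown} but link goes to {reg}")
    # 2. A known brand buried as a subdomain of an unrelated registrable domain.
    for brand in sorted(KNOWN_DOMAINS):
        if brand != reg and f".{brand}." in f".{host}.":
            findings.append(f"{brand} used as subdomain of {reg}")
    # 3. Internationalized hostname: what is rendered may not be what resolves.
    if not host.isascii():
        findings.append(f"non-ASCII hostname {host!r}")
        for label in host.split("."):
            if len(scripts_in(label)) > 1:
                findings.append(f"mixed scripts in label {label!r}")
    # 4. Near-miss spelling of a brand (paypa1, rnicrosoft, Cyrillic a, ...).
    label = reg.split(".")[0]
    for brand in sorted(KNOWN_DOMAINS):
        bl = brand.split(".")[0]
        if reg != brand and bl != label and edit_distance(bl, label) <= 2:
            findings.append(f"{reg} is a near-miss of {brand}")
    return findings


def scan_email(html: str) -> dict:
    """Map each href in the email to its findings."""
    return {href: check_link(href, text) for href, text in extract_links(html)}


# Constructed sample lure: every link except the last is hostile.
SAMPLE_EMAIL = """<p>Your account has been limited. Verify within 24 hours:</p>
<a href="https://accounts.google.com.security-check.net/login">https://accounts.google.com/signin</a><br>
<a href="https://paypa1.com/resolve">Resolve your <b>PayPal</b> issue</a><br>
<a href="https://\u0430pple.com/id">https://apple.com/id</a><br>
<a href="https://support.microsoft.com/help">Microsoft Support</a>"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(("SUSPECT " if findings else "ok      ") + href)
        for finding in findings:
            print("    -", finding)
```

Run as a script, the three hostile links are reported with reasons and the support.microsoft.com link is not. Note that the spelling check that still earns its keep is the one on hostnames (checks 3 and 4), not on the email body: a Cyrillic "а" in apple.com is invisible to a reader but trivially visible to code, and the same link is also caught because the text it shows disagrees with where it goes.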

What the FBI Should Have Said

The truth is, I am a proponent of the FBI's public security alerts and warnings, as they are generally on point when it comes to notifying the public of security risks and how to prevent them. Take, for instance, the recent story about the rising use of AI-generated phishing attacks against smartphone users and the suggestion to hang up and establish a secret code. The FBI's own public service announcement on the use of AI even confirmed that "criminals utilize generative AI tools to help with language translations to minimize grammatical or spelling errors for foreign cyberactors targeting U.S. victims."

Referring to reports of the escalation in credential-phishing email attacks, Callie Guenther, senior manager of cyber threat research at Critical Start, noted that the rise "aligns with the expanded use of generative AI, which enables attackers to create natural-language phishing content at scale, localize campaigns across languages, and automate deep personalization."

What the FBI should be emphasizing is the very thing it said in that other PSA: generative AI is now sophisticated enough to produce phishing emails with no spelling mistakes and perfect grammar in any language, so do not rely on scrutinizing spelling as part of your mitigation efforts.

The FBI Isn't the Only One Providing Outdated Advice

It is not just the FBI that needs to update its questionable cybersecurity recommendations; the National Security Agency could do with a revamp as well. Which recommendations? Take, for instance, the advice to switch your smartphone off and on once a week to neutralize or lessen spear-phishing campaigns aimed at installing spyware or malware, or relying on zero-click exploits.

As I have previously reported, this idea comes from a document first published in 2020. There is a grain of truth in it: restarting your smartphone can purge malware that does not persist across a reboot, so it does no harm. There is a potential drawback, though. If people come to believe that switching off their phone is a definitive security solution, they may direct their attention elsewhere and leave themselves vulnerable to attack.

The context in which this advice is presented is crucial, as is the fact that the weekly reboot is merely one item appended to a more extensive infographic. Turning your device off and on weekly can lower the risk from spear-phishing attacks that install malware such as spyware, and from zero-click exploits, but only where the implant does not survive a restart. By 2024, malware has developed enough to outlive a reboot, and even where it does not, the still-malicious message or unwanted connection to a web application can simply reinitiate the infection process. And it's not just me who thinks so. According to Jake Moore, global cybersecurity evangelist with ESET, "as long as individuals routinely update their devices when new operating system versions become available, devices will remain protected. Turning off your phone on a regular basis is beneficial for battery reasons, but not so much for security."

I have reached out to the FBI for comment.

  1. Despite the FBI's recent warning about email phishing dangers, several security experts view its guidance as outdated, particularly the advice to critically examine the spelling in any correspondence.
  2. In response to the second wave of Gmail scam attacks, Google has provided solid prevention advice, but the FBI's updated warning about email phishing targets, including Gmail, Outlook and Apple Mail users, is questionable.
  3. The aspect of the FBI's phishing mitigation suggestions that has raised concern is the continued emphasis on scrutinizing spelling errors, which security experts argue is outdated now that generative AI produces error-free phishing emails.
  4. The FBI's urging to critically examine the spelling in any correspondence might be misinterpreted by non-technical individuals, leading them to overlook more serious threats because they are focused on checking for spelling errors.
  5. It is not only the FBI that needs to update its outdated cybersecurity recommendations; the National Security Agency could also benefit from revising some of its advice, such as the suggestion to switch smartphones off and on weekly to neutralize spear-phishing campaigns.
