Security experts in Poland warn of another dangerous scam targeting email users, including Gmail. At first glance, it may seem like an ordinary message, but its goal is to lure login information and get into the victim’s inbox.
The group UNC1151, also known as Ghostwriter, is said to be behind the attacks. It has been using phishing for years, i.e. fake e-mails or sites that imitate trustworthy services. If a person enters a password, attackers gain access to their account, inform the experts.
The compromised mailbox can then reveal contacts, private messages, documents, and other linked accounts. That is why it is not just a technical problem, but a risk that can affect every internet user.
Attackers are already targeting Gmail
At first, the attackers mainly focused on Polish e-mail services, for example Onet, Wirtualna Polska or Interia. However, since March 2026, they have started attacking Gmail users more often. They send fraudulent e-mails regularly and in large numbers, especially during working days. The goal is simple, to get a person to enter their credentials on a fake site.
The danger is that a password alone is not enough for attackers. They can also try to bypass the second verification, i.e. a code from an SMS or a confirmation in the application. That’s why security experts keep finding new fake sites. They look like the real Gmail, but are actually used to steal login information.
Fraudulent e-mails may not only come to people who are publicly known or work in important positions. Attackers often try different addresses and sometimes don’t even know exactly who the message is going to. Therefore, it can happen that even a regular user receives a fake e-mail. It’s enough that he has a similar name to someone the attackers originally targeted, or his address got into the contacts of the attacked account.
Fake site steals login information
The scam starts with a fake email that looks like a Gmail message. In it, the attackers claim that suspicious activity, an unknown login or a violation of the rules was detected on the account. The user is then pressured to verify the problem quickly, otherwise their account will be blocked or deleted.
The message contains a link to a fake page that mimics a Gmail login. When a person enters an e-mail and password there, the data reaches the attackers. It is also dangerous that the site may ask for a second verification code, for example from an SMS or from the Google Authenticator application.
Scammers often send multiple messages in succession to put pressure on the victim. Sometimes they only change the text and shorten the time until a person is supposed to react. If they can’t get into the account right away, they can try to send another fake email.
Security experts warn that similar attacks can continue to change and improve. That’s why it’s important not to click on suspicious links, check the page address and, if in doubt, log into Gmail only through the official site or application. Suspicious sites should be reported to the security team so that they can be blocked more quickly.
Below are examples of email addresses and message subjects that the attackers used in the scam.
| Sender’s name | Email address ending with @gmail.com | Name of the message |
|---|---|---|
| Secure mail | mailnotify24 | Critical warning |
| Notification of sending by e-mail | mailersupport24 | An attempt to log in from a new device was detected. |
| Ensuring support | support.security.inf | Safety notice |
| Account monitoring | account monitoring | Suspicious activity |
| Post office team | validationgrupapocztowa | We may block your account |
| Post office team | naruzen.detekcja | We may block your account |
| Ensuring support | serwis. pomoc. techniczna | Important access verification |
