Google’s Gmail Phishing Warnings and False Positives

Recently there have been messages from my policy-oriented mailing lists (at least one of my lists has been running for more than a quarter century) that Google’s Gmail (and its associated Inbox application) are tagging as likely phishing attempts — scary red warnings and all!

While I don’t yet understand the entirety of this situation, the circumstances behind one particular category of these seems clear, and I’ll admit that I chuckle a bit every time that I think about it now.

One might assume that with Google’s vast AI resources and presumably considerable reputation data relating to incoming mail characteristics, a sophisticated algorithm would be applied to pick out likely email phishing attempts.

In reality, at least in this case, it appears that Google is basically using the venerable old UNIX/Linux “grep” command or some equivalent, and in a rather slipshod way, too.

As you know, I discuss Google policy issues a great deal. Many Google users come to me in desperation for advice on Google-related problems. I write about Google technical matters frequently, as I explained in:

“The Google Account ‘Please Help Me!’ Flood” – https://lauren.vortex.com/2017/09/12/the-google-account-please-help-me-flood

One typical recent message of mine that has often been tagged as a likely phish by Google was:

“Protecting Your Google Account from Personal Catastrophes” –
https://lauren.vortex.com/2017/09/07/protecting-your-google-account-from-personal-catastrophes

Google was apparently convinced that this message was likely a phish, and dramatically warned a subset of my list recipients of this determination.

But as you can see from the message itself, there’s nothing in there asking for users’ account credentials, nothing to suggest that it’s email attempting to fool the recipient in any way.

So why did Google think that this was likely a horrific phishing email?

Here’s why. First, my message had the audacity to mention “Google Account” or “Google Accounts” in the subject and/or body of the message. And secondly, one of my mailing lists is “google-issues” — so some (digest format) recipients received the email from “google-issues-request@vortex.com” (vortex.com is my main domain of very long standing — it was one of the first 40 dot-com domains ever issued and I’ve been using it continually since then, more than 30 years).

Note that the character string “google” is on the LEFT side of the @-sign. There’s nothing there trying to fool someone into thinking that the email came from “google.com” or from any other Google-related domain.

Apparently what we’re dealing with here is a simplistic (and frankly, rather haphazard in this respect at least) string-matching algorithm that could have come right out of the early 1970s!
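The left-side versus right-side distinction described above, as an added example (not from the original post, and not Google's actual filter, which is not public): a substring rule of the kind the post infers, next to a check that looks only at the sender's domain. The function names, the brand-domain set and the sample messages are assumptions constructed for illustration.

```python
from email.utils import parseaddr

BRAND = "google"
PHRASE = "google account"
# Assumption for this example: domains that legitimately belong to the brand.
BRAND_DOMAINS = {"google.com"}

def naive_flag(from_header, subject):
    """Substring rule of the kind the post infers: the brand string anywhere
    in the sender address plus the account phrase in the subject."""
    return BRAND in from_header.lower() and PHRASE in subject.lower()

def sender_domain(from_header):
    """Return only the part to the RIGHT of the @-sign, lowercased."""
    _, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else ""

def domain_aware_flag(from_header, subject):
    """Flag only when the sender's domain imitates the brand without being
    one of the brand's own domains; the local part is ignored."""
    domain = sender_domain(from_header)
    if not domain or PHRASE not in subject.lower():
        return False
    owned = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    return BRAND in domain and not owned

# Constructed sample messages (sender, subject); only the first mirrors the post.
SAMPLES = [
    ("google-issues-request@vortex.com",
     "Protecting Your Google Account from Personal Catastrophes"),
    ("Account Team <security@google-accounts.example>",
     "Your Google Account needs attention"),
    ("no-reply@accounts.google.com", "Google Account security alert"),
]

def compare(samples=SAMPLES):
    """Return (sender domain, naive verdict, domain-aware verdict) per sample."""
    return [(sender_domain(f), naive_flag(f, s), domain_aware_flag(f, s))
            for f, s in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The substring rule flags all three samples, including the mailing-list address and the brand's own domain; the domain-aware check flags only the lookalike domain.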

I’ll add that I’ve never found a way to get Google to “whitelist” well-behaved senders against these kinds of errors, so some users see these false phishing warnings repeatedly. I’m certainly not going to change the names of my mailing lists or treat the term “Google Accounts” as somehow verboten!

Google of course wants Gmail to be as safe a user environment as possible, and in general they do a great job at this. But false positives for something as serious as phishing warnings are not a trivial matter — they can scare users into immediately deleting potentially useful or important messages unread, and sully the reputations of innocent senders.

If nothing else, Google needs to establish a formal procedure to deal with these kinds of errors so that demonstrably trustworthy senders can be appropriately whitelisted, rather than face these false positive warnings alarming their recipients repeatedly.

And a bit more sophistication in those phishing detection algorithms would be appreciated as well. 

In the meantime, I expect that some of you will again get Gmail phishing warnings — on THIS message. You know who you are. Sorry about that, Chief!

Oh, by the way, Google seems to have recently become convinced that I live either in Detroit or somewhere in Hawaii (I’ve never been to either). I’d probably prefer the latter over the former, but I’m still right here in L.A. as always. Unfortunately, there’s no obvious way these days to correct these kinds of Google location errors, even when your IP address clearly is correctly geolocating for everyone else — as mine is. If you’ve been having issues with Google-determined location being incorrect for you on desktop Google Search, on your phone, on Chromecasts, or with any other devices (e.g. Google Home), please let me know. Thanks.

–Lauren–