Google Confirms 6 in 10 Gmail Users Targeted by Email Scams
Why This Matters
Google’s own survey shows that 61% of people say they’ve been hit with email-based scams in the past year, and the majority of those attacks aimed straight at Gmail inboxes. At the same time, Google warns that “most users still rely on outdated log-ins like passwords and SMS 2FA,” leaving billions of accounts one phishing link away from takeover.
What Google Is Changing
- Passkeys become the default (and eventually the only) way to sign in. Google is moving every personal Gmail account toward biometric / device-PIN passkeys and QR log-ins, which are resistant to phishing and SIM-swap attacks.
- SMS codes are being retired. Text-message 2FA—long a weak spot—is scheduled for phase-out “over the next few months.”
- Non-compliant accounts will face friction or temporary locks. If you ignore the upgrade prompts, expect extra recovery hoops—or a total lock-out—once the password era officially ends.
Who Is Most at Risk
- Older generations: Over 60% of Gen X and Baby Boomers still cling to passwords as their primary sign-in method, making them prime phishing targets.
- Multi-device users: If you sign in on multiple phones or PCs, one un-updated device can undermine every other.
- High-value Gmail addresses: Anything tied to banking, crypto, or recovery emails is already on criminals’ shopping lists.
Timeline—When the Switch Flips
Phase | What Happens | Rough Window* |
---|---|---|
1. Gentle nudges | “Try a passkey” banners in Gmail & Google Account settings | Now → July 2025 |
2. Forced enrollment | Mandatory passkey setup at next sign-in; SMS 2FA option disappears | Aug → Sept 2025 |
3. Lock-out safeguards | Accounts without passkeys enter recovery flow before access | Oct 2025 onward |
*Google has not published exact dates, but internal guidance to Workspace admins says the full cut-over will complete “by Q4 2025.”
How to Shield Your Inbox Today
- Create a passkey on every device: Settings → Security → Passkeys → Create Passkey.
- Remove SMS codes: Swap in Google Authenticator or a hardware security key as backup.
- Refresh your recovery info: Make sure secondary email and phone numbers are current—these are your lifeline if the lock-out hits.
- Audit third-party app access: Revoke anything you don’t recognise; legacy IMAP log-ins can bypass modern protections.
- Spread the word: Less tech-savvy family members—especially parents and grandparents—are statistically the most exposed.
Bottom Line
Google isn’t merely recommending stronger log-ins anymore—it’s scheduling the funeral for passwords and text codes. With scammers already targeting six out of every ten Gmail users, failing to upgrade isn’t just inconvenient; it’s reckless. Set up your passkeys now, or be prepared to fight for your inbox later.