Google Subpoena Scam Exploits DKIM for Phishing Attacks
The Google subpoena scam is a phishing campaign in which fraudsters impersonate Google to create a false sense of urgency and fear. Victims receive an email that appears to come from a genuine Google sender (no-reply@accounts.google.com in the reported campaign), informing them that Google has received a subpoena, a formal legal demand for records. The subject line is typically something like "Security Alert" or "Notice of Subpoena", which makes the message look both urgent and legitimate. The scammers prey on natural concern about legal trouble and data privacy, hoping to trigger a reaction before the recipient stops to think.
Inside the email, the scammers falsely claim that Google has been served with a subpoena requiring the company to produce the victim's account data, such as emails, documents or search history, and urge the victim to click a link to view their "case materials". The link leads to a fraudulent site, often hosted on Google Sites (sites.google.com), built to look like a genuine Google support page. Because the page sits on a real Google domain, the link survives a casual glance at the URL, and this added layer of legitimacy easily convinces users that the request is real.
The most concerning part of this scam is that the email is not a forgery in the usual sense. The attackers do not need to spoof Google's address or defeat DomainKeys Identified Mail (DKIM), the mechanism that lets a receiving server verify that a message was signed by the sending domain: the message really was generated and signed by Google, so DKIM verification succeeds and mail filters and users alike treat it as authentic. That is what makes the lure convincing enough to push unsuspecting users into acting impulsively, potentially exposing credentials and sensitive data or inadvertently installing malware.
Email security firm EasyDMARC explained that the attackers abused legitimate Google services rather than relying on spam-filter evasion tricks. They registered an OAuth application whose name contained the lure text, so that the security alert Google itself sends when an app is granted access to an account carried the phishing message, and then used a DKIM replay to deliver that alert to victims. A DKIM replay attack exploits how email authentication works: DKIM adds a cryptographic signature, computed by the sending domain over the message body and a listed set of headers, that a receiver checks against a public key published in the signer's DNS.
The attack works in a few steps. First, the attacker gets Google to send them a genuine, DKIM-signed message: registering the OAuth app triggers a legitimate security alert from Google to a mailbox the attacker controls, and that alert embeds the app name. Second, the attacker stores the message exactly as received, signature included. Third, the attacker re-sends it, unmodified, from their own mail infrastructure to the intended victims. DKIM covers the body and the headers named in the signature's h= tag (From, To, Subject, Date and so on) but not the transport details: the envelope sender and recipient, the Return-Path and the Received headers are added by each hop and sit outside the signature, so relaying the message does not invalidate it. Intermediate servers may add signatures of their own, but Google's original signature remains intact and verifies. At the victim's mail server, SPF is evaluated against the attacker's own envelope domain, so it says nothing about google.com; DKIM verifies with a google.com signing domain that matches the From: header; and because DMARC requires only one aligned mechanism to pass, the message passes DMARC and lands in the inbox looking like a valid Google email.
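The steps above, as an added example that is not code from the original article or from any party it describes. It is a toy model of DKIM: an HMAC with a shared key stands in for the RSA keypair and DNS record, and the organizational-domain and Received-chain logic is simplified (real DMARC uses the Public Suffix List). The Google alert text, mailboxes, hostnames and domains are all constructed. What the model preserves is the property that matters: the signature covers the body and the h= headers only, so a stored message re-sent through a different relay still verifies and still satisfies DMARC alignment, while any change to the body breaks it.

```python
"""Toy DKIM replay: a message signed by one party stays valid when a third party re-sends it."""
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Stand-in for the public key at <selector>._domainkey.<d=domain>: a shared HMAC key
# (constructed). Real DKIM uses RSA or Ed25519; the replay property is identical.
DEMO_KEYS = {"accounts.google.com": b"constructed-demo-key"}
SIGNED_HEADERS = ("from", "to", "subject", "date")  # the h= list; Received is NOT in it


def _canon(name, value):
    """Relaxed header canonicalization: lowercase name, collapse whitespace."""
    return f"{name.lower()}:{' '.join(value.split())}\r\n"


def _signature_input(msg, sig_value_without_b):
    data = "".join(_canon(h, msg[h]) for h in SIGNED_HEADERS if msg[h] is not None)
    return data + _canon("DKIM-Signature", sig_value_without_b).rstrip("\r\n")


def _org_domain(domain):
    """Simplified organizational domain (last two labels); real DMARC consults the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def _from_domain(msg):
    return parseaddr(msg["From"])[1].rpartition("@")[2]


def dkim_sign(raw, domain):
    """Prepend a DKIM-Signature covering the body hash and the h= headers."""
    msg = message_from_string(raw)
    bh = hashlib.sha256(msg.get_payload().encode()).hexdigest()
    head = f"v=1; a=hmac-sha256; d={domain}; s=demo; h={':'.join(SIGNED_HEADERS)}; bh={bh}; b="
    sig = hmac.new(DEMO_KEYS[domain], _signature_input(msg, head).encode(), hashlib.sha256).hexdigest()
    return f"DKIM-Signature: {head}{sig}\n{raw}"


def dkim_verify(raw):
    """Return the signing domain (d=) if the signature verifies, else None."""
    msg = message_from_string(raw)
    sig = msg["DKIM-Signature"]
    if sig is None:
        return None
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    domain = tags.get("d")
    if domain not in DEMO_KEYS:
        return None
    if hashlib.sha256(msg.get_payload().encode()).hexdigest() != tags.get("bh"):
        return None  # body was modified after signing
    head = sig[: sig.rfind("b=") + 2]
    expected = hmac.new(DEMO_KEYS[domain], _signature_input(msg, head).encode(), hashlib.sha256).hexdigest()
    return domain if hmac.compare_digest(expected, tags.get("b", "")) else None


def dmarc_pass(raw, spf_authenticated_domain):
    """Relaxed DMARC: pass if SPF *or* DKIM authenticates a domain aligned with From:."""
    msg = message_from_string(raw)
    from_org = _org_domain(_from_domain(msg))
    dkim_domain = dkim_verify(raw)
    dkim_aligned = dkim_domain is not None and _org_domain(dkim_domain) == from_org
    return dkim_aligned or _org_domain(spf_authenticated_domain) == from_org


def deliver_hop(raw, from_host, to_host, envelope_sender):
    """What a receiving MX records: envelope sender and a Received line. Neither is signed."""
    return f"Return-Path: <{envelope_sender}>\nReceived: from {from_host} by {to_host}\n{raw}"


def replay_indicators(raw, rcpt_to, spf_authenticated_domain):
    """Signals a receiver can still check even though DKIM and DMARC both pass."""
    msg = message_from_string(raw)
    found = []
    if dkim_verify(raw) and _org_domain(spf_authenticated_domain) != _org_domain(_from_domain(msg)):
        found.append("DMARC passes on DKIM alone; envelope sender domain differs from From:")
    if rcpt_to not in (msg.get("To") or "") and rcpt_to not in (msg.get("Cc") or ""):
        found.append("recipient is not named in the signed To:/Cc: headers")
    hops = msg.get_all("Received") or []
    if hops and _org_domain(_from_domain(msg)) not in hops[0].lower():  # heuristic on last hop
        found.append("last hop before our MX is not the From: domain's infrastructure")
    return found


# Constructed sample of the alert Google sends when an OAuth app is registered; the app
# name field, chosen by the attacker at registration time, carries the lure text.
GOOGLE_ALERT = (
    "From: Google <no-reply@accounts.google.com>\n"
    "To: attacker-mailbox@attacker.example\n"
    "Subject: Security alert\n"
    "Date: Mon, 21 Apr 2025 10:00:00 +0000\n"
    "\n"
    "A new application was granted access to your Google Account:\n"
    "Google Legal Support has been served a subpoena for your account data.\n"
    "Review the case materials at the link below. (constructed lure text)\n"
)


def demo(victim="victim@victim.example"):
    signed = dkim_sign(GOOGLE_ALERT, "accounts.google.com")
    # Google -> attacker mailbox: a genuine, correctly signed alert, stored as received.
    original = deliver_hop(signed, "mail.google.com", "mx.attacker.example", "bounce@google.com")
    # Attacker re-injects the stored copy, headers and all, from their own relay.
    replayed = deliver_hop(original, "relay.attacker.example", "mx.victim.example", "bounce@attacker.example")
    return {
        "original_dkim": dkim_verify(original),
        "replayed_dkim": dkim_verify(replayed),  # still accounts.google.com
        "replayed_dmarc": dmarc_pass(replayed, "attacker.example"),  # True via DKIM alignment
        "tampered_dkim": dkim_verify(replayed.replace("subpoena", "SUBPOENA")),  # None
        "original_indicators": replay_indicators(original, "attacker-mailbox@attacker.example", "google.com"),
        "replayed_indicators": replay_indicators(replayed, victim, "attacker.example"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the replayed copy verifying under the Google signing domain and passing DMARC even though SPF only vouches for attacker.example, while the single-character body edit fails verification. The `replay_indicators` function is the receiver-side takeaway: the three signals it reports (DMARC pass on DKIM alone with a foreign envelope domain, recipient absent from the signed To:, and a last hop that is not the sender's infrastructure) are exactly what a replayed message cannot hide, because the attacker cannot touch the signed headers without breaking the signature.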
The result is that the victim takes the message for a legitimate Google notice and acts on it, clicking the malicious link or handing over sensitive information. The attack trades on the trust people place in email authentication, and it shows that a passing DKIM or DMARC check proves only that the signing domain sent the message at some point, not that it was sent to you, now, by that domain.
Whether the lure arrives as a replayed Google alert or as a plainer forgery, it sends the user to a fake Google support page, often hosted on Google Sites, which adds another layer of false credibility. The page urges the user to sign in to view their "case materials" and, if they proceed, asks for their Google username and password. Once those are entered, the attackers can take over the account. Throughout, the scammers use fear-based pressure, mentioning lawsuits, law enforcement involvement or threats of account suspension; the urgency is designed to make the user bypass their usual caution.
Even though the Google subpoena scam is unusually sophisticated, there are still clear red flags, and recognizing them is what keeps users from falling victim. Some are the usual ones: urgent language and threats, requests for credentials or other sensitive information, poor grammar or formatting, suspicious links, and the absence of any real legal process (a subpoena is served on Google, not announced to the user by a link to a login page). Others are specific to the replay technique, where the sender address is genuine and cannot be used as the tell: check whether you are actually named in the To: line (the replayed alert was originally addressed to a mailbox the attacker controls), whether the message is a Google security alert about an app you never authorized, and, in the raw headers, whether the Return-Path and the Received chain belong to Google.
If a user receives an email claiming to be from Google about a legal subpoena, or any other alarming notification, the right response is to stay calm and not react hastily; phishing attacks like this one depend on urgency to provoke mistakes. Do not click any links or interact with the email, and verify the claim by going to Google's support site or the Google Account dashboard directly, typing the address rather than following the link. Report the message as phishing and to the appropriate authorities, then tighten the account: change the Google password and enable two-factor authentication or passkeys. If credentials were already entered on the fake page, do this immediately and review recent account activity; if financial details were shared, contact the bank at once to watch for suspicious transactions.
When it comes to legal requests such as subpoenas, court orders and search warrants, Google has a formal process for confirming that each request is valid, lawful and submitted through proper channels. Its stated policy is to notify the affected user before producing data, unless it is legally barred from doing so, and to do that only through official notifications. A real legal matter will surface in the Google Account dashboard or in an official Google email; it will not arrive as a demand to sign in through a Google Sites page to see "case materials".
To avoid falling victim to Google subpoena scams, users should stay calm, avoid clicking any links or attachments, and verify any legal claim directly through Google's official support channels. Phishing scams keep evolving, but the risk drops sharply with a few habits: staying skeptical of unsolicited urgent messages, inspecting emails carefully, hovering over links before clicking, enabling 2FA or passkeys, using spam filtering that looks beyond a bare DMARC pass, auditing account security regularly, keeping up with new threats, and educating others about scams like this one.
