Phishing Attacks Now Using Google Tasks to Trick Users — What You Need to Know

In a troubling development for online security, cybercriminals are increasingly abusing trusted services to spread phishing links — and the latest weapon in their arsenal is Google Tasks. According to recent analysis by security experts at Kaspersky, attackers are exploiting notifications from Google’s task management tool to bypass traditional security and deceive users into giving up sensitive login credentials.

How the Scam Works

The phishing campaign begins with a seemingly legitimate notification that appears to come directly from Google — specifically an “@google.com” address. The message tells the recipient they have a new task to complete. Because the notification looks like a standard Google Tasks alert, recipients are more likely to trust it at first glance.

The task message usually includes:

  • A sense of urgency by assigning a tight deadline
  • A high-priority label
  • A link that the user is prompted to follow immediately

When the user clicks on that link, they’re taken to a page that asks them to enter their corporate credentials to “verify their employee status”. Of course, the attackers’ real intention is to harvest those credentials for unauthorized access.

This tactic is particularly effective because the notification comes from a trusted source and appears in the user’s inbox like any other Google Tasks alert. Standard email filters and spam protections are often bypassed because the message leverages Google’s own services and reputation to slip through security defenses.

Why This Is a Security Concern

Phishing emails and scams are nothing new, but attackers are constantly evolving their tactics to make their messages more believable. Rather than forging email headers or spoofing domains, this campaign uses legitimate infrastructure to deliver the link, making it harder for automated protections to flag it.

Abuse of trusted platforms isn’t unique to this campaign: recent research has shown that attackers have exploited services like Google Classroom, Google Forms, and others to lure users into fake logins.

How Organizations Can Stay Safe

Kaspersky’s experts stress that phishing isn’t just about recognizing a bad email — it’s about fostering a strong cybersecurity culture. Some practical advice includes:

  • Educate employees about this specific kind of attack and others like it. Sharing materials on the common signs of phishing can make users less likely to fall for tricks.
  • Provide clear documentation listing only the approved tools and services your organization uses so that employees know what legitimate communications should look like.
  • Remind users that corporate credentials should only be entered on known internal systems, not on external pages linked from unexpected messages.
  • Employ robust mail filtering and dedicated security gateways to reduce how many potentially dangerous messages reach inboxes.
  • Ensure all devices and endpoints are protected with up-to-date security software to block access to known phishing sites.
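
As an added illustration of the mail-filtering and approved-services advice above (not code from Kaspersky or from the original article), the following Python example triages a notification by where its links lead rather than by who sent it. The allowlists, lure phrases, sender address and sample message are constructed assumptions, as is the premise that the notification body carries the link directly.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical policy values for illustration; replace with your organization's own.
TRUSTED_SENDER_DOMAINS = {"google.com"}
APPROVED_LINK_DOMAINS = {"google.com", "corp.example.com"}
LURE_PHRASES = ("verify your employee status", "high priority", "due today")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def in_domains(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def body_text(msg):
    """Concatenate all text/* parts, decoding any transfer encoding."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Score one RFC 5322 message; a trusted sender never exempts its links."""
    msg = message_from_string(raw_message)
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    text = body_text(msg)
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(text)}
    external = sorted(h for h in hosts if h and not in_domains(h, APPROVED_LINK_DOMAINS))
    lures = [p for p in LURE_PHRASES if p in text.lower()]
    trusted = in_domains(sender_host, TRUSTED_SENDER_DOMAINS)
    # Unapproved link plus lure wording: hold it. Unapproved link from a
    # trusted sender without lure wording: route to an analyst.
    verdict = ("quarantine" if external and lures
               else "review" if external and trusted else "deliver")
    return {"trusted_sender": trusted, "external_links": external,
            "lures": lures, "verdict": verdict}

# Constructed sample message (address, host and wording are made up).
SAMPLE = """\
From: Google Tasks <tasks-noreply@google.com>
Subject: New task assigned to you

High priority, due today. Verify your employee status: https://hr-portal.example.net/verify
"""
```

Calling `triage(SAMPLE)` returns a `quarantine` verdict even though the sender domain is trusted, because the link host is not on the approved list and the body matches the lure phrases.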

Final Thoughts

Phishing remains one of the most common — and effective — attack vectors for hackers, especially when they leverage trusted names like Google to disguise their activity. As attackers get more sophisticated, both individuals and organizations must stay vigilant, constantly updating their training, technical defenses, and awareness of emerging social engineering tactics. Recognizing that “trusted” doesn’t always mean “safe” is a key step in protecting sensitive data and credentials.