
Is That Really Google? Inside the Subpoena Phishing Scam & How To Stay Safe

Lorena Nessi

Key Takeaways

  • Attackers can use subpoena alerts to exploit official-looking platforms.
  • Sophisticated phishing attacks can use legal or generally trusted sources, such as Google, to create fake portals, bypass spam filters, and appear legitimate to users.
  • Staying proactive with security is essential in safeguarding assets in Web3.
  • Education and awareness of scam tactics are the best defense against subpoena phishing scams.

Nick Johnson, a senior developer who helped build Google App Engine, was targeted by “an extremely sophisticated phishing attack” that used Google services to deliver a fake subpoena alert.

Johnson quickly informed other users about the intricate details of the attack on X. What seemed suspicious to a developer could have seemed normal to the average user.

This article explains what a Google phishing scam is, specifically using what seemed to be a credible subpoena alert. It covers how scammers use different tactics, common red flags to spot real examples of phishing attacks, and tips to protect users. It also outlines best security practices for staying safe in Web3.

What Is a Subpoena Phishing Scam?

A fake subpoena scam is a phishing attack where scammers impersonate legal authorities, such as courts, law enforcement, or even companies, to trick individuals into revealing personal information, making payments, or taking harmful actions. These scams can also occur when scammers pose as trusted companies or entities to deceive users into disclosing sensitive details.

A sophisticated phishing campaign is exploiting Google’s own tools to deceive users into surrendering their credentials. Attackers are sending deceptive emails that appear to come from “[email protected],” warning recipients of a fake subpoena related to law enforcement accessing their Google Accounts. 

The scam uses Google Sites to host the spoofed web pages. The attackers do not break DKIM (DomainKeys Identified Mail) checks; they embed the phishing text in the app-name field of a Google tool, so Google itself generates and signs a genuine security-alert email that carries that text, and the message passes DKIM because it really was sent by Google.

In subpoena scams, victims receive an email or message that appears to be an official subpoena or legal notice. The message often threatens severe consequences, like fines, legal action, or arrest, if the recipient fails to comply. 

These emails typically include links to fraudulent websites or attachments that seem urgent. The fake sites may prompt victims to enter sensitive information, such as login credentials, social security numbers, or financial details.

Why Would Google Notify You About a Subpoena?

Google itself doesn’t issue subpoenas. However, Google can receive a subpoena and be compelled to provide user data. 

If your Google account data is requested by law enforcement or a court via subpoena, court order, or warrant, Google may be legally required to provide certain information. In some cases, they are also required to notify you—especially if:

  • The subpoena does not come with a gag order, and
  • Notifying you does not jeopardize an investigation.

This notification serves to inform you that your data has been requested, and sometimes gives you a chance to challenge it in court before the data is handed over.

What Happened in the Google Subpoena Phishing Scam?

Johnson explained that he first noted a valid, signed email that “really was sent from [email protected]. It passes the DKIM (DomainKeys Identified Mail) signature check, and Gmail displays it without any warnings — it even puts it in the same conversation as other, legitimate security alerts.”

The subpoena phishing email used Google’s infrastructure to appear authentic, allowing it to bypass spam filters and land directly alongside real security notifications.

Johnson revealed that the subpoena attack directed him to a fraudulent portal hosted on a trusted Google subdomain. The attackers used Google Sites, an older platform that allows user-generated pages under the google.com domain.

By exploiting Google Sites, the attackers made the fake portal seem credible, leaving users with little reason to doubt its legitimacy.

Clicking on links such as “Upload additional documents” or “View case” redirected users to a page that closely resembled Google’s real login screen. Johnson explained that the main giveaway was the domain itself:

“The only hint it’s a phish is that it’s hosted on http://sites.google.com instead of http://accounts.google.com.”

This subdomain difference works much like typosquatting, a common tactic in which attackers rely on slight variations of legitimate URLs to deceive users. Here it was the only visible clue that the login page was a trap designed to harvest account credentials.

10 Red Flags to Spot a Fake Google Subpoena 

Here are 10 warning signs to help you identify and avoid this scam:

  1. Slight spelling errors: Scammers replace letters with numbers or similar-looking characters, such as “g00gle.eth” instead of “google.eth.”
  2. Typos and grammatical errors: Poor spelling or grammar on websites, messages, or emails signals unprofessional or fake communication.
  3. Weird characters: Some fake Ethereum Name Service (ENS) names use hidden symbols or non-English letters that are hard to notice.
  4. Inconsistencies in design and branding: Look for pixelated logos, wrong color schemes, outdated layouts, or mismatched branding compared to the real service.
  5. Urgent wallet prompts: Fake websites often create urgency to rush users into connecting wallets or approving transactions without thinking.
  6. Random connection requests: Unexpected prompts to connect a wallet should raise immediate suspicion.
  7. No HTTPS: A missing or invalid HTTPS connection shows the site is not secure and should not be trusted.
  8. No official verification: Legitimate domains usually link to verified websites or social media accounts, while fake domains often lack trusted references.
  9. Demands for your seed phrase or private key: No legitimate service will ever ask for a private key or seed phrase. Any request for this information is a major red flag.
  10. Unusual transaction amounts or gas fees: Watch out if a site or contract asks for odd or unusually high gas fees, which can signal a malicious attempt to drain a wallet.

Spotting even one of these red flags should prompt users to stop interacting immediately and verify the source through official channels.
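The sites.google.com versus accounts.google.com giveaway described above, and red flags 1, 3 and 7 from the list, can be checked mechanically. The following is an added example (not code from the article or from Google) that parses a constructed alert email, reads the DKIM result the receiving server recorded, and flags every link in the body that points at a user-generated-content host, lacks HTTPS, uses non-ASCII characters, or is a google look-alike; the sender address, DKIM selector and paths in the sample are placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

USER_CONTENT_HOSTS = {"sites.google.com"}  # anyone can publish pages under this host
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DKIM_RE = re.compile(r"dkim=pass[^;]*?header\.[di]=@?([\w.-]+)")
# Constructed sample modelled on the alert the article describes; sender, DKIM
# selector and paths are placeholders, not values taken from the real campaign.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.i=@google.com header.s=sel
From: Google <alerts@google.com>
Subject: Security alert
Content-Type: text/plain; charset=utf-8

A subpoena was served on Google for your account. View case:
https://sites.google.com/view/legal-case-00000/
Sign in: http://accounts.g00gle.example/signin
"""

def dkim_signer(msg):
    """Domain whose DKIM signature the receiving server verified, or None."""
    m = DKIM_RE.search(msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else None

def check_url(url):
    """Red flags for one link; an empty list means nothing obvious was found."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    flags = []
    if p.scheme != "https":                       # red flag 7: no HTTPS
        flags.append("no HTTPS")
    if not host.isascii():                        # red flag 3: hidden/non-English letters
        flags.append("non-ASCII characters in hostname")
    if host in USER_CONTENT_HOSTS:                # the sites.google.com giveaway
        flags.append("hosted on a user-generated-content domain")
    is_google = host == "google.com" or host.endswith(".google.com")
    if re.search(r"g[o0]{2}gle", host) and not is_google:  # red flag 1: g00gle
        flags.append("look-alike of google.com")
    return flags

def triage(raw_message):
    """DKIM signer plus every body link that raises at least one red flag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content() if part else ""
    links = {u: check_url(u) for u in URL_RE.findall(text)}
    return {"dkim_signer": dkim_signer(msg),
            "suspicious_links": {u: f for u, f in links.items() if f}}
```

Running `triage(SAMPLE)` shows the point of the article in one result: DKIM genuinely passes for google.com, yet both links are flagged, so a DKIM pass alone is no reason to trust the message.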

What a Real Google Subpoena Notice Looks Like

A legitimate subpoena notice from Google is sent from an official Google email address, typically ending in @google.com, such as [email protected]. The language used is formal and precise, often referencing the specific legal process involved—such as a subpoena, court order, or search warrant. 

These notices will clearly identify the law enforcement agency or court requesting the information, often including a case number, jurisdiction (like the Northern District of California), and a brief summary of the legal basis for the request.

Google’s legal notice will also inform the user of any rights they may have to challenge the data request, including a specific response deadline. If no gag order is in place, Google may allow time for legal objections before disclosing any information. 

The email typically contains contact information for Google’s Legal Support team, and may include links to official support resources hosted on Google-owned domains like support.google.com.

Crucially, a real subpoena notice will never urge users to click suspicious links, request access to cryptocurrency wallets, ask for passwords, or demand immediate action under pressure. Instead, it provides clear next steps and encourages users to seek legal counsel if needed.

Real Examples of Disguised Phishing Attacks in Crypto

The following are some recent examples of how scammers have exploited crypto users and deceived them into losing funds:

Email Phishing

Scammers targeted domain owners with fake “expiration” emails and directed them to counterfeit renewal sites. Victims unknowingly lost funds by providing sensitive information on these fraudulent sites. Attackers took advantage of the high value placed on Ethereum Name Service (ENS) domains by impersonating official notifications of domain expirations.

Uniswap Founder Impersonation

Scammers registered domains mimicking legitimate wallet addresses. Their goal was to trick users into sending funds to these fraudulent addresses. Hayden Adams, the founder of Uniswap, raised awareness about the issue and called for better filtering mechanisms in wallet interfaces to help prevent such scams.

How To Protect Yourself From Phishing Attacks in Crypto

To protect your crypto assets from phishing scams, including fake subpoena alerts, you should consider these essential security practices:

  • Active skepticism: Scammers often create urgency to rush decisions. Users should always question prompts like “your domain is expiring now” or “claim your airdrop immediately!”
  • Using browser extensions for security: Trusted extensions that detect phishing sites and malicious smart contracts are always a good option to consider.
  • Updating software: Users should regularly update their operating system, browser, and wallet software to protect against known vulnerabilities.
  • Social media caution: Scammers often impersonate legitimate projects or individuals. It is crucial to always verify through official channels.
  • Checking the sender’s email address: Phishing emails may come from a look-alike address slightly different from the legitimate one. It is advisable always to double-check the sender’s domain.
  • Caution with attachments: Users should never open attachments from unknown or suspicious sources, especially if they claim to be legal documents.
  • Verifying legal messages through official channels: If a user receives a subpoena-like email, they should contact the court or organization using official contact details to confirm its legitimacy.
  • Look for poor formatting: Many phishing emails have inconsistent fonts, logos, or odd formatting that legitimate organizations would avoid.
  • Avoid clicking on links: Users should hover over links to verify their destination. It is essential to avoid clicking links in unsolicited emails or messages.
  • Educate yourself: Scammers often make spelling, grammar, or phrasing errors that legitimate companies would avoid. Users should be cautious if they spot unprofessional communication, which can indicate a fraudulent attempt. An X user demonstrated this by sharing the supposed Google message about the fake subpoena, which contained such errors.

Staying Safe in Web3: Best Security Practices for Crypto Users

When navigating Web3, users must follow these proactive security practices to protect assets and avoid scams:

  • Protecting private keys: Users must never share private keys or seed phrases. Using hardware wallets to store long-term assets securely is a good practice.
  • Being cautious with dApps: Users should only interact with decentralized applications (dApps) that have been thoroughly reviewed and trusted by the community. Avoiding unverified platforms helps reduce risks.
  • Using a hardware wallet: A hardware wallet adds extra security for significant holdings by keeping private keys offline and requiring physical transaction confirmation.
  • Using multi-signature wallets: Users should use multi-sig wallets, which require multiple approvals before funds can be moved, providing additional security for managing assets.
  • Revoking unnecessary wallet permissions: Users may grant permissions to various dApps over time. Periodically reviewing and revoking unnecessary permissions limits exposure to compromised dApps.
  • Isolating Web3 activities: Users should consider using a dedicated browser profile or a separate device exclusively for crypto interactions for additional security. This approach reduces risks from malware and phishing attempts.
  • Verifying smart contract addresses: To ensure legitimacy, users must verify the smart contract address through official documentation, block explorers, or community discussions before interacting.
  • Understanding transaction simulation tools: Some wallets provide transaction simulation features. Users should use these tools to confirm the tokens sent or received before signing any transaction.
  • Being wary of giveaways and contests: Fake giveaways are common in Web3. If an offer seems too good to be true, it likely is. Users should always verify the authenticity of such events through official channels.
  • Securing communication channels: Scammers often impersonate legitimate entities on platforms like Telegram, Discord, or X. Verifying the authenticity of individuals before sharing sensitive information is essential. 
  • Strong password management: Users must use unique passwords for all crypto-related accounts and enable two-factor authentication (2FA) wherever possible. Using a reputable password manager helps keep credentials secure.
  • Caution with legal threats: If a user receives an unsolicited legal notice, like a subpoena, verifying its authenticity through official channels is essential. Scammers often use fake legal messages to steal personal or financial information.

The main recommendation is to stay informed and educated to avoid scams, including fake subpoena alerts. Users should follow reputable news sources and security blogs to stay ahead of the latest threats.

Conclusion

In summary, some phishing scams, like subpoena phishing attacks, exploit users’ trust to steal funds.

Users must stay vigilant by verifying sources, email and wallet addresses, revoking unnecessary permissions, and using secure practices like hardware and multi-sig wallets. 

Keeping software updated and staying informed about emerging threats will help safeguard against these scams in Web3. Keep on educating yourself about tech and the crypto space. 

FAQs

How can I identify a subpoena phishing scam?

Look for suspicious senders, urgent language, unfamiliar links, unexpected attachments, and errors in the email. Always verify through official channels before taking action.

How do ENS scams specifically target Ethereum users?

Scammers exploit the trust placed in ENS domains by creating fraudulent addresses that resemble legitimate ones. Users, believing they are interacting with trusted entities, unknowingly send funds to malicious wallets.

What is the difference between subpoena phishing scams and regular phishing scams?

Subpoena phishing scams target users by mimicking official platforms, typically related to legal authorities, law enforcement, or courts. These scams use fraudulent messages that appear to be subpoenas, legal notices, or court orders to trick recipients into taking action, such as clicking links or providing sensitive information.

What role does social media play in spreading ENS phishing scams?

Scammers often use social media platforms to impersonate legitimate projects or individuals. By posting fake offers or phishing links, they prey on users’ trust in these platforms, making it easy for them to lure victims into clicking on malicious links.
