Date: 2026-02-27
Watch out - that Google Tasks email could be a scam, and land you in hot water at work
Hackers uncover a new legitimate tool to abuse
- Hackers are abusing Google Tasks to deliver phishing emails
- Fake tasks trigger legitimate Google notifications, bypassing spam filters
- Victims see trusted Google domain, but links lead to credential-stealing pages disguised as login screens
Hackers are exploiting Google’s to-do service to launch phishing attacks and bypass spam email filters.
Google Tasks is a simple task management app that comes as part of Google's Workspace suite, helping users organize and track to-do lists, and integrate them with Gmail, Google Calendar, and other Google services.
But a new Kaspersky report has warned that cybercriminals have started creating fake tasks and assigning them to people by adding their email addresses. When that happens, Google automatically sends out a notification to the email address added to the task, bypassing all email protections and landing directly in the victim’s inbox.
Countering the threat
When the victim opens the email, they will see it came from a legitimate Google domain, and that it follows the usual company email format. In the task’s description, however, there is a link that leads to a malicious landing page.
The landing page is designed to look like the regular Google login page, and people who click the link - especially those who are in a hurry - most likely won’t see the page as anything unusual.
Those who try to log in this way will relay their credentials to the attackers, who can then take over their entire Google account and all the data found there.
This is not the first and definitely won’t be the last legitimate service being abused in phishing campaigns. Cybercriminals used to do the same thing with Calendar. By setting up fake meetings and sending notifications to people, they were able to abuse legitimate domains to bypass filters and land the emails in inboxes.
To counter this, and similar threats, Kaspersky recommends that users be wary of all incoming email messages, regardless of the sender’s address, and carefully inspect all URLs before clicking. It also warns against calling phone numbers in these emails.
“If you need to call support of a certain service, it is best to find the phone number on the official webpage of this service,” the researchers stressed.
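Because the sender domain is genuine, the useful check is on the links inside the notification rather than on the sender. The sketch below is an added example, not code from Kaspersky or Google: it flags links in a Google-sent notification whose host is not under a Google domain. The sample message, the sender address, the URLs and the one-entry allowlist are all constructed assumptions, and the From header is assumed to have passed SPF/DKIM/DMARC upstream.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains treated as Google-owned; extend for your environment.
TRUSTED_DOMAINS = {"google.com"}

# Constructed sample notification (not a real message); sender and URLs are made up.
SAMPLE = """\
From: Google Tasks <noreply@google.com>
To: employee@corp.example
Subject: You have been assigned a task
Content-Type: text/plain; charset="utf-8"

A task was assigned to you: "Verify your employee account".
Details: https://accounts.google.com.verify-login.example/signin
Open in Tasks: https://tasks.google.com/task/abc123
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_trusted(host):
    """True only for a trusted domain or a subdomain on a label boundary."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def off_domain_links(raw_message):
    """Return links in a Google-sent message that point outside Google."""
    msg = message_from_string(raw_message)
    # Assumes sender authentication was already verified upstream.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_trusted(sender_domain):
        return []  # not a Google notification; other controls handle it
    flagged = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            # Compare the parsed hostname, not the raw string, so a host
            # that merely starts with "accounts.google.com" is still flagged.
            if not is_trusted(urlsplit(url).hostname):
                flagged.append(url)
    return flagged


if __name__ == "__main__":
    print(off_domain_links(SAMPLE))
```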
