Google's New Encrypted Email Feature Brings Security and Phishing Risks

Google is introducing an end-to-end encrypted email feature for business users aimed at enhancing email security and privacy. While this innovation simplifies encryption for organizations, it also opens new phishing risks, especially for recipients outside the Gmail ecosystem who receive encrypted email invitations. Experts warn scammers may exploit these invitations with fake links, making user vigilance crucial as this feature expands.

Published April 26, 2025 at 05:12 PM EDT in Cybersecurity

Google recently announced a new end-to-end encrypted email feature designed for business users within Google Workspace. This feature aims to enhance email privacy by encrypting messages so that only the sender and recipient can access the content, addressing a longstanding challenge in email security.

Currently in beta for enterprise users, the feature will soon allow Workspace users to send encrypted emails to any Gmail user and, by the end of the year, to any email inbox. This expansion makes end-to-end encryption more accessible without the usual complexity or IT overhead.

However, security researchers have raised concerns about phishing risks, particularly when encrypted emails are sent to non-Gmail users. In such cases, recipients receive an invitation link to view the encrypted message through a restricted Google Workspace interface. Scammers could exploit this by sending fake invitations with malicious links to steal login credentials.

This new workflow is unfamiliar to many users, increasing the risk of falling for phishing scams. Malwarebytes’ senior director of threat intelligence, Jérôme Segura, highlights that the novelty of these invitations makes users vulnerable to imposters mimicking legitimate messages.

Google’s approach involves the Workspace organization managing encryption keys rather than storing them locally on devices. While this deviates from strict end-to-end encryption definitions, it balances usability and security for business compliance needs. For individuals seeking robust encryption, dedicated apps like Signal remain recommended.

Within the Gmail ecosystem, Google’s spam filters and fraud detection systems will help protect users from phishing attempts. However, non-Gmail recipients lack these protections, leaving them more exposed to potential scams.

To mitigate risks, Google includes warnings on encrypted email invitations advising recipients to verify the sender’s identity before entering credentials. Despite these measures, past experiences with Google Drive and Docs scams show that combating impersonation outside Google’s ecosystem remains challenging.
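The advice above (verify who sent the invitation and where its link actually goes before entering credentials) can be partly automated on the recipient side. The script below is an added example written for this article, not Google's code or part of any Workspace tooling: it screens a message for invitation wording, for links outside an organization-configured allowlist of domains, for hosts that carry a brand name without belonging to a trusted domain, and for HTML anchors whose visible URL points to a different host than the real `href`. The `TRUSTED_SUFFIXES` values and both sample messages are constructed assumptions for illustration; the real invitation host is not stated in the article.

```python
"""Heuristic triage for encrypted-email invitation phishing (added example)."""
import re
from urllib.parse import urlparse

# Assumption: the organization's allowlist of domains under which legitimate
# invitation links are expected to appear (placeholder values, not Google's).
TRUSTED_SUFFIXES = ("google.com", "gmail.com")

# Brand tokens whose presence in an untrusted host suggests a lookalike domain.
BRAND_TOKENS = ("google", "gmail", "workspace")

# Phrases typical of an encrypted-message invitation (constructed list).
INVITE_PHRASES = ("encrypted message", "view encrypted", "secure message")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host: str) -> bool:
    """True if host is exactly an allowlisted domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def is_lookalike_host(host: str) -> bool:
    """True if host carries a brand token but is not under a trusted domain."""
    return not is_trusted_host(host) and any(t in host for t in BRAND_TOKENS)


def mismatched_anchors(html: str) -> list:
    """Anchors whose visible text is a URL on a different host than the href."""
    out = []
    for href, label in ANCHOR_RE.findall(html):
        shown = URL_RE.search(label)
        if shown and host_of(shown.group(0)) != host_of(href):
            out.append((href, shown.group(0)))
    return out


def analyse(message: str) -> dict:
    """Score one message; every field is derived from the message text alone."""
    lower = message.lower()
    invite = any(p in lower for p in INVITE_PHRASES)
    urls = URL_RE.findall(message)
    untrusted = sorted({u for u in urls if not is_trusted_host(host_of(u))})
    lookalike = sorted({u for u in urls if is_lookalike_host(host_of(u))})
    mismatched = mismatched_anchors(message)
    reasons = []
    if invite and untrusted:
        reasons.append("invitation wording with link outside trusted domains")
    if lookalike:
        reasons.append("brand lookalike host")
    if mismatched:
        reasons.append("link text host differs from href host")
    return {
        "invitation": invite,
        "untrusted_links": untrusted,
        "lookalike_links": lookalike,
        "mismatched_anchors": mismatched,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample messages (not real invitations); the path in the first
# one is a placeholder, since the article does not state the real invite URL.
LEGIT = ("Alice (alice@example.com) sent you an encrypted message.\n"
         "Open it here: https://mail.google.com/constructed-invite-path\n")
PHISH = ("Encrypted message waiting for you. Sign in to view encrypted content:\n"
         '<a href="https://accounts.google.com.login-verify.example/view">'
         "https://mail.google.com/</a>\n")

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("phish", PHISH)):
        print(name, analyse(msg))
```

The checks are deliberately conservative: a message is only flagged when invitation wording co-occurs with an off-allowlist link, or when a link is structurally deceptive (lookalike host or mismatched anchor), so ordinary mail that merely mentions encryption is not scored. A real deployment would also inspect authentication results (SPF, DKIM, DMARC) from the message headers, which this text-only example does not cover.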

Experts acknowledge the trade-off Google faces: either restrict encrypted emails to Gmail users or accept the phishing risks for non-Gmail recipients with added warnings. Given Google's trusted brand and the perceived security of end-to-end encryption, scammers are likely to exploit this feature as a phishing vector.

In conclusion, Google's new encrypted email feature represents a significant step toward improving email security for businesses. However, it also introduces new phishing challenges, especially for users outside the Gmail ecosystem. Organizations and users must remain vigilant and adopt complementary security practices to navigate this evolving landscape safely.