At the beginning of April, Google announced the launch of a streamlined tool designed to let business users send “end-to-end encrypted” emails. The initiative aims to address a long-standing challenge: strengthening the security protections available for email messages. The feature is currently in beta for enterprise users to test within their own organizations; it will later be extended so that Google Workspace users can send end-to-end encrypted emails to any Gmail user, and by the end of the year it will let Workspace users send secure emails to any inbox. However, researchers who study email spam and digital fraud caution that, despite its benefits for email privacy and security, the feature may also open the door to new phishing attacks.
End-to-end encryption safeguards data by keeping it scrambled, except on the sender’s and recipient’s devices, and is challenging to integrate with traditional email protocols. Implementing such mechanisms is typically complex and expensive, suitable mainly for large organizations aiming for specific compliance requirements. In contrast, Google’s tool is user-friendly and requires minimal IT resources. Researchers have expressed concern regarding scenarios where a Workspace user sends an encrypted email to a non-Gmail user.
According to a Google blog post, when the recipient is not a Gmail user, they receive an invitation to view the encrypted email in a restricted version of Gmail. They can then use a guest Google Workspace account to securely view and reply. The concern is that scammers could exploit this secure communication method by creating fake invitations with malicious links, potentially tricking targets into entering their login credentials.
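As an added illustration of the kind of check a non-Gmail organisation could run on incoming “view encrypted email” invitations (this is not Google's code; the trusted host, the link wording and the sample message are constructed assumptions, since the page does not give the real invitation format), a Python routine that flags invitation-style links pointing anywhere other than an https URL on a trusted host:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed trusted host for genuine invitations (Google's real URL format
# is not given on the page; this allowlist is illustrative).
TRUSTED_HOSTS = {"google.com"}
INVITE_WORDS = ("encrypted", "secure message")

class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def _host_trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)

def suspicious_invites(html):
    """Return hrefs whose anchor text promises an encrypted-mail invitation
    but which are not https links to a trusted host (e.g. lookalike domains)."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if not any(w in text.lower() for w in INVITE_WORDS):
            continue  # ordinary link, e.g. an unsubscribe footer
        url = urlparse(href)
        if url.scheme != "https" or not _host_trusted(url.hostname or ""):
            hits.append(href)
    return hits

# Constructed sample body: one genuine-looking link, one lookalike domain.
SAMPLE = (
    '<a href="https://mail.google.com/invite/abc">View encrypted message</a>'
    '<a href="https://mail-google.example-login.com/view">View encrypted message</a>'
    '<a href="https://example.com/unsubscribe">Unsubscribe</a>'
)
```

Run `suspicious_invites(SAMPLE)` to see only the lookalike link reported; the check is a mail-gateway or user-education aid, not a replacement for verifying the invitation out of band.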
Jérôme Segura, senior director of threat intelligence at Malwarebytes, noted that Google’s implementation introduces a new workflow for non-Gmail users, who may not be familiar with legitimate invitations, making them more vulnerable to fraudulent ones.
Given the technical limitations of email, Google developed a system for an organization’s Workspace to manage keys automatically, a significant challenge in end-to-end email encryption. Although the Workspace-controlled keys mean the feature may not strictly qualify as end-to-end encryption, researchers indicate that it could be highly useful for business compliance purposes. For individuals seeking truly end-to-end encrypted communications, a purpose-built app like Signal is recommended.
When Gmail users receive encrypted emails from a Google Workspace user, Google’s dynamic spam filters and fraud detection mechanisms will still apply to protect against threats. However, email users outside the Google ecosystem can also receive encrypted email invitations, which makes the service widely accessible but leaves non-Google users to rely on their own defenses.