Watch out - that Google Tasks email could be a scam, and land you in hot water at work

Hackers uncover a new legitimate tool to abuse

· TechRadar

By Sead Fadilpašić, published 27 February 2026



  • Hackers are abusing Google Tasks to deliver phishing emails
  • Fake tasks trigger legitimate Google notifications, bypassing spam filters
  • Victims see trusted Google domain, but links lead to credential-stealing pages disguised as login screens

Hackers are exploiting Google’s to-do service to launch phishing attacks and bypass spam email filters.

Google Tasks is a simple task management app that comes as part of its Workspace suite, helping users organize and track to-do lists, and integrate them with Gmail, Google Calendar, and other Google services.

But a new Kaspersky report has warned that cybercriminals have started creating fake tasks and assigning them to people by adding their email addresses. When that happens, Google automatically sends out a notification to the email added in the task, bypassing all email protections and landing directly in the victim’s inbox.

Countering the threat

When the victim opens the email, they will see it came from a legitimate Google domain, and that it follows the usual company email format. In the task’s description, however, there is a link that leads to a malicious landing page.

The landing page is designed to look like the regular Google login page, and people who click it - especially those who are in a hurry - most likely won’t see it as anything unusual.

Those who try to log in this way will relay their credentials to the attackers, who can then take over their entire Google account and all the data found there.

This is not the first, and definitely won’t be the last, legitimate service to be abused in phishing campaigns. Cybercriminals used to do the same thing with Calendar. By setting up fake meetings and sending notifications to people, they were able to abuse legitimate domains to bypass filters and land the emails in inboxes.
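Because the notification really does come from Google, a sender-based check cannot catch it; the link in the task description is the part to inspect. The following is an added example, not code from the article or from Kaspersky: a Python mail-processing check that flags links in a Google-sent message whose host is not Google's. The domain allowlist, the function names and the sample message are assumptions made for illustration, and the check assumes the message has already passed your gateway's sender authentication.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains your organisation treats as Google-owned (tune locally).
GOOGLE_DOMAINS = ("google.com", "gstatic.com", "googleusercontent.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def is_google_host(host):
    """True only for an exact match or a real subdomain, never a substring."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)

def off_domain_links(raw_message):
    """Return links in a Google-sent message whose host is not Google's."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1]
    if not is_google_host(sender.rpartition("@")[2]):
        return []  # not a Google notification; other filters handle it
    flagged = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;)")  # drop trailing sentence punctuation
            if not is_google_host(urlsplit(url).hostname) and url not in flagged:
                flagged.append(url)
    return flagged

# Constructed sample notification (addresses and links are placeholders).
SAMPLE = """\
From: Google Tasks <noreply@google.com>
To: employee@example.org
Subject: A task was assigned to you
Content-Type: text/plain; charset="utf-8"

You have a new task: Review policy update
Details: sign in at https://login.example.net/google/signin to confirm.
Open in Tasks: https://tasks.google.com/
"""

if __name__ == "__main__":
    for link in off_domain_links(SAMPLE):
        print("off-domain link in Google notification:", link)
```

A hit is a reason to quarantine or banner the message for review, since legitimate tasks can also contain external links.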
