Phishing Through AI? Hidden Email Prompts Can Trick Google’s Gemini

As AI tools become integrated into our daily workflows, customer experience professionals must remain aware of emerging risks. One such risk has just come to light: Google’s Gemini chatbot can potentially be manipulated to spread phishing attacks.

Gemini, part of Google Workspace, provides a host of features that automatically summarise the content of emails. It’s meant to save users time by extracting key points, especially in long or complex messages. But according to new research disclosed through Mozilla’s 0DIN bug bounty program, this convenience comes with an exploitable weakness.

Researchers discovered that malicious actors can embed invisible prompts in the body of an email to manipulate Gemini’s AI-generated summaries. These hidden instructions can trick Gemini into displaying false alerts in the summary, such as a warning that the user’s Gmail password has been compromised, along with a fake customer support number to call.

How the Attack Works  

The vulnerability exploits prompt injection, a type of adversarial attack targeting AI models. In this case, the attacker hides instructions inside the email using zero-size font and white text colouring, which make the text invisible to human readers. While the content isn’t visible to the recipient, Gemini still reads and processes it.

When the user clicks “Summarise this email,” Gemini includes the attacker’s fabricated alert in the summary. This could easily trick an unsuspecting reader into believing it’s an official Google warning, pushing them to take actions like calling a fake support line or clicking on a malicious link.

Google’s Response  

Google has acknowledged the vulnerability and responded swiftly. A spokesperson told PCMag that the company conducts regular red-teaming exercises to train its models to resist such attacks. They also confirmed that the specific exploit demonstrated by 0DIN has been patched, and no active cases of this method being used in real-world phishing attempts have been reported.

Additionally, Google published a blog post outlining its broader efforts to defend against “prompt injection” attacks across its AI services.

What This Means for Users and Security Teams  

For end users, especially those who rely on Gemini summaries to triage or prioritise emails, it’s important not to treat AI-generated summaries as gospel. Always read the full content of an email before acting on any urgent request or alert, even if it appears in the summary.

Security teams and CX leaders should consider implementing additional safeguards:

  • Flag emails containing zero-font or hidden text.
  • Train employees to be cautious with AI-generated summaries.
  • Educate teams about the potential manipulation of AI tools.
  • Monitor summaries for unexpected language or suspicious instructions.

This finding shows that AI tools can be manipulated just like any other system. While automation and summarisation features can improve productivity, they must be used with caution and supported by clear user training and awareness protocols.