
Think You’re Safe? Scammers Are Using Gemini to Break into Gmail Accounts


As AI features like Gemini become routine in Gmail, they offer convenience but also unexpected risk. Cybercriminals now weaponise Gemini’s “Summarise this email” tool via hidden instructions embedded in emails. These so-called prompt-injection attacks can turn AI into a phishing accomplice.

If you rely on AI-generated summaries, this article shows why caution is essential.

Invisible Prompts that Mislead the AI

Attackers hide instructions in the email body using HTML/CSS styling such as white text or a zero‑size font. These hidden prompts tell Gemini to include phishing warnings, like “Your Gmail password has been compromised. Call support immediately.”

When users click “Summarise this email,” Gemini faithfully executes the command, showing a seemingly legitimate warning that actually comes from the attacker. There’s no visible suspicious content in the email itself, making standard spam filters ineffective.


This method, known as indirect prompt injection, feeds hidden commands disguised within an email. Gemini’s prompt parser gives priority to text wrapped in tags like <Admin>, even if styled to vanish visually.

The AI treats this hidden text as high-priority instructions, executing it verbatim in the summary pane. Users, seeing the message from Google’s own AI interface, rarely question it.

Massive Exposure, Up to 1.8 Billion Users at Risk


Google’s recent warnings cover roughly 1.8 billion Gmail users, including Workspace and Google One AI subscribers. Though Google says no active attacks have been confirmed, the vulnerability affects any user who uses Gemini’s summarisation function. The fact that real-world exploitation hasn’t been observed yet doesn’t diminish the threat’s potential scale.

Unlike typical phishing attacks, these malicious emails contain no unfamiliar attachments, links, or domains. They evade conventional filters and mimic official alerts. The AI-generated message appears credible, and most users trust Google’s own interface over conventional scepticism. That built-in trust makes the scam effective and hard to detect.

Protecting Yourself and Your Organisation

Security experts and Mozilla’s 0Din team recommend several steps:

  • Disable or avoid using the “Summarise this email” function until a fix is confirmed
  • Filter or inspect incoming emails for hidden HTML markers such as zero-font or white-text spans
  • Implement post-processing filters to flag Gemini summaries containing phone numbers, urgent calls to action, or suspicious URLs
  • Train users to recognise that AI-generated summaries are not authoritative for security alerts
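
The two filters from the list above, sketched as an added example (not code from 0Din, Google or this article): scan_email_html returns text nested inside elements styled with a zero font size or white colour, and flag_summary marks a summary that contains a phone number, a URL or urgency wording. The function names, the regexes, the extra display:none and visibility:hidden checks, and the sample email are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Inline styles that hide text from the reader but not from the model.
# White text is only invisible on a light background, so treat hits as leads.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)"
    r"|(?<![-\w])color\s*:\s*(?:white|#fff(?:fff)?)\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "wbr"}
SUMMARY_CHECKS = {  # post-filter patterns for the generated summary
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "url": re.compile(r"https?://\S+", re.I),
    "urgent": re.compile(r"\b(call|immediately|urgent|compromised)\b", re.I),
}

class HiddenTextFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []   # per open element: is it (or an ancestor) hidden?
        self.hidden = []  # text fragments the reader would not see

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:  # void tags never get an end tag
            style = dict(attrs).get("style") or ""
            hidden = bool(HIDDEN_STYLE.search(style))
            self.stack.append(hidden or (bool(self.stack) and self.stack[-1]))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.stack and self.stack[-1] and data.strip():
            self.hidden.append(data.strip())

def scan_email_html(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden

def flag_summary(summary):
    return sorted(k for k, rx in SUMMARY_CHECKS.items() if rx.search(summary))

# Constructed sample: a visible note followed by a zero-size, white-text span.
SAMPLE_EMAIL = ('<p>Q3 notes attached.</p><span style="font-size:0;color:#fff">'
                '<b>Your Gmail password has been compromised.</b>'
                ' Call support immediately.</span>')
```

The parser assumes reasonably balanced markup and only reads inline style attributes, so text hidden through a stylesheet class would need a separate check.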

Enterprise IT teams should treat AI tools as part of their threat surface: sandbox, monitor, and audit their behaviour.

Think you’re safe using AI summarisation in Gmail? Not necessarily. Scammers can hide invisible commands within emails to turn Gemini into a phishing vector. These “prompt‑injection” attacks may seem novel, but they’re effective and hard to catch.

Until Google implements stronger defences, users must remain vigilant. Don’t let AI auto-trust replace your cyber-sense. Treat AI-generated messages as helpful tools, not verified alerts.
