ITstuffed

AI-Powered Gmail Attacks Are Getting Harder to Spot. Here Is What Your Practice Needs to Know.

It is a Tuesday morning and one of your staff opens an email that looks exactly like a message from Google. The branding is right, the wording sounds familiar, and it is asking them to verify account access. They click the link. Within minutes, your Gmail account - and everything connected to it - is compromised.

This is not a hypothetical. AI is now being used to generate phishing emails that closely mimic legitimate communications from trusted sources like Google, banks, or even your own colleagues. The emails are personalised, grammatically correct, and increasingly hard to distinguish from the real thing. Around half of all phishing attempts now involve AI-generated content in some form.

For a professional services practice, the consequences go well beyond a hacked email account. Gmail connects to the rest of Google's ecosystem - shared drives, calendar, contacts, saved credentials. If someone gets into your Gmail, they may have access to client files, financial records, and internal documents you assumed were private. Under the NZ Privacy Act 2020, a breach involving client data carries real obligations, including notifying the Office of the Privacy Commissioner at privacy.org.nz if there is likely to be serious harm. That is not a process you want to be managing mid-week.

Beyond phishing, there are other threats worth knowing about. Attackers are exploiting security weaknesses in email platforms before fixes can be deployed - sometimes gaining access to accounts before anyone even knows the vulnerability exists. These are not the clumsy scam emails of a few years ago. They are targeted, fast, and often undetected until the damage has already been done. Understanding the ways hackers get into business accounts can help your team stay one step ahead.

The good news is that basic protective measures, applied consistently, significantly reduce your exposure. Multi-factor authentication - where logging in requires a second step like a code on your phone - stops most account takeover attempts even when a password has been stolen. Controlling which third-party apps have access to your Gmail, and removing the ones you no longer use, closes off another common entry point. Google also offers an Advanced Protection Program for accounts that need a higher level of security, which is worth considering for practice owners or anyone with access to sensitive client data. Most breaches are entirely preventable, and the role that passwords and MFA play in preventing them is hard to overstate.

The challenge for most small practices is not knowing what to do - it is making sure it actually gets done across every device and every person on the team. One staff member without multi-factor authentication is enough to create a gap. That is where managed IT support makes a practical difference. It takes the configuration and monitoring off your plate and makes sure the basics are in place consistently, not just on the devices of whoever got around to it.

If you have had a suspicious email or want to report a security incident, CERT NZ at cert.govt.nz is the right starting point for New Zealand businesses.

ITstuffed works with professional services practices across Canterbury on exactly this kind of security setup. If you want a quick read on how to think about your broader cyber security posture for your practice, our cyber security page covers what good looks like for a business your size. Or book a 15-minute IT Fit Check at /booking and we can take a look at where things stand.