Google’s Gmail Upgrade—Why You Need A New Email Address In 2025

Republished on December 25 with the implications of responses to a new U.S. government warning and advice on staying safe on Gmail and changing your email address in 2025.

Your inbox is under attack. The FBI has issued yet another warning ahead of the holidays, highlighting an alarming surge in email and website threats, just as multiple cyber reports claim this is the most dangerous holiday season yet. Even though Google “blocks more than 99.9% of spam, phishing and malware in Gmail,” it’s not enough. But now change is on the way. And for Gmail’s 2.5 billion users, 2025 looks like being the year your email address should finally change.

“With more than 2.5 billion users,” Gmail, the world’s largest email provider, is now deploying “ground-breaking AI models [to] significantly strengthen Gmail cyber-defenses, including a new LLM trained on phishing, malware and spam.” But as McAfee has just warned, that AI revolution works both ways. “As AI continues to mature and become increasingly accessible, cybercriminals are using it to create scams that are more convincing, personalized, and harder to detect.”

ForbesNew iPhone, Android Warning—Do Not Install These AppsBy Zak Doffman

Email remains an appallingly basic technology. Despite all its advances, the core architecture remains the same. Anyone can access anyone else’s inbox with just an email address. Those addresses are basically given away for free—harvested, leaked, stored, searchable. This month, Mailmodo says, “spam messages [will] account for more than 46.8% of email traffic.”This is why enterprises are looking for new solutions—Teams, Slack, even instant messaging platforms. because even with all the advances and the “outside sender” and “untrusted sender” warnings, too many emails get through.

The answer is to restore some semblance of address security and not give away real email addresses like confetti—a situation made worse given email address are often a primary user credential alongside passwords to log into sites and services. Apple has tried to address this with Hide My Email, “to keep your personal email address private… you can generate unique, random email addresses that forward to your personal email account, so you don’t have to share your real email address when filling out forms or signing up for newsletters on the web, or when sending email.”

And as I reported in November, Google is developing something similar for Gmail. Discovered by Android Authority in an Android APK teardown, “Shielded Email consists of a system to create single-use or limited-use email aliases that will forward messages along to your primary account.”

This is a major step forwards and you should make use of this when it arrives—as should Apple users now. Just look at one warning issued to marketeers when Hide My Email was released: “Now users can create a limitless number of fake addresses they don’t even check, dramatically reducing engagement. And, worse still, they can easily deactivate them without affecting their primary email, meaning marketing databases could be full of ‘dead’ addresses. This is important because a low deliverability rate can affect sender reputation, meaning your carefully crafted campaign ends up in spam.”

While Google assures that “by spotting patterns and responding rapidly, [its Gmail] LLM alone blocks 20% more spam than before and reviews 1,000 times more user-reported spam daily,” the threat will get worse again in 2025. McAfee says that “AI is giving cybercriminals the ability to easily create more personalized and convincing emails and messages that look like they’re from trusted sources, such as banks, employers, or even family members. They can craft these scams quickly and with precision, making them more difficult to detect and increasing their success rate. As AI tools become more accessible, these types of attacks are expected to grow in sophistication and frequency.”

Email must change—and not just by improving central screening technologies. We need a radically different approach to include the following:

1. On-device AI to flag spam and malicious email that has made it through central screening to inboxes. Too many emails still make it though, even though the actual email address and the presentational “sender” address don’t match, with the latter a clear impersonation. How is it possible in 2024 that my inbox contains emails from ‘Apple Support’ or ‘X verification,’ when the senders have random email addresses such as ‘sayio[at]hosai.co.jp’.
2. A better opt-in, known sender solution—mimicking secure messaging. Even the differentiation of trusted and unknown senders is too basic. There needs to be better deployment of AI or an easy-button for user to opt into a trusted discussion and advocate for a sender.
3. Rather than upping the ante centrally, email security needs to do a better front-end (device-side) job. This is where safe browsing and malware defenses are now heading, making use of new device AI processing. Email needs a complete rethink to do the same.

When Elon Musk (again) teased that he may launch an Xmail platform to take on Gmail, the blending of email and messaging featured front and center. The sweet spot is the universal compatibility of email without the mess. When one X post suggested that cutdown approach, Musk responded: “That’s exactly what we are going to do.”

But that opt-in or trusted sender filter remains critical, as it’s that which opens inboxes to the world and sets email apart from closed messaging alternatives.

Gmail isn’t the only such challenge facing Google users. The other is RCS, which has been making continual headlines this month following an FBI warning for users to stop sending insecure RCS texts between Androids and iPhones. As Android Police asked on Monday, “did RCS messaging open up the spam floodgates?”

RCS is fast becoming a marketing sensation, just as with email the value is that you can access anyone with just their phone numbers. There’s no real universal marketing filter, and because this is a standard cellular protocol, no-one is really running the show, because it’s a collective. It then falls to the RCS compliant messaging apps to apply a front-end filter—just as with email—which should work but doesn’t—yet.

“Mobile spam has evolved alongside messaging technology, and RCS may have worsened things,” Android Police says, and while “email scams were cheaper, easier, and more effective than SMS scams in the past,” RCS has changed all that now. The answer, the report says, is that “RCS spam can’t be eliminated. We can only rely on good security and spam filtering.” Unfortunately, that’s just like email.

This is interesting because it provides a timely parallel to email, pitching the standard (SMS/RCS) with its spam and security challenges with newer (albeit not new) alternatives that take control of the end-to-end experience, and provide a simpler, more secure user experience.

And the scale of the RCS spam threat is huge—the risk being that it becomes just like email, making the underlying technology almost unusable as a daily messenger. Last month, Juniper Research reported a 50% year-on-year hike. “RCS business messaging traffic will reach 50 billion messages globally in 2025; Apple’s first full year of support for the technology. This represents a single-year growth from 33 billion in 2024.”

WhatsApp and other over-the-top messengers are not immune from spam, but it’s significantly less of a problem. And the platforms can easily police what’s sent out and by who, and the controls they provide users to filter this out. Moving from SMS/RCS to an over-the-top is exactly the kind of clean start you can attempt with a clean email address. But it’s much easier.

“RCS spam can’t be eliminated, Android Police says. “We can only rely on good security and spam filtering. Recent advancements in deciphering spam through AI have led to improvements, and there is potential for significant spam reduction in the near future. Fine-tuned large language models (LLM), along with natural language processing (NLP), are positioned to surpass current spam detection systems and will make their way to RCS messaging. There’s more to RCS chat than E2EE and spam filtering, so seeing how Google and the GSMA tackle this still-growing problem will be interesting.” Again, it’s just like the tinkering approach to spam on Gmail and the other leading platforms, rather than the fundamental rethink needed.

And so, when Musk teases the idea of a new platform that zeroes out the slow evolution to the mess we have today with something that can start with privacy and usability and simplicity in mind, it’s interesting. In reality we don ‘t need something this drastic, and the transition would be woefully complex.

ForbesForget Chrome—Google Starts Tracking All Your Devices In 8 WeeksBy Zak Doffman

In the meantime, take control. Yes, you need to use Hide My Email or Gmail’s new Shielded Email as soon as it’s available to create new addresses. But if you have an email address that has been around for years, then it has become a honey trap for spam and worse. It’s time for something new, a primary email address you will better protect through multiple throw-away, masked addresses, without giving that primary address away. You can slowly migrate from one account to the other, and in the meantime use folders, rules and forwarding to capture emails to your old address.

Using new email masking technologies is undermined if the primary address they link to has already been extensively harvested, sold and leaked. With 2025 just days away and threats surging, perhaps make email housekeeping one of your New Year resolutions and think about the risks associated with the addresses you’re using now.

It’s an unhelpfully tough environment these days, for regular users to determine right from wrong and to pick the right advice to follow. Just look at the latest advice on X from CISA’s Jen Easterly, with a simple set of recommendations to help Americans stay safe as the holidays began: “This holiday season, Easterly posted, “Lock your devices, avoid public Wi-Fi, keep your accounts secure. ‘Tis the season to stay safe online!”

A quick scan of the comments below her post tells us all we need to know. There’s nothing simple or straightforward these days. Even simply advice is open to question and criticism. And for non-expert users taking an interest and looking to do the right thing, it’s easy to become confused.

So what approach should you take?

Well, on the specifics of Easterly’s comments. Public Wi-Fi in regular places is usually okay. But make sure you only access encrypted sites, use a VPN if you’re at all concerned, and don’t ever break any of the rules around links and downloads. That includes any links or installs from the internet access splash pages that might show up.

Keeping devices locked and accounts secure is common sense. And that’s the crux for everyone reading this and taking an interest. You will know whether your email address has run its course, whether you find your account tricky to use as you wade through countless spam and frauds hoping not to get caught out—remember, they only need to catch you once, you need to catch them every time.

We saw the same with the FBI’s holiday season warning, which harped back to its phishing advice from a few years ago. The world has changed and the threat landscape is now much worse—especially with AI. But the need to apply common sense and trust your instincts remains the same.

In the last few days, Google published its own list of the four steps you can take to stay safe—and they’re worth keeping in mind, whether or not you elect to change your address our even to make use of the new Shielded Email feature when it’s available, likely within the next few months.

“Gmail has a very high rate of success combating these types of scams, but scammers are persistent. Whether it’s during the holidays or otherwise, users should follow these golden rules:

• Slow it down. Scams are often designed to create a sense of urgency, and often use terms like “urgent, immediate, deactivate, unauthorized, etc.” Take time to ask questions and think it through.
• Spot check. Do your research to double-check the details of an email. Does what it’s saying make sense? Can you validate the email address of the sender?
• Stop! Don’t send. No reputable person or agency will ever demand payment or your personal information on the spot.
• Report it. If you see something suspicious, mark it as spam. You’ll be making your Inbox cleaner and helping billions of others too.”

Google also provides a list of the most common scams targeting its Gmail users. Again, for the sake of ten to fifteen minutes, you should take a read. It’s worth keeping it all in mind.

This holiday season, Google is drawing attention to three scams in particular:

• “Invoice scams: This method involves scammers sending fake invoices to unsuspecting users, typically trying to solicit phone calls to dispute the “charges” and using this connection as a way to convince victims to pay them. These scams aren’t new, but are persistent and incredibly prevalent this holiday season.
• Celebrity scams: Over the past month, many of the most common scams popping up reference famous people, either pretending to come from the celebrity themself or claiming a given celebrity is endorsing a random product. The associations don’t always make much sense, but the goal of these campaigns is to use the association to build trust and trick people into engaging with “too good to be true” scenarios.
• Extortion scams: This brand of scam is vicious and scary. Victims receive emails with details on their home address, sometimes even including a picture of the location. There are a few different versions of the messages, but they generally either include threats of physical harm or threats of releasing damaging personal material they say they acquired through a hack.”

The common denominator is your email address. If a scammer doesn’t have it, then they can’t email you. A protected primary address and a set of temporary addresses you can disable or redirect resolves this. At which point you needy to ask how does your email address find its way onto their lists. Per EasyDMARC, it’s pretty obvious where the data comes from:

• Lists bought from dark web or data providers
• Openly available email addresses on social media
• Email harvesting (using bots to search the internet for standard format email addresses)
• Social engineering posts and online multiplayer games

Take a look at that list and ask yourself where your email is currently available and how you can change that. The advice is to be careful where you leave your email address, especially with websites you don’t completely know and trust. But in reality, even the websites you trust can seller leak your data. As soon as your email address gets out into the wild, there’s no telling where it will end up.

ForbesSamsung Updates Millions Of Phones For 2025–Galaxy Now More Like iPhoneBy Zak Doffman

And so let’s return to that common sense point. I’m guessing you are careful where and with who you share your phone number. You likely don’t publish it on your public facing social pages or provide it to everyone who asks. But you’re still inundated with cold calls. The reason it’s even worse with email is the scammers don’t need to try very hard to find your details and add you to their lists. You much more willingly share a communications address that reaches you directly.

Which takes us back to the email address theme for 2025. At some point something needs to change. We need to be mindful of who can contact us and how easily they can do so. With McAfee’s warning ringing in our ears—that it’s so much easier now to successfully trick us using AI—that time is now.

Yes, it’s painful to change an email address or open a new Gmail account—it’s also painful to change a cell number. But if you were being hit by dozens of fraudulent cold calls per week, you’d do so.