Everyone using Gmail placed on red alert and urged to follow these new email rules




The team at Malwarebytes says that all Gmail users are at risk from this clever so-called replay attack, with cybercriminals abusing Google’s infrastructure to create emails that appear to come from the firm.

The end game for the crooks is to persuade people to hand over their Google account credentials.

The new attack, which was first spotted by developer Nick Johnson, arrives in the form of an urgent-looking email.

On initial inspection it seems to have come directly from Google, with the sender's address appearing real.

"The first thing to note is that this is a valid, signed email - it really was sent from no-reply@google.com. It passes the DKIM signature check, and GMail displays it without any warnings," Johnson explained.

The message received by Johnson claimed that a legal subpoena had been issued requiring access to his account.

The only sign that something was amiss was the address of the site: the official site should have been hosted on accounts.google.com, but instead it appeared on sites.google.com.

The difference is that anyone with a Google account can create a website on sites.google.com, and that is exactly what the cybercriminals did. Google says it is addressing the issue with an update that should stop attacks like this from happening in the future.

Speaking to Newsweek, Google said: "We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week."

However, although security is being tightened, now is not a good time to let your guard down, and it's vital to stay alert.

To help email users avoid this new scam, Malwarebytes has released some top tips to help stay safe.

HERE ARE 4 RULES EVERY GMAIL USER NEEDS TO KNOW

• Don’t follow links in unsolicited emails or on unexpected websites

• Carefully look at the email headers when you receive an unexpected email

• Verify the legitimacy of such emails through another, independent method

• Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.
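The header and link check described above can be scripted. The following is an added example, not code from Malwarebytes, Google or Nick Johnson: it shows that a message can pass DKIM for google.com and still link to a page on sites.google.com, where anyone can publish. The sample message is constructed, the function names are hypothetical, and it assumes a single-part plain-text message whose Authentication-Results header was written by your own mail server.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Hosts where any account holder can publish pages (the article names sites.google.com).
USER_CONTENT_HOSTS = {"sites.google.com"}

# Constructed sample: header values and the URL path are invented for illustration.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=google.com; spf=pass
From: Google <no-reply@google.com>
To: user@example.org
Subject: Security alert
Content-Type: text/plain

A subpoena was served requiring access to your account.
Review the case: https://sites.google.com/view/constructed-example/home
"""

def dkim_result(msg):
    """Return (result, signing_domain) from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    m = re.search(r"\bdkim=(\w+)(?:[^;]*?\bheader\.d=([\w.-]+))?", header)
    if not m:
        return ("none", "")
    return (m.group(1).lower(), (m.group(2) or "").lower())

def link_hosts(msg):
    """Return the hostname of every http(s) URL in the plain-text body."""
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    return [urlsplit(u).hostname or "" for u in urls]

def triage(raw):
    """Report the DKIM verdict and link hosts as separate signals."""
    msg = message_from_string(raw)
    result, domain = dkim_result(msg)
    hosts = link_hosts(msg)
    findings = [f"link to user-published host {h}"
                for h in hosts if h in USER_CONTENT_HOSTS]
    # A DKIM pass says who signed the message; it says nothing about
    # where the links lead, so it never cancels a link finding.
    return {"dkim": result, "signed_by": domain, "hosts": hosts,
            "findings": findings, "suspicious": bool(findings)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```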

So, be warned when checking your email account and don't be fooled.




Posted: 2025-05-04 08:50:30
