Gmail’s New Rename Feature Could Add Spam and Phishing to Your Inbox
Google allows users to change the username of their primary Gmail address, but this may be abused for spam and phishing attacks. The feature keeps the account intact, and the original name becomes an alias. Google limits changes to once per year, up to three times.

2026-4-2 16:52:0 Author: securityboulevard.com

As of March 31st, Google is allowing users to change their primary Gmail address username. Although a nice feature for those who created unfortunate names originally, it may also undermine spam and phishing blocking.

The feature is intended to allow the user account to be changed while keeping the underlying account intact. The original name then becomes an alias, so the user will get their messages regardless of which address is used. Swell for some who want to change their account name but not lose their emails, calendar, and connections with others.

But there may be a sinister side to this. Gmail is a favorite for spammers, fraudsters, and phishing hackers. Although many providers use sophisticated filters that are based on reputation systems, behavioral signals, and infrastructure validation to block the bulk of malicious messages, some get through.

Recipients then have the ability to create a personal block as a final line of defense. Many people, including myself, will block addresses that flood my inbox with such inappropriate content, rendering future attempts by that account no longer a threat in my inbox. I have hundreds of email addresses blocked (to the dislike of spammers and social engineers).

The Attacker's Advantage

If the attackers realize their list of targets is dwindling due to blocks, they can rename their accounts and be back in business to try again. This is convenient as fraudsters want to retain all the email engagements, customer lists, and information gathered as part of their campaign.

I believe most email providers use email addresses for the end-user blocks and don’t dive in any deeper. So, renaming the account is like starting fresh, and a malicious email that found its way through the bulk filters can then get into the inbox, until it is blocked again.

Right now, attackers are forced to create new email accounts, which is not that hard, but it can be time-consuming, and verification eventually becomes a problem. This option will reduce that friction and may increase the effective distribution of more spam and phishing.

Limits for Abuse

Google may have considered these potential downsides. They have instituted limits that will help the situation. A user can only rename their account once every 12 months and for a total of 3 times.

This may regulate some of the misuse by spammers and fraudsters, but I fear my list of blocked addresses, which are mostly Gmail accounts, will likely be undermined shortly, and my inbox once again flooded by unwanted and dangerous messages from adversaries who already possess my email address in their bulk distribution tools.

*** This is a Security Bloggers Network syndicated blog from Information Security Strategy authored by Matthew Rosenquist. Read the original post at: https://infosecstrategy.blogspot.com/2026/04/gmails-new-rename-feature-could-add.html


Source: https://securityboulevard.com/2026/04/gmails-new-rename-feature-could-add-spam-and-phishing-to-your-inbox/