AI Hyper-Personalised Google Account Phishing
Attackers use large-language-model tools to craft phishing emails that reference your real Google account activity, recent searches, or Gmail data, making fake Google Security messages feel frighteningly specific and credible.
Part of: AI Hyper-Personalised Phishing Scams
Last reviewed: 8 June 2026
Standard phishing messages are easy to spot because they are generic. AI-powered phishing is different: criminals feed public data and breach databases into language models that generate bespoke messages referencing your name, your Gmail address, your timezone, and sometimes even specific Google services you use frequently.
A message might say 'We noticed a sign-in to your Gmail account from a location unusual for you — the last city you used was [your real city].' That level of personal detail makes the message feel like a genuine Google security alert rather than a mass-blasted scam.
The goal is the same as any phishing attack — to steal your Google account password and bypass two-factor authentication — but the dramatically higher credibility of personalised content means victims are far more likely to click without the usual hesitation.
How this scam works on the Google brand
Google sends genuine security alerts from addresses ending in @google.com or @accounts.google.com. The emails reference your account at a high level but do not include details drawn from third-party data brokers or past breach databases.
In the AI-personalised variant, the fraudulent email references details that Google would not typically include — such as the specific device model you most recently used, a subscription service linked to your Gmail, or a recent purchase confirmation stored in your inbox. This over-knowledge is actually a red flag, not a reassurance.
The email contains a 'Secure My Account' button that links to a convincing clone of accounts.google.com. After entering your Google password, a fake two-factor verification page captures your authenticator or SMS code in real time, completing the account takeover.
Common red flags
- The email references very specific personal details — such as a device name or recent purchase — that Google's standard security emails do not include.
- The sender domain is not @google.com or @accounts.google.com — look at the full From address, not the display name.
- The link destination is a lookalike domain such as 'google-accounts-secure.com' rather than accounts.google.com.
- You are asked to enter your Google password and then a two-factor code on a webpage reached via an email link.
- The tone escalates urgency with countdown timers or threats of immediate account deletion.
- Grammar and phrasing are near-perfect but vocabulary choices feel slightly off — a known AI-generation artefact.
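A defender-side triage check for the sender-domain and lookalike-link red flags above, added here as an illustrative example rather than code from Google or from the original page. The two sample messages are constructed, and the suffix check is deliberately strict so that a host such as accounts.google.com.google-accounts-secure.com is not mistaken for a Google subdomain:

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domains that genuine Google account alerts come from, per the article.
LEGIT_SENDER_DOMAINS = {"google.com", "accounts.google.com"}

def is_host_or_subdomain(host: str, parent: str) -> bool:
    """True for parent itself or a real subdomain; rejects 'google.com.evil.net'."""
    return host == parent or host.endswith("." + parent)

def triage(raw_message: str) -> list[str]:
    """Return the red flags found in a raw email; an empty list means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    # Check the real From address, not the display name shown in the mail client.
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in LEGIT_SENDER_DOMAINS:
        flags.append(f"sender domain {sender_domain!r} is not a google.com address")
    # Every link must land on google.com or a genuine subdomain of it.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href in re.findall(r'href="([^"]+)"', html):
        host = (urlparse(href).hostname or "").lower()
        if not is_host_or_subdomain(host, "google.com"):
            flags.append(f"link points to lookalike host {host!r}")
    return flags

# Constructed sample messages (not real mail) used to exercise the check.
SAMPLE_PHISH = """\
From: Google Security <no-reply@google-accounts-secure.com>
Subject: Unusual sign-in to your Gmail account
Content-Type: text/html; charset="utf-8"

<p>We noticed a sign-in from your Pixel 8 in Leeds.</p>
<a href="https://accounts.google.com.google-accounts-secure.com/verify">Secure My Account</a>
"""

SAMPLE_LEGIT = """\
From: Google <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/html; charset="utf-8"

<p>A new sign-in was detected.</p>
<a href="https://myaccount.google.com/notifications">Check activity</a>
"""
```

Running triage(SAMPLE_PHISH) returns two flags (the non-Google sender domain and the lookalike link host), while triage(SAMPLE_LEGIT) returns an empty list.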
How to protect yourself
- Use a hardware security key or passkey for your Google account — these are phishing-resistant and cannot be intercepted by a fake page.
- Go directly to myaccount.google.com to check for security alerts rather than clicking any email link.
- Enrol in Google's Advanced Protection Program at landing.google.com/advancedprotection if you are at elevated risk.
- Enable Google's suspicious-activity review under Security > Recent security activity in your Google Account settings.
- Use a password manager — it will refuse to autofill on a fake domain even if you cannot see the difference visually.
- Treat any email that seems 'too specific' about your personal activity with extra suspicion, not less.
How to report it
- Report the phishing email to Google by clicking the three-dot menu in Gmail and selecting 'Report phishing'.
- Forward phishing messages to [email protected].
- Report the URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/.
- File a report with the FTC at ReportFraud.ftc.gov (US) or with Action Fraud at actionfraud.police.uk (UK).
Frequently asked questions
How do scammers know personal details about me to include in the email?
Criminals combine data from previous breaches, public social profiles, and data-broker databases, then use AI to weave these fragments into a plausible personalised message. The data feels uncanny but was never held by Google itself.
Is a very specific security email from Google more likely to be genuine?
Paradoxically, no. Google's legitimate security alerts are intentionally general. An email that references very specific personal data points may actually be a sign of AI-crafted phishing.
What is a passkey and how does it stop phishing?
A passkey is a cryptographic credential stored on your device. Unlike a password, it is bound to the exact domain of the genuine site and cannot be stolen or replicated on a fake page, making passkey-protected accounts immune to phishing.