Deepfake Voice Google Account Security Alert Scam
Criminals use AI-synthesised voices to impersonate Google's automated security system or Google account specialists, calling victims to warn of a breach and extracting Google account credentials or backup codes during the call.
Last reviewed: 8 June 2026
Google does send automated security notifications by email and SMS for some account events, and Google's own voice assistant technology has made computer-generated voices familiar to billions of people. Criminals combine these two facts to create deepfake voice scams that feel like they originate from Google's own systems.
An unsolicited call arrives with a caller ID spoofed to show 'Google LLC' or a number that matches a real Google corporate line. An AI voice announces that unusual sign-in activity was detected on the victim's Google account and that the account may be compromised. The victim is asked to press a digit to speak with a Google security specialist.
The 'specialist' — either another AI voice or a live scammer — then requests the victim's Gmail address, recovery codes, or two-factor authentication codes to 'verify the account and stop the unauthorised access'.
How this scam works on the Google brand
Google does not make unsolicited outbound calls to users about account security incidents. Genuine Google security alerts are delivered via email to the account's registered address and through the account's Security section at myaccount.google.com. The only Google-initiated calls are those users schedule themselves through Google's support options.
The deepfake call leverages familiarity with Google's voice assistant aesthetic — clear, professional, and calm. It references a real concern (unauthorised sign-in) and uses specificity (a region name, a device type) assembled from public information to make the alert feel targeted.
If the victim provides a backup code or authenticator code, the attacker uses it immediately to bypass two-factor authentication and take over the Google account. They then add their own recovery details, locking the victim out.
Common red flags
- An unexpected call claims to be Google Security — Google does not make unsolicited security calls.
- Caller ID shows 'Google LLC' or a Google number — this is easily spoofed.
- The voice sounds synthetic, overly even, or has small glitches at sentence transitions.
- The call asks for your Gmail password, recovery codes, or a two-factor authentication code.
- The call creates urgency: 'Your Google account will be suspended in the next 15 minutes.'
- After pressing a digit, you are connected to someone who keeps pushing for verification codes.
How to protect yourself
- Hang up on any unexpected call claiming to be Google — then check your Google account at myaccount.google.com yourself.
- Never share your Google password, backup codes, or 2FA codes with anyone on an inbound call.
- Enable Google's Advanced Protection Program at landing.google.com/advancedprotection for highest-risk accounts.
- Use a passkey or hardware security key for your Google account to prevent code-based takeover.
- Review your Google account security activity at myaccount.google.com/security after any suspicious contact.
- Register your number with the Do Not Call registry to reduce overall unsolicited call volume.
How to report it
- Report the spoofed number to the FTC at DoNotCall.gov (US) or Ofcom at ofcom.org.uk/complaints (UK).
- Report phishing or scam calls related to Google accounts at [email protected].
- File a report with the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- If your account was compromised, use Google's account recovery at accounts.google.com/signin/recovery.
Frequently asked questions
Does Google ever call users about account security problems?
Google does not make unsolicited outbound security calls to users. All genuine Google security alerts are delivered by email and through the Google Account security page. The only calls Google makes are those you schedule yourself through Google's support portal.
What are backup codes and why would a scammer want them?
Backup codes are one-time codes generated by Google that can bypass the normal two-factor authentication step. If a scammer has your password and a backup code, they can complete a login without needing your phone, fully taking over your account.
I gave the caller a backup code. What should I do?
Go to myaccount.google.com/security immediately, generate new backup codes (which invalidates the old ones), change your Google password, and review all active sessions. Contact Google's support through the account's Security section if you need further assistance.