Fake Google Account Security Alert Phishing
Phishing emails styled as Google security alerts claim your account has been accessed from an unknown device and drive you to a fake Google sign-in page that captures your Google credentials and backup codes.
Last reviewed: 7 June 2026
A Google account is far more than email. It stores your Search history, location timeline, Google Drive files, YouTube channel, Google Pay methods, and every app downloaded from the Play Store. For many people, losing control of their Google account would be more disruptive than losing their wallet — which is why fake Google security alerts are so effective.
Scammers send messages that replicate the look and wording of genuine Google 'New sign-in' or 'Critical security alert' notifications. These real notifications are part of Google's Advanced Protection and standard account security systems, so recipients are conditioned to take them seriously.
The fraudulent messages typically state that a sign-in was detected from a new device in an unusual location — often listed as a foreign country to heighten anxiety. They direct the recipient to a fake 'accounts.google.com' page where entering credentials hands them directly to attackers.
How this scam works on the Google brand
Google's real security alerts are sent from [email protected] and direct users to myaccount.google.com. They display the device type, operating system, and approximate location of the sign-in, and they offer two clear options: 'Check activity' and 'No, secure account' — both of which link only to myaccount.google.com, never to third-party domains.
Fake alerts often mimic this two-button layout. However, both buttons link to the same phishing domain. Some sophisticated versions use open-redirect vulnerabilities on legitimate Google services (such as Google AMP or Google Translate) to display a google.com URL in the browser bar that eventually resolves to a phishing page — making the URL check alone insufficient.
After capturing your Google password, the fake site shows a second screen requesting your 'Google Verification Code' or 'backup codes'. Real Google recovery codes should never be entered anywhere except when you explicitly initiate account recovery at accounts.google.com. Attackers use the backup code to disable two-factor authentication and permanently lock victims out.
Common red flags
- Sender address is not [email protected] — look past the display name to the actual domain
- Both 'secure account' and 'check activity' buttons lead to the same non-google.com URL
- The page asks for your Google backup or recovery codes — only enter these during a recovery you initiated
- The alert does not show the specific device model or OS, only vague references to 'a new device'
- The sign-in page URL contains 'google' as a word inside a longer non-Google domain
- A sense of extreme urgency — 'your account will be deleted in 48 hours unless you act'
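The link checks above can be automated. The following Python is an added example, not part of the original page: it classifies each alert button by its real hostname, catches 'google' embedded in a longer non-Google domain, and flags google.com links that carry a non-Google URL in the query string, the redirect-style case where reading the domain alone is not enough. The function names, the `.example` hostnames, and the rule that any query parameter holding an absolute URL counts as a forwarded destination are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qsl

# The only destinations the page says genuine alert buttons use.
TRUSTED_HOSTS = {"myaccount.google.com", "accounts.google.com"}

def host_of(url):
    """Lower-cased hostname; urlsplit ignores a misleading 'user@' prefix."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")

def wrapped_targets(url):
    """Non-Google absolute URLs carried in the query string (assumed redirect-style link)."""
    values = (v for _, v in parse_qsl(urlsplit(url).query))
    return [v for v in values
            if v.lower().startswith(("http://", "https://"))
            and not is_google_host(host_of(v))]

def classify(url):
    host = host_of(url)
    if is_google_host(host):
        if wrapped_targets(url):
            return "google-wrapped"  # google.com link whose destination is elsewhere
        return "trusted" if host in TRUSTED_HOSTS else "google-other"
    return "lookalike" if "google" in host else "untrusted"

def review_alert(buttons):
    """buttons: {label: href} copied from the e-mail. Returns a list of red flags."""
    verdicts = {label: classify(href) for label, href in buttons.items()}
    flags = [f"{label}: {verdict} ({host_of(buttons[label])})"
             for label, verdict in verdicts.items() if verdict != "trusted"]
    same_target = len(buttons) > 1 and len(set(buttons.values())) == 1
    if same_target and "trusted" not in verdicts.values():
        flags.append("all buttons share one non-Google destination")
    return flags

# Constructed sample: .example names are placeholders, not real indicators.
SAMPLE = {
    "Check activity": "https://accounts.google.com.signin-alert.example/verify",
    "No, secure account": "https://accounts.google.com.signin-alert.example/verify",
}

if __name__ == "__main__":
    for flag in review_alert(SAMPLE):
        print(flag)
```

A 'google-wrapped' or 'google-other' verdict means the link needs a closer look; neither one confirms that the link is safe or malicious.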
How to protect yourself
- Go directly to myaccount.google.com to review recent security activity — never via links in emails
- Enrol in Google's Advanced Protection Program if you are at elevated risk; it requires a hardware security key
- Use passkeys instead of a password where available in your Google Account settings
- Never enter Google backup codes on a site you reached via an email link
- Check connected apps and third-party access at myaccount.google.com/permissions and revoke anything unfamiliar
- If you suspect compromise, use myaccount.google.com/security-checkup immediately
How to report it
- Report phishing emails by clicking the three-dot menu in Gmail and selecting 'Report phishing'
- Forward phishing emails to [email protected]
- Report to the FTC at reportfraud.ftc.gov (US) or to Action Fraud at actionfraud.police.uk (UK)
- If your account was taken over, start recovery at accounts.google.com/signin/recovery
Frequently asked questions
How do I check if there really was an unauthorised sign-in to my Google account?
Visit myaccount.google.com, then go to Security > Your devices and Security > Recent security activity. If you see a device or location you do not recognise, select it and choose 'Sign out'. Then change your password.
What are Google backup codes and why do scammers want them?
Backup codes are one-time codes generated in your Google account security settings for use when you cannot access your normal two-factor method. If a scammer obtains one, they can use it to bypass two-factor authentication and change your account recovery options, locking you out permanently.
Can scammers use my Google account to access other sites?
Yes. If you use 'Sign in with Google' (OAuth) for other services, a compromised Google account can give attackers access to those linked accounts as well. Reviewing permissions at myaccount.google.com/permissions is important after any suspected compromise.