Fake 'Sign in with Google' OAuth Consent Phishing Scam
Scammers create malicious OAuth apps that abuse the legitimate 'Sign in with Google' flow, tricking users into granting third-party apps broad access to their Google account, email, and contacts.
Part of: Social Login & OAuth Phishing
Last reviewed: 8 June 2026
Google's OAuth consent screen — the 'Sign in with Google' button — is a genuine and widely used authentication method. When a third-party service requests access, Google displays a consent screen showing exactly what permissions are being requested before the user approves.
Criminals abuse this system by creating OAuth applications with innocuous-sounding names ('Document Viewer,' 'PDF Converter,' 'Meeting Scheduler') that request sweeping permissions including access to Gmail, Google Drive, Contacts, and Calendar. Because the consent screen appears on a genuine Google domain (accounts.google.com), users may trust it without scrutinising the permissions.
Once granted, the attacker's app has persistent access to the account without needing the user's password. Because the app holds its own OAuth tokens, which are independent of the password, this access survives password changes unless explicitly revoked.
How this scam works on the Google brand
The victim receives a phishing email, a malicious ad click, or a social media link offering a useful free tool — a document merger, a travel planner, or an email productivity app. When they click 'Get Started,' they are redirected to a genuine Google OAuth consent screen for an app owned by the scammer. The requested permissions include 'Read, compose, send, and permanently delete all your email' and 'See and download all your Google Drive files.'
Because the page is genuinely served from accounts.google.com with a valid Google TLS certificate, even security-aware users may approve. The attacker's server then uses the granted access token to exfiltrate emails, download files, access contacts, or send phishing emails from the victim's own account to their contacts.
Some campaigns specifically target business accounts, using contact lists harvested from one victim to send convincing spear-phishing to colleagues.
Common red flags
- The OAuth consent screen requests far more permissions than a simple productivity tool would need.
- The app name is generic and the developer name is unfamiliar or a random string.
- You are being asked to 'Sign in with Google' for a service you did not seek out or that arrived in an unsolicited email.
- The requested permissions include access to Gmail, Drive, or contacts for an app that only needed a login.
- The app has no privacy policy link, or the privacy policy is a placeholder.
- You approved a Google app and shortly afterward noticed unusual sent emails or shared files.
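The red flags above all come down to one question: which scopes is the consent link actually asking for? The following added example (not part of the original page, and not a Google tool) parses a 'Sign in with Google' authorisation URL and flags the scopes behind wording such as 'Read, compose, send, and permanently delete all your email'. The scope identifiers are real Google ones; the risk tier assigned to each, the sample URL, and the 'PDF Converter' client are this example's own assumptions and constructed values.

```python
from urllib.parse import urlparse, parse_qs

# Real Google scope ids; the risk tier given to each is this example's own judgement.
SIGN_IN_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
HIGH_RISK_SCOPES = {  # wording mirrors what the consent screen shows the user
    "https://mail.google.com/": "read, compose, send and permanently delete all your email",
    "https://www.googleapis.com/auth/gmail.readonly": "read all your email",
    "https://www.googleapis.com/auth/drive": "see, edit and delete all your Drive files",
    "https://www.googleapis.com/auth/drive.readonly": "see and download all your Drive files",
    "https://www.googleapis.com/auth/contacts.readonly": "see all your contacts",
    "https://www.googleapis.com/auth/calendar": "see, edit and delete all your calendars",
}

def triage_consent_url(url):
    """Classify a consent link as 'not-google', 'sign-in-only', 'review' or 'over-broad'."""
    parsed = urlparse(url)
    # A genuine accounts.google.com host proves Google is asking, not that the app is safe.
    if parsed.hostname != "accounts.google.com":
        return "not-google", ["consent page is not on accounts.google.com"]
    params = parse_qs(parsed.query)
    scopes = " ".join(params.get("scope", [])).split()
    findings = []
    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            findings.append(f"HIGH: {scope} -> {HIGH_RISK_SCOPES[scope]}")
        elif scope not in SIGN_IN_SCOPES:
            findings.append(f"REVIEW: unrecognised scope {scope}")
    # access_type=offline asks for a refresh token: access that outlives the
    # session and the user's password until the grant is revoked.
    if "offline" in params.get("access_type", []):
        findings.append("NOTE: offline access requested (persists until revoked)")
    if any(f.startswith("HIGH") for f in findings):
        return "over-broad", findings
    if any(f.startswith("REVIEW") for f in findings):
        return "review", findings
    return "sign-in-only", findings

# Constructed sample: a 'PDF Converter' link of the kind described above (placeholder client id).
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE-CLIENT-ID"
    "&redirect_uri=https%3A%2F%2Fpdf-converter.example%2Fcallback&response_type=code"
    "&access_type=offline&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly"
)
```

Running `triage_consent_url(SAMPLE_URL)` returns the verdict `over-broad` with one finding per Gmail and Drive scope plus a note that offline (persistent) access was requested, which is exactly what the consent screen in this scam would be asking a user to approve for a tool that only needed a login.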
How to protect yourself
- Review all third-party apps connected to your Google account at myaccount.google.com/permissions and revoke any you do not recognise.
- Before approving an OAuth consent screen, read every permission carefully — a PDF viewer should not need access to your Gmail.
- Use Google's Advanced Protection Program (g.co/advancedprotection) if you are a high-risk user such as a journalist or executive.
- Set up login notifications so you are alerted to new device sign-ins and third-party app authorisations.
- If you granted a malicious app access, revoke it immediately at myaccount.google.com/permissions and then review your sent folder and shared Drive files for any suspicious activity.
How to report it
- Report the malicious OAuth app to Google at support.google.com/accounts/troubleshooter/2402620.
- Report the phishing email or link to [email protected].
- File a report with the FTC at ReportFraud.ftc.gov.
- If business data was exfiltrated, notify your organisation's IT security team and, if required, your data protection officer.
Frequently asked questions
Is 'Sign in with Google' always safe to use?
The underlying Google OAuth mechanism is secure, but the permissions an app requests may be overly broad or abusive. Always read the consent screen carefully and reject apps that ask for more access than their function requires.
Does revoking a third-party app immediately cut off its access?
Yes. Revoking an app at myaccount.google.com/permissions invalidates its access token immediately. However, any data the app already downloaded before revocation cannot be recovered, so treat it as exposed.
How do I know if an app already has access to my Gmail?
Go to myaccount.google.com/permissions and look for apps listed under 'Third-party apps with account access.' Review each one and remove any you do not recognise or no longer use.