Fake Google Two-Factor SMS Bypass Scam
Scammers who have already obtained a victim's Google password pose as Google Support and social-engineer the victim into sharing the SMS two-factor code, completing an account takeover.
Part of: Fake Two-Factor Authentication Scams
Last reviewed: 7 June 2026
Google accounts protected by SMS-based two-factor authentication require both the password and a texted six-digit code. Once scammers have harvested a password through phishing or a data breach, the only remaining barrier is that code. Fraudsters have developed reliable methods to extract it through social engineering, often without the victim realising what has happened.
The most common approach is a phone call or text posing as Google's automated security system. Because Google does send real automated alerts when unusual sign-in attempts occur, a fake version of this notification feels completely natural. The victim, seeing what appears to be a Google security text or call, provides the code thinking they are confirming it was their own sign-in.
This attack underscores why SMS-based two-factor authentication, while better than none, is weaker than app-based authenticators or, better still, hardware security keys, which produce no code that a victim can be talked into reading out or texting back.
How this scam works on the Google brand
Google may send real SMS notifications when it detects a suspicious sign-in attempt. These messages say 'Google sign-in attempt on [device/location]' and ask you to confirm whether it was you. Critically, Google's real security texts do not ask you to text back a code or call a number.
In the scam, an attacker who already has the victim's email address and password attempts to log in. Google sends a genuine six-digit SMS code to the victim's phone. At the same moment, the victim receives a call or text from a number spoofed to look like Google, saying 'We detected a sign-in attempt. Please reply with the code we just sent to confirm it is you.' The victim texts back the code, and the attacker enters it immediately to complete the takeover.
Alternatively, the scammer sends a phishing text appearing to be a Google security alert, directing the victim to a fake page where they enter their six-digit code to 'reject' the suspicious sign-in. This is a reversal of intent: the victim believes they are blocking access, but they are actually approving it.
Common red flags
- A text or call asks you to share or reply with a Google verification code you just received
- A message claims you need to 'confirm' or 'reject' a sign-in by entering the code somewhere
- You receive a Google verification code by SMS without attempting to sign in yourself
- The caller or texter claims to be Google's automated security system and asks for the six-digit code
- The instruction arrives at the same time as a real Google SMS code; the timing is deliberate, because the attacker has just triggered that code by entering your password
- Google's real texts never ask you to share the code with anyone; the code is for you to type into the sign-in screen yourself
How to protect yourself
- Upgrade your Google two-factor authentication from SMS to the Google Authenticator app or a hardware security key at myaccount.google.com/security
- Never share a Google verification code with any caller or texter, regardless of the reason given
- If you receive a Google code you did not request, change your Google password immediately: it means someone who already has your password is attempting to sign in to your account
- Consider enrolling in Google's Advanced Protection Program if you are at heightened risk
- Enable Google's sign-in notifications so that you receive an alert in the Google app whenever a new device signs in to your account
How to report it
- Report the suspicious call or text to Google at myaccount.google.com/security
- Forward phishing SMS to 7726 (SPAM) in the US and UK to report to your carrier
- Report to the FTC at reportfraud.ftc.gov (US) or Action Fraud actionfraud.police.uk (UK)
- If your account was taken over, begin recovery at accounts.google.com/signin/recovery
Frequently asked questions
Is SMS two-factor authentication safe for a Google account?
SMS two-factor authentication is significantly better than using a password alone, but it can be bypassed through SIM-swapping, SS7 attacks, or social engineering of the type described here. For stronger protection, Google recommends using the Google Authenticator app, Google prompts, or a FIDO2 hardware security key.
Why does Google's real security system send a code to my phone?
The code is a one-time token that verifies you have physical access to the phone number registered on your account. It is meant only for the person signing in, so you should never share it. If you did not initiate a sign-in, receiving a code means someone else is trying to access your account.
I shared my Google code with a caller. What should I do?
Act immediately. Go to myaccount.google.com and change your password. Check Security > Your devices for any sign-ins you do not recognise and revoke them. Review the recovery email address and phone number in Security settings to ensure they have not been changed. If you are locked out, use accounts.google.com/signin/recovery.