Fake Google Workspace Admin Credential Phishing
Targeted phishing emails impersonating Google Workspace alerts aim to steal administrator credentials, giving attackers control over an entire organisation's Google environment.
Part of: Fake IT Helpdesk Credential Scams
Last reviewed: 7 June 2026
Google Workspace (formerly G Suite) powers email, calendar, document collaboration, and cloud storage for businesses of every size. A compromised Workspace administrator account hands attackers the keys to the kingdom: they can read every employee's email, export all Drive files, modify domain DNS records, or lock out the legitimate administrators entirely.
These attacks are usually targeted rather than mass-phishing. Criminals research a target organisation — often through LinkedIn — to identify the likely IT administrator or owner. They then send a highly personalised email referencing the organisation's Google Workspace domain and claiming a critical policy violation, storage quota breach, or mandatory security update requiring admin re-authentication.
Because the consequence of ignoring a genuine admin alert can be severe, even security-conscious IT staff can be caught off guard by a well-crafted, well-timed fake.
How this scam works on the Google brand
Legitimate Google Workspace admin notifications arrive from @google.com addresses and direct administrators to the Admin Console at admin.google.com. They do not ask for passwords, and they do not ask admins to re-enter credentials on an external page — changes in the Admin Console require the admin to be already signed in.
Fake admin alerts mimic the Google Admin Console branding — the colourful Google logo, the clean card-based layout, and the official-sounding subject lines like 'Action required: Your Google Workspace account requires verification'. The phishing link leads to a convincing copy of the Google sign-in page, but at a domain such as workspace-admin-google[.]com.
In some campaigns, attackers send a fake Google Docs or Google Drive sharing notification — using the real Google Docs notification email format — and embed a link to a phishing page inside a legitimate-looking shared document. Because the notification email itself comes from a real Google address, email security filters may not catch it.
Common red flags
- An admin alert directs you to a non-google.com sign-in page
- You are asked to re-enter your admin credentials outside the Admin Console
- The email cites an urgent compliance or suspension deadline for the entire organisation
- The shared-document link inside a real Google notification leads to a third-party sign-in page instead of a Google Doc
- The sender address has extra words around 'google', such as googleworkspace-support[.]net
- The alert references your organisation's domain name but the email header shows it was sent to a mailing list or catch-all address
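The first and fifth red flags can be checked mechanically. The sketch below is an added example, not code from Google or from this page's author: it classifies a link or sender address by its real destination host, assuming that only google.com hosts count as genuine. The function names and the sample list are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: only google.com hosts count as genuine destinations, following
# the page's "non-google.com sign-in page" red flag.
TRUSTED_SUFFIX = "google.com"
BRAND = "google"


def split_authority(value):
    """Return (hostname, full authority) for a URL, bare domain or email address."""
    value = value.strip().replace("[.]", ".")  # undo [.] defanging
    if "://" not in value:
        # Email address: keep the part after the last '@'. Bare domain: as is.
        value = "//" + value.rsplit("@", 1)[-1]
    parts = urlsplit(value)
    # hostname drops userinfo and port, so https://admin.google.com@host/
    # resolves to 'host'; netloc keeps the userinfo for the brand check below.
    return (parts.hostname or "").rstrip(".").lower(), parts.netloc.lower()


def classify(value):
    """Classify a link or sender as 'google', 'lookalike' or 'other'."""
    host, authority = split_authority(value)
    # Match on a label boundary: 'admin.google.com' passes, while
    # 'workspace-admin-google.com' and 'admin.google.com.example.net' do not.
    if host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX):
        return "google"
    # Brand name anywhere in an untrusted authority is the lookalike pattern.
    if BRAND in authority:
        return "lookalike"
    return "other"


# Constructed samples; the two defanged domains are the ones quoted on this page.
SAMPLES = [
    "https://admin.google.com/ac/home",
    "https://workspace-admin-google[.]com/signin",
    "alerts@googleworkspace-support[.]net",
    "https://admin.google.com@login.example.net/",
    "https://admin.google.com.example.net/",
    "https://intranet.example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```

A 'google' verdict only describes the destination host. The shared-document case above still passes this check, because the document itself sits on a real Google host and the phishing link is inside it.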
How to protect yourself
- Access the Google Admin Console only by navigating directly to admin.google.com
- Enforce phishing-resistant MFA (hardware security keys or passkeys) for all admin accounts in Workspace
- Enable Google Workspace's Alert Centre and Security Dashboard to monitor for genuine anomalies
- Use the Workspace Audit Log to review recent admin actions if a suspicious alert is received
- Restrict admin privileges to the minimum number of accounts necessary
- Train staff to verify any document-sharing notifications by navigating to drive.google.com directly
How to report it
- Report phishing targeting your Workspace domain at workspace.google.com/support
- Use the Gmail 'Report phishing' menu option to submit the email to Google
- Report to the FTC at reportfraud.ftc.gov (US) or your national cybersecurity authority
- If credentials were compromised, immediately revoke all admin sessions in the Admin Console and contact Google Workspace Support
Frequently asked questions
Does Google ever email admins requiring them to re-enter their password outside the Admin Console?
No. Legitimate Google Workspace admin actions are completed inside the Admin Console at admin.google.com, where you are already authenticated. Google will not email a link that requires you to sign in again on an external page to complete an admin task.
How can a Google Docs sharing notification be used for phishing?
The notification email comes from a real Google address, but it can contain a link to a phishing site embedded in the document itself. When you click 'Open in Docs', you are taken to the real document — but that document may display a button or link pointing to a credential-harvesting page.
My admin account was compromised. What are the first steps?
From a secondary admin account (or via Google's account recovery process), revoke all active sessions for the compromised admin, reset the password, and audit recent admin actions in the Workspace Audit Log. Check that DNS records, email forwarding rules, and third-party app permissions have not been modified.