YouTube Channel Strike Phishing Scam
Emails impersonating YouTube warn that a channel received a copyright or community-guidelines strike and will be terminated unless the creator logs in through a fake link, handing over credentials that lead to full channel takeover.
Last reviewed: 5 July 2026
What this scam is
This scam impersonates YouTube's real copyright strike and community guidelines enforcement system, which is a genuine and often stressful process for creators since accumulated strikes can result in permanent channel termination. Scammers exploit the fact that creators already fear this outcome and monitor their channels closely for exactly this kind of notice.
The fraudulent email or in-app-style message claims a specific video has triggered a strike and gives a short window to appeal before the channel is terminated. The appeal link leads to a highly convincing clone of Google's sign-in page, since YouTube accounts are tied to Google credentials rather than a separate login system.
Because a compromised Google account can expose far more than just YouTube — including Gmail, Google Drive, and any other linked service — this variant of channel-takeover phishing is particularly damaging. Scammers typically strip the channel of its identity, rename it, and use its subscriber base to promote further scams, most commonly fake cryptocurrency giveaways.
How it works
The email closely mimics YouTube's real strike notification format, referencing a specific (often vague or generic) video title and citing a Community Guidelines or Copyright violation. It states that a third strike, or a serious first-time violation, will result in permanent channel termination within a short deadline, usually 24 to 48 hours.
An 'Appeal Now' or 'Submit Appeal' button leads to a page cloned from Google's account sign-in screen, hosted on a domain designed to look similar to accounts.google.com at a glance. After the creator enters their email and password, a follow-up screen requests the two-factor authentication code just sent to their device, framed as necessary to confirm identity for the appeal.
With both factors captured, the scammer logs into the real Google account within minutes, before the code expires. They typically disable or change the account's two-factor settings immediately to prevent recovery, then access YouTube Studio to rename the channel, delete existing content, and repurpose the subscriber base to livestream or promote a scam, often a fake celebrity-endorsed cryptocurrency giveaway using the channel's stolen credibility.
Why this scam works
For a creator, a channel represents a long accumulation of work, and the threat of permanent termination triggers a fear response strong enough to override the caution normally applied to a login request. Because real copyright and strike systems exist and channels genuinely do get terminated, the threat is entirely plausible on its face.
The use of a cloned Google sign-in page rather than a YouTube-branded page adds credibility, since creators recognise Google's login flow as familiar from daily use across many services, and the request for a two-factor code arrives immediately after a real code has been sent, which makes the sequence feel like a normal part of the process rather than a second attack step.
A typical pattern
A creator running a mid-sized YouTube channel receives an email formatted exactly like YouTube's official strike notifications, claiming a recent upload violates community guidelines and that the channel will be permanently terminated within 24 hours unless the creator submits an appeal through the provided link. Alarmed at the thought of losing years of uploaded content and subscriber history, the creator clicks the link, which opens a page replicating Google's account sign-in screen precisely, including the real Google logo and layout. The creator enters their email and password without noticing the URL is subtly wrong, and the page then requests the two-factor code just sent to their phone to 'confirm identity for the appeal'. Within minutes the scammer logs into the real account, removes the creator's own two-factor authentication, and renames the channel to promote a cryptocurrency scheme, wiping out the original content and locking the creator out for days while they fight to recover access through Google's support process.
Common red flags
- Urgent deadline threatening permanent channel termination within 24-48 hours
- Link leads to a sign-in page that is not exactly accounts.google.com
- Request for a two-factor code immediately after entering a password on an external page
- The alleged strike does not appear in your real YouTube Studio dashboard
- Email references a vague or unnamed video rather than a specific upload you recognise
- Sender address is not an official youtube.com or google.com domain
- Message combines the strike threat with an unrelated request, such as payment or personal identification details
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Your channel [Channel name] has received a copyright strike and will be permanently terminated in 24 hours. Submit your appeal now at [link].
Community Guidelines Violation: A recent upload has triggered a strike on your account. Appeal within 48 hours to avoid termination.
Your YouTube Partner Program membership is under review due to a policy violation. Verify your account at [fake link] to avoid suspension.
We sent a verification code to your device. Enter it now to complete your channel appeal and prevent permanent deletion.
Common variations
- Copyright strike variant citing a specific uploaded video and a named rights holder
- Community Guidelines strike variant citing hate speech, misinformation, or harassment policy violations
- Monetisation suspension variant threatening removal from the YouTube Partner Program instead of channel termination
- Live-stream hijack aftermath, where a taken-over channel immediately starts a fake crypto giveaway livestream
- AdSense payment verification bundled with the strike notice to also harvest banking details
How to verify before you act
Genuine strikes and copyright claims appear directly inside YouTube Studio, under the Content or Copyright section of your channel dashboard, and are also visible when you sign in normally without clicking any external link. If nothing appears there matching the claimed violation, the email is fraudulent regardless of how convincing it looks.
Always check the address bar carefully before entering Google credentials anywhere — the genuine sign-in domain is accounts.google.com exactly, with no extra words, hyphens, or subdomains. Never enter a two-factor code on any page you reached by clicking a link in an email; only enter it after navigating to Google directly yourself.
Payment methods used
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- YouTube creators
- Channels with monetisation enabled
- Channels with large subscriber counts
What to do immediately
- Do not click the link — log in to YouTube Studio and Google account settings directly to check for genuine notices
- If you entered your password, change it immediately at accounts.google.com and review recent security activity
- Never share a two-factor code with anyone or enter it on a page you reached via an email link
- Check YouTube Studio for unauthorised changes to your channel name, uploads, or monetisation settings
- Use Google's account recovery process immediately if you have already been locked out
- Report the phishing email to Google and to YouTube's official support channels
How to prevent it
- Check for genuine strikes and copyright claims only inside YouTube Studio, never through an emailed link
- Use an authenticator app rather than SMS for two-factor authentication where possible, since app codes are not time-sensitive to a live phishing relay in the same way
- Never enter a Google password or verification code on a page reached via a link in an unsolicited email
- Enable Google's Advanced Protection Program for high-value creator accounts
- Bookmark YouTube Studio and Google account settings so you never need to click an external link to reach them
- Regularly review your Google account's connected devices and recent security activity
- Set up account recovery options in advance so regaining access is faster if a takeover does occur
Evidence to preserve
- The full original email including headers showing sender address and routing
- Screenshot of the phishing sign-in page and its exact URL
- Screenshots of any unauthorised changes made to your channel or Google account
- Timestamps of when the email arrived and when access was lost
- Any recovery correspondence with Google/YouTube support
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do I know if a YouTube strike email is real?
Log in to YouTube Studio directly, without clicking any link, and check the Content or Copyright section of your dashboard. A genuine strike will always be visible there. If the email describes something you cannot find in your real dashboard, it is fraudulent.
My channel was taken over and renamed. Can I get it back?
Use Google's official account recovery process as soon as possible, since the longer an attacker holds the account, the more changes they can make. Document everything and report the takeover to both Google and YouTube support, referencing your original channel details.
Why does entering a two-factor code matter so much if I already gave my password?
A password alone is often not enough to log in if two-factor authentication is enabled. Scammers need the live code to complete the login in real time, which is why phishing pages are designed to request it immediately, before the code expires.