Did Google detect suspicious activity? Tell a real security alert from phishing
Google really does send these alerts — which is exactly why fake ones are so convincing.
Google does send legitimate alerts when it detects an unusual sign-in or a security change on your account, and criminals copy the look of those exact warnings to lead you to a credential-stealing page. A fake message might say "unusual activity detected," "suspicious sign-in blocked," or "your account will be suspended" — and the visual difference from a real alert can be almost nothing. Google recommends checking your account directly and reviewing your recent security activity rather than trusting the email, and provides a dedicated channel for reporting phishing emails in Gmail.
The reason this particular scam works so well is structural: Google account alerts are one of the very few automated emails most people are trained to take seriously and act on quickly, since a real one really can mean someone else is trying to get into your inbox, your photos, and often your recovery path for every other account tied to that email address. Attackers know that urgency plus a security framing tends to override the skepticism people apply to more obviously commercial phishing emails. The fix isn't to distrust every Google email by default — it's to consistently route around the email entirely and check the same information at the source, every single time, regardless of how convincing or plain the message looks.
How to verify the alert
Don't use the button inside the message. Instead, type myaccount.google.com into your browser directly, or open account settings from within Gmail itself. Review your recent security activity, the list of your devices, any third-party app access, your recovery methods, and Gmail's forwarding rules and filters, then look for sessions you don't recognize. If the flagged event actually appears, confirm whether it was really you; if it doesn't appear at all, that's a strong sign the email itself was the attack.
Warning signs of a phishing version
- The link doesn't actually lead to a Google-owned domain
- A third-party page asks for both your password and a verification code together
- The message threatens account closure within just a few hours
- It asks you to install an app or a certificate
- It requests payment for "account security"
- The display name says Google but the real sending address is different
- A password manager doesn't recognize the domain as a saved login
- The flagged activity is absent when you check the account directly
Never send a Google verification code to anyone, even someone claiming to be support — a criminal can start a real sign-in attempt with your password, then call you afterward asking for the code under the pretense of "canceling" the suspicious login. Sharing that code hands them access.
It also helps to understand why the phone-call version of this scam specifically targets a verification code rather than just a password. A password alone is often not enough to get into an account protected by two-step verification, so an attacker who already has your password from an unrelated breach still needs the second factor to finish signing in. That's the entire purpose of the follow-up call: to get you, in the moment, to hand over the one piece of information that would otherwise have stopped them. Recognizing that a code request is the actual goal — not a side detail — makes it much easier to refuse on the spot, no matter how the caller frames the request.
If the activity is real and wasn't you
Change your password immediately to a strong, unique one you haven't used elsewhere. Sign out of any sessions you don't recognize. Remove unfamiliar devices and third-party app access. Enable two-step verification if it isn't already on. Inspect Gmail specifically for forwarding rules or filters that might be silently hiding incoming messages from you — a common tactic once an account is compromised.
The same logic applies well beyond Google specifically — any account offering two-step verification is protected by the same principle, and any message asking you to read out or type in a code somewhere other than the service you're actually signing into should be treated the same way, regardless of which brand's name or logo appears on it. Learning to recognize the shape of this specific attack, rather than memorizing one company's version of it, is what actually transfers to the next platform that gets targeted.
If you already entered information on the fake page
From a different, trusted device, change your Google password first, then update any other passwords you'd reused elsewhere. Review your account's security activity, active sessions, recovery methods, and Gmail settings for anything unfamiliar. If you also entered payment information, contact your bank or card issuer right away. Report the original email as phishing directly inside Gmail.
Quick checklist
- Never click the button inside an unexpected security alert email
- Check activity by typing myaccount.google.com yourself
- Never share a verification code with anyone, ever
- Enable two-step verification if you haven't already
- Review Gmail forwarding rules and filters after any suspicious activity
- Report phishing emails directly through Gmail's built-in tool
