A New Google Scam Looks Real — Here’s How to Spot It and Avoid Getting Tricked

If you use Gmail, Google Drive, or any Google service, you may soon receive an email or see a pop-up that looks exactly like an official Google message. It will ask you to verify your account, re-enter your password, or click a link to resolve a security issue. The design will be convincing. The logo will be correct. And that’s the problem — the message is a fake.

According to a report from Reader’s Digest (April 30, 2026), a wave of this Google-impersonating phishing scam is currently circulating. The goal is to steal your login credentials and gain access to your Google account. Here is what is happening and how to keep your account safe.

What’s happening

The scam typically arrives as an email that appears to come from Google. It may claim there is suspicious activity on your account, that your storage is full, or that you need to verify your identity to avoid losing access. A link in the email leads to a page that looks almost identical to the real Google login screen. If you enter your email and password, the attackers capture them immediately.

The same technique can appear as a browser pop-up or a notification on your phone. In some cases, the scammers use a fake “Sign in with Google” button embedded in a third-party site. Because the imitation is so close — matching fonts, logos, and color schemes — many people do not notice anything is wrong until it is too late.

Why it matters

A compromised Google account gives an attacker access to your email, documents, photos, and any other service connected to that account, including YouTube, Google Drive, and Google Pay. They can reset passwords for other online accounts, impersonate you to your contacts, or steal sensitive information.

This type of scam is not new, but its current iteration is especially polished. The fake login pages use HTTPS certificates (the padlock icon) and URLs that contain “google” somewhere in the address, which is enough to pass a quick glance. Reader’s Digest also notes that similar phishing tactics have been used against Evite users and people searching for rental apartments, showing that scammers are borrowing successful methods across platforms.

How to protect yourself

You can avoid this scam without much effort if you know what to look for.

  • Check the URL. Before entering any password, look at the web address. If it is not exactly accounts.google.com (or myaccount.google.com), do not proceed. Scammers often use addresses like accounts-google-security.com or google-verify.account-update.com. What matters is the host name, the part between https:// and the next slash, and within it the words right before .com: in the second example that is account-update, not google.
  • Be suspicious of urgent language. Google rarely sends emails that demand immediate action or threaten account closure. If a message pressures you to click quickly, that is a warning sign.
  • Hover before you click. On a desktop, hover your mouse over any button or link in the email. The real destination appears in the bottom-left corner of your browser. If it does not match a Google domain, do not click.
  • Go directly to the website. Instead of clicking a link in an email, open a new browser tab and type myaccount.google.com manually. Check for any alerts or notifications there. If Google really needs something from you, it will appear when you log in properly.
  • Enable two‑factor authentication (2FA). This is the single most effective protection. Even if someone steals your password, they cannot log in without the second factor — usually a code sent to your phone or generated by an authenticator app. To turn it on, go to your Google Account settings, find “Security,” and follow the setup steps under “2-Step Verification.”
  • Use a password manager. Password managers can automatically fill in credentials only on the correct website. If you land on a fake login page, the manager will not offer to fill anything, which is a clear warning that something is wrong.
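
The “Check the URL” rule above, and the exact-site matching a password manager relies on, written as an added JavaScript example (not code from Google or Reader’s Digest). The names checkLoginUrl and report, the sample list, and the login.example addresses are constructed for illustration; the two trusted hosts and the two lookalike domains come from the list above.

```javascript
// Added example: exact-host check for a Google sign-in link.
// The two trusted hosts are the ones named in the article.
const TRUSTED_HOSTS = new Set(["accounts.google.com", "myaccount.google.com"]);

function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // the same WHATWG URL parser browsers use
  } catch {
    return { ok: false, host: null, reason: "not a valid absolute URL" };
  }
  // The parser lowercases the host; drop a trailing dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not HTTPS" };
  }
  if (url.username || url.password) {
    // Anything before an "@" is login data, not the site being visited.
    return { ok: false, host, reason: "text before '@' is not the host" };
  }
  if (!TRUSTED_HOSTS.has(host)) {
    const hint = host.includes("google") ? " (contains 'google' but is another domain)" : "";
    return { ok: false, host, reason: "host is not an exact match" + hint };
  }
  return { ok: true, host, reason: "exact match" };
}

// Constructed sample links; login.example is a placeholder domain.
const SAMPLES = [
  "https://accounts.google.com/signin",
  "https://myaccount.google.com/security-checkup",
  "https://accounts-google-security.com/login",
  "https://google-verify.account-update.com/verify",
  "https://login.example/accounts.google.com/signin",
  "https://accounts.google.com@login.example/",
  "http://accounts.google.com/",
];

function report(urls) {
  return urls.map((u) => ({ url: u, ...checkLoginUrl(u) }));
}

for (const r of report(SAMPLES)) {
  console.log(r.ok ? "OK   " : "STOP ", r.url, "->", r.host, "|", r.reason);
}
```

Only the first two samples pass; every other link is stopped even though “google” appears somewhere in it.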

If you already clicked

If you realize you entered your Google credentials into a fake page, act immediately.

  1. Change your Google password. Do this from a trusted device and a clean browser session.
  2. Sign out of all other sessions. In your Google Account settings, choose “Sign out of all other web sessions.” This will kick the attacker out of any session they may have started.
  3. Revoke access to third-party apps that you don’t recognize. Go to the “Security” section and click “Manage third-party access.” Remove anything suspicious.
  4. Check your recovery email and phone number. Make sure the attackers have not added their own contact methods.
  5. Run a security checkup. Google offers a built-in Security Checkup that walks you through the most important settings. You can find it at myaccount.google.com/security-checkup.

Report the scam

If you receive a phishing email, forward it to [email protected]. Google uses these reports to help block future attacks. You can also report the scam to the Federal Trade Commission (FTC) at reportfraud.ftc.gov.

Staying safe online does not require advanced technical skills. It requires a moment of pause before clicking. If something feels off, trust that feeling. Your Google account is worth the extra second it takes to verify the page you are on.

Sources

  • Reader’s Digest, “Warning! This New Google Scam Looks Totally Legit—But Whatever You Do, Don’t Click on It,” April 30, 2026.
  • Google Account Help, “Avoid and report phishing emails.” (accounts.google.com/help)
  • Federal Trade Commission, “How to Recognize and Avoid Phishing Scams.” (consumer.ftc.gov)