How to Spot a New Google Scam That Looks Totally Legit

A convincing new phishing campaign is targeting Google users with alerts that appear to come directly from Google. The scam, recently reported by Reader’s Digest, sends notifications warning of suspicious account activity or a security breach. The email or text looks nearly identical to legitimate Google security alerts, including official logos and formatting. But the goal is to steal your login credentials.

What Happened

The scam works by sending a message that claims Google detected unusual sign‑in attempts. It urges you to click a link to “review recent activity” or “secure your account.” The link leads to a fake login page that mimics Google’s real sign‑in screen. If you enter your email and password, the information is captured by scammers.

What makes this particular campaign dangerous is the quality of the imitation. In some cases the link genuinely starts on a real Google domain and only bounces to the attacker's page afterwards, through an open redirect (a Google URL that accepts an arbitrary destination in one of its query parameters). In others the attacker registers a domain of their own and places "google.com" in front of it as a subdomain, so a hostname can read like accounts.google.com.something.example (illustrative, not an address from the campaign) while the part that matters, the registered domain at the end, is theirs. The rest use a merely similar-looking URL. Even careful users can be fooled.

Why It Matters

Once scammers have your Google credentials, they can access Gmail, Google Drive, Google Photos, and any linked services. They may use your account to send phishing emails to your contacts, reset passwords on other sites, or steal personal information. Because many people reuse passwords across services, a single compromised Google account can lead to a cascade of security issues.

Google’s own security systems catch many phishing attempts, but this variant has been circulating widely and has slipped past some filters. The best defense is your own awareness.

What Readers Can Do

  1. Never click links in unsolicited security alerts. If you receive an email or text claiming suspicious activity, do not click any button or link. Instead, open a browser and go directly to your Google Account page (myaccount.google.com) or the Security Checkup (myaccount.google.com/security-checkup). If there is a real problem, you will see it there.

  2. Check the sender address carefully. Legitimate security emails from Google come from addresses whose domain is google.com or a subdomain of it (such as accounts.google.com), not @google.xyz.com, @notgoogle.com, or any other variation. What counts is the registered domain at the end of the address, not whether the word "google" appears somewhere in it. Even then, scammers can set a display name to say "Google" while the real address is anything at all. Hover over or expand the sender name to see the actual address.

  3. Look for poor grammar or urgency. Phishing messages often create false urgency (“your account will be suspended in 24 hours”) and may contain small typos or awkward phrasing. But this new scam is polished, so don’t rely on grammar alone.

  4. Enable two‑factor authentication (2FA). If you haven't already, turn on 2FA for your Google account. This adds a second step (a code from an authenticator app or a prompt on your phone) when signing in, so a stolen password alone is not enough. One caveat: a phishing page that relays what you type to Google in real time can also relay a one-time code or trigger the phone prompt, so codes and prompts raise the bar but do not close the door. A passkey or a hardware security key is bound to the real site's address and cannot be replayed from a fake page, which is why Google's Advanced Protection Program requires one.

  5. Use a password manager. Password managers can automatically fill credentials only on the correct website. If you land on a phishing page, the manager won’t recognize the URL and won’t autofill. This is a strong practical safeguard.

  6. Report the scam. If you receive a suspicious email claiming to be from Google, forward it to [email protected]. In Gmail (web or app), open the message menu and choose "Report phishing", which sends the message with its full headers and helps Google improve its filters.

Sources

  • Reader’s Digest, “Warning! This New Google Scam Looks Totally Legit—But Whatever You Do, Don’t Click on It” (April 30, 2026)
  • Google’s own security pages: myaccount.google.com/security-checkup

Stay cautious. The best habit is to treat any unexpected security notification as a red flag until you verify it through a trusted path.