A New Google Scam Looks Surprisingly Real – Here’s How to Avoid It
If you use Gmail, Google Drive, or any other Google service – and most of us do – there’s a new phishing scam circulating that’s worth understanding. According to a recent report from Reader’s Digest, the fraudsters have refined their approach. The fake emails and pop-ups look convincingly like real Google messages, and even people who are normally careful have been tricked.
What Happened
The scam typically starts with an email or a browser notification that claims there’s a problem with your account. Common messages include “Suspicious sign-in attempt detected,” “Your account will be suspended in 48 hours,” or “You need to verify your recovery information.” The branding, fonts, and layout all mimic official Google communications.
If you click the link, you’re taken to a page that looks exactly like the Google sign-in screen. But it’s a fake. Any credentials you enter go straight to the scammers. Some versions of the scam even use URLs that start with accounts.google.com but include a subtle redirect or a deceptive subdomain. The goal is to steal your email password and, from there, gain access to other accounts linked to that email.
The report notes that these attacks have become harder to spot because the fake login pages now load quickly and sometimes bypass security warnings that browsers typically show for known phishing sites. This isn’t a theoretical risk – it’s a campaign that’s actively hitting inboxes.
Why It Matters
Phishing remains one of the most effective methods for cybercriminals. According to the FBI’s Internet Crime Complaint Center, phishing was the most common cybercrime in 2024, with losses in the billions. A stolen Google account can give an attacker access to your emails, documents, saved passwords in Chrome, and even your Google Pay information. They can also use your account to send phishing emails to your contacts, spreading the scam further.
Because this particular version looks so legitimate, the usual advice to “just look at the URL” isn’t always enough. The scam relies on psychological pressure – urgency and fear of losing your account – to make you act before you think. That’s why understanding the specific warning signs is so important.
What Readers Can Do
Red flags to watch for:
- The sender address. Genuine Google security emails always come from addresses ending in @google.com. Be suspicious of @google-security.com, @accounts-support.net, or any variation. Hover over the sender name to see the actual email address.
- Urgent language threatening account closure. Google rarely, if ever, sends emails that demand immediate action or threaten suspension without warning. If you’re unsure, open a new browser tab and go directly to myaccount.google.com – never click the link in the message.
- Requests for your password. Google will never ask for your password via email, pop-up, or phone call. Any message that does is a scam.
- Mismatched or odd URLs. Even if the link appears to start with accounts.google.com, scroll to see the full address. Phishers often use redirects or add characters like accounts.google.com.security-check.xyz. If in doubt, type the address manually.
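As an added illustration (not part of the Reader’s Digest report or this article), the Python snippet below shows why “the link starts with accounts.google.com” is not a sufficient test. It parses the URL, pulls out the real host, and accepts only hosts that are google.com or a subdomain of it on a label boundary, so accounts.google.com.security-check.xyz is rejected while the naive prefix check passes it. It also flags query parameters that themselves carry another URL (the pattern a redirect trick relies on) and applies the same domain check to a sender address. The allow-list, the placeholder host evil.example and the sample addresses are constructed for this example; a real allow-list would need Google’s other legitimate domains, and the check does not catch look-alike (homograph) domains.

```python
from urllib.parse import urlparse, parse_qsl

# Constructed allow-list for the example: the article only names google.com.
# A production list would carry every domain the real sender legitimately uses.
TRUSTED_REGISTRABLE_DOMAINS = {"google.com"}


def host_belongs_to(host: str, registrable: str) -> bool:
    """True only if host is registrable itself or a subdomain of it.

    The check is done on a label boundary ("." + domain), so
    notgoogle.com and google.com.security-check.xyz both fail.
    """
    host = host.lower().rstrip(".")  # ignore case and a trailing root dot
    return host == registrable or host.endswith("." + registrable)


def classify_link(url: str) -> str:
    """Classify a link as 'trusted', 'untrusted-host' or 'redirect-parameter'."""
    parsed = urlparse(url)
    # .hostname discards userinfo ("accounts.google.com@evil.example") and port,
    # which is exactly what a visual "starts with" check gets wrong.
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        return "untrusted-host"
    if not any(host_belongs_to(host, d) for d in TRUSTED_REGISTRABLE_DOMAINS):
        return "untrusted-host"
    # Even on a genuine host, a query value that is itself a URL may send the
    # browser somewhere else after the page loads.
    for _key, value in parse_qsl(parsed.query):
        if value.lower().startswith(("http://", "https://")):
            return "redirect-parameter"
    return "trusted"


def sender_is_trusted(address: str) -> bool:
    """Apply the same domain rule to the part of an e-mail address after '@'."""
    if address.count("@") != 1:
        return False
    _local, domain = address.rsplit("@", 1)
    return any(host_belongs_to(domain, d) for d in TRUSTED_REGISTRABLE_DOMAINS)


def naive_prefix_check(url: str) -> bool:
    """The insufficient test the article warns about: a plain string prefix."""
    return url.startswith("https://accounts.google.com")


if __name__ == "__main__":
    # Constructed sample links; evil.example uses the reserved .example TLD.
    samples = [
        "https://accounts.google.com/signin",
        "https://accounts.google.com.security-check.xyz/login",
        "https://accounts.google.com@evil.example/login",
        "https://www.google.com/url?q=https://evil.example/",
    ]
    for link in samples:
        print(f"{link}\n  prefix check: {naive_prefix_check(link)}"
              f"  host check: {classify_link(link)}")
```

The third sample is the case to notice: a prefix check sees accounts.google.com, but the browser treats everything before the @ as a username and connects to evil.example. The last sample shows that a genuine host is not the end of the story when the address carries another URL in its query string.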
What to do if you already clicked and entered your password:
- Change your Google password immediately. Use a strong, unique password you haven’t used elsewhere.
- Enable two-factor authentication (2FA) if you haven’t already. An authenticator app such as Google Authenticator or a hardware security key is more secure than SMS codes.
- Review recent account activity at myaccount.google.com/security. Look for login attempts from unfamiliar locations or devices.
- Check your Gmail filters and forwarding rules – scammers sometimes set up automatic forwarding to steal future messages.
- Report the phishing email to Google by forwarding it to [email protected].
Proactive protection:
- Use a password manager. It will automatically fill in credentials only on the real site, so a fake login page won’t auto-fill – a strong visual signal that something is wrong.
- Turn on Google’s Advanced Protection Program if you’re at higher risk (e.g., journalists, activists, or people in sensitive roles).
- Regularly check your list of trusted devices and connected apps at myaccount.google.com/security. Remove anything you don’t recognize.
Sources
- Reader’s Digest, “Warning! This New Google Scam Looks Totally Legit—But Whatever You Do, Don’t Click on It,” April 30, 2026.
- Google Safety Center, “Recognize and avoid phishing messages, phony support calls, and other scams,” support.google.com.
Stay alert. The best defense is a moment of hesitation before clicking. If an email feels off, it probably is.