How to Spot the New Google Phishing Scam That Looks Totally Real
You open your inbox, and there it is: a message from Google warning about suspicious activity on your account. The logo is correct, the layout looks just like every other email from Google, and the language sounds official. Most people would click the “Secure your account” button without a second thought.
Don’t.
A convincing new phishing scam is making the rounds, as reported by Reader’s Digest on April 30, 2026. It looks so legitimate that even careful users are almost fooled. Here’s what’s happening and how to keep your account safe.
What Happened
The scam works like this: an email arrives that appears to be from Google. It typically says something like “Unusual sign-in detected” or “Your account may be compromised.” The email includes a button or link urging you to verify your account or change your password immediately. Everything from the typeface to the Google logo looks authentic.
But the email is fake. The sender address is not truly from google.com—it may contain subtle misspellings (e.g., “googlesecure.com” or “account-google.co”) or be hidden behind a display name that only looks correct. The link, if you hover over it without clicking, leads to a page that mimics Google’s login screen. If you enter your credentials there, the attackers capture them and can take over your account.
Reader’s Digest reported the scam after multiple readers flagged it. The sophistication of the forgery is what sets it apart: earlier phishing attempts often had obvious typos or poor formatting, but this one is polished.
Why It Matters
Phishing is one of the oldest tricks in the book, but it works because it exploits urgency and trust. When an email appears to come from a service you rely on daily, your instinct is to act fast. The stakes are high: a compromised Google account can expose your email, contacts, files in Drive, and even linked financial services like Google Pay.
What makes this wave especially dangerous is its realism. Many people assume they can spot a fake by looking for bad grammar or strange logos. That’s no longer reliable. The attackers have invested in making the email look identical to the real thing.
Also note: Google rarely, if ever, asks you to click a link in an email to reset a password or verify your account. The company typically sends in-app notifications or uses your recovery email with a generic message directing you to your account settings—not a call-to-action button.
What You Can Do
You don’t need to be a cybersecurity expert to stay safe. Follow these concrete steps whenever you receive an email about a security alert or account issue.
1. Check the sender address
Don’t just glance at the display name. Click the “From” field to reveal the full email address. Legitimate Google emails come from addresses ending in @google.com. Look for anything else: even @google.com.security-alerts.net is a red flag, because the domain that actually receives and sends the mail is read from the right-hand end of the address (here security-alerts.net), and whatever appears before it is just a label the attacker chose.
2. Hover over links before clicking
On desktop, hover your mouse over any button or link in the email. The actual destination URL will appear in a small pop-up or at the bottom of your browser window. If the address looks unfamiliar (e.g., google-accountverify.com), do not click.
3. Go directly to Google instead
If the email raises any doubt, open a new browser tab and visit myaccount.google.com directly. You can check for security alerts there without following the email’s link. If there is a real issue, you’ll see it in your account dashboard.
4. Enable two-factor authentication
Even if this scam doesn’t target you now, enable 2FA on your Google account. It adds a second layer of protection (like a code sent to your phone) that makes a stolen password useless to attackers.
5. Report the email
Forward the suspicious email to Google at [email protected] and then delete it. You can also mark it as spam in your email client to help protect others.
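Steps 1 and 2 above are easy to get wrong by eye, because a lookalike such as google.com.security-alerts.net really does contain the text “google.com”. The following script is an added example, not code from the Reader’s Digest article or from Google: it applies the same two tests (sender domain, link destination) mechanically, matching on a domain-label boundary rather than by substring. The trusted-domain allowlist contains only google.com, as the article states, and every sample header and URL below is constructed for illustration.

```python
"""Added example: mechanical version of the 'check the sender' and
'hover over links' steps. Sample headers and URLs are constructed."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: account mail and links from Google end in google.com (as the
# article says). Extend this set if you know of other legitimate domains.
TRUSTED_DOMAINS = {"google.com"}


def domain_matches(hostname, trusted=TRUSTED_DOMAINS):
    """True only if hostname IS a trusted domain or a subdomain of one.

    The comparison anchors on the right-hand end of the name, so
    'google.com.security-alerts.net' and 'account-google.co' both fail:
    the owner of a name is decided by its last labels, not by whether
    'google.com' appears somewhere inside it.
    """
    hostname = hostname.lower().rstrip(".")
    if not hostname:
        return False
    return any(hostname == d or hostname.endswith("." + d) for d in trusted)


def sender_domain(from_header):
    """Return the domain of the real address behind a From: header.

    parseaddr separates the display name from the address, so a display
    name that merely looks like a Google address is ignored.
    """
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    # Split on the LAST '@' so nothing placed before it can masquerade as the domain.
    return address.rsplit("@", 1)[1]


def naive_looks_like_google(text):
    """The check most people do by eye: does 'google.com' appear anywhere?"""
    return "google.com" in text.lower()


def check_sender(from_header):
    """Step 1: is the address (not the display name) really under google.com?"""
    return domain_matches(sender_domain(from_header))


def check_link(url):
    """Step 2: does the link's hostname really sit under google.com over HTTPS?

    urlparse().hostname strips any 'user@' prefix, so a URL like
    https://google.com@evil.example/ resolves to evil.example here.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    return domain_matches(parsed.hostname or "")


# Constructed sample messages: one genuine-looking, three lookalikes.
SAMPLE_MESSAGES = [
    {"from": "Google <no-reply@accounts.google.com>",
     "links": ["https://myaccount.google.com/security"]},
    {"from": "Google <security@googlesecure.com>",
     "links": ["https://google-accountverify.com/login"]},
    {"from": '"no-reply@google.com" <alert@account-google.co>',
     "links": ["https://google.com.security-alerts.net/verify"]},
    {"from": "Google <no-reply@accounts.google.com>",
     "links": ["https://google.com@evil.example/reset"]},
]


def triage(messages):
    """Return (message index, reason) for every failed check."""
    findings = []
    for i, msg in enumerate(messages):
        if not check_sender(msg["from"]):
            domain = sender_domain(msg["from"]) or "missing"
            findings.append((i, "sender domain is not google.com: " + domain))
        for url in msg["links"]:
            if not check_link(url):
                findings.append((i, "link points outside google.com: " + url))
    return findings


if __name__ == "__main__":
    for index, reason in triage(SAMPLE_MESSAGES):
        print(f"message {index}: {reason}")
```

The contrast worth noticing is between naive_looks_like_google, which accepts every one of the constructed lookalikes because each contains the string “google.com”, and domain_matches, which rejects all of them. Mail clients and browsers apply the same right-anchored reading when they show you the real sender or the hover-over URL; the script simply makes that reading explicit.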
If You Already Clicked
Don’t panic, but act quickly:
- Change your Google password immediately from a trusted device, reaching the account recovery page by typing its address yourself rather than by following any link in the email.
- Check recent account activity under Security > Recent security events in your Google Account settings. Look for logins from unknown devices or locations.
- Remove any unfamiliar devices signed into your account under Security > Your devices.
- Run a review of connected apps and third-party services. Remove anything you don’t recognize.
- Consider scanning your computer with a reputable antivirus tool in case the link also installed malware.
Sources
Main source: “Warning! This New Google Scam Looks Totally Legit—But Whatever You Do, Don’t Click on It,” Reader’s Digest, April 30, 2026. Additional context from Google’s own phishing guidance (support.google.com).