Warning! This New Google Scam Looks Totally Legit—But Whatever You Do, Don’t Click on It

A highly convincing phishing scam targeting Google account users is making the rounds. It starts with an email that appears to come from Google—often a “security alert” or “unusual sign-in attempt” notice—and leads to a login page that looks identical to the real Google sign-in screen. If you enter your credentials, attackers capture them and gain full access to your Gmail, Drive, and any linked services.

This is not a hypothetical risk. Multiple outlets, including Reader’s Digest, have reported that the fake page is so well crafted that even experienced users have trouble telling it apart from the real thing. The scam relies less on technical sophistication and more on social engineering: the email creates urgency, and the fake page mimics Google’s interface down to the logo and layout.

What’s actually happening

The typical flow looks like this:

  1. You receive an email with a subject like “Google Security Alert – Unusual Sign-In Attempt” or “Your account will be suspended unless you verify now.”
  2. The email contains a link that leads to a page that looks exactly like accounts.google.com—but the URL is slightly different. Common tricks include accounts-go0gle.com, accounts.google.security.com, or a subdomain that looks plausible at first glance.
  3. The page asks for your email address and password. Once you submit, the attackers immediately steal that data and often redirect you to the real Google site so you don’t suspect anything.

Some variations also ask for your phone number or two-factor authentication code in real time, allowing the scammers to bypass 2FA if you enter it on their page.

Why it matters

Your Google account is often the master key to your digital life. Gmail, Google Drive, YouTube, Google Photos, and any Android device you own are tied to it. If an attacker takes over, they can read your emails, reset passwords for other services (banking, social media, shopping), and even use your account to send phishing emails to your contacts. Some victims have reported losing access to decades of personal data and struggling for weeks to recover their accounts.

The scam is particularly dangerous because it doesn’t rely on obvious misspellings or low-quality graphics. The fake login page often uses a valid SSL certificate (the padlock icon in the browser bar) and a domain that includes “google” somewhere in the name. That padlock only tells you the connection to the site is encrypted, not that the site is legitimate; anyone who registers a domain can get a certificate for it.

How to spot the fake – and what to do if you clicked

If you receive an unexpected security email, do not click any links. Instead, open a new browser tab and go directly to https://myaccount.google.com/security or https://accounts.google.com. Never sign in from a link in an email.

Here are concrete verification steps:

  • Check the URL carefully. The real Google login page always starts with https://accounts.google.com/. The part to inspect is the host name, the text between https:// and the next slash: it must be exactly accounts.google.com. Look for hyphens, extra words, digits in place of letters, or misspellings in that part, and be wary if “google” appears but something other than a single slash follows “google.com.” For example, accounts-google.com or google-security-alert.com are red flags.
  • Look for urgency. Google rarely asks you to verify your account via email unless you’ve triggered a known security event (and even then, they provide a link to your account dashboard, not a login page). If the email threatens suspension or immediate action, treat it as suspicious.
  • Hover over links before clicking. On a desktop, hover your mouse over any button or link in the email. The actual destination URL will appear in the status bar or as a tooltip. If it doesn’t match accounts.google.com, don’t click.
  • Use a password manager. Password managers autofill credentials only on the exact website you’ve saved them for. If the fake page doesn’t match the saved URL, the manager won’t fill in your password—a strong behavioral signal.

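As an added illustration (not code from the article or from Google), the small Python checker below applies the two rules above, an exact host-name match and a password-manager-style origin match, to the lookalike addresses the article lists plus two constructed ones, and shows why a loose “does the address contain google?” check is not enough:

```python
from urllib.parse import urlsplit

# Constructed sample addresses: the real sign-in page, the lookalikes the
# article names, and two extra cases (real name used as a subdomain of another
# domain, and the right host served without HTTPS).
SAMPLE_URLS = [
    "https://accounts.google.com/signin/v2/identifier",
    "https://accounts-go0gle.com/signin",
    "https://accounts.google.security.com/login",
    "https://accounts-google.com/",
    "https://google-security-alert.com/verify",
    "https://accounts.google.com.example.net/signin",
    "http://accounts.google.com/signin",
]

LEGIT_HOST = "accounts.google.com"


def naive_contains_google(url: str) -> bool:
    """The check many people do in their head: does the address mention google?
    Most of the lookalikes above pass it, which is exactly the problem."""
    return "google" in (urlsplit(url).hostname or "").lower()


def classify_login_url(url: str) -> str:
    """Return 'legit', 'no-tls' or 'lookalike' for a sign-in address.

    Rule from the article: the page must be served over HTTPS and the host
    name must be exactly accounts.google.com. A host that merely contains
    'google', or has anything after google.com other than the path, fails.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host != LEGIT_HOST:
        return "lookalike"
    if parts.scheme != "https":
        return "no-tls"
    return "legit"


def autofill_allowed(saved_origin: str, page_url: str) -> bool:
    """Model the password-manager rule: only fill when scheme, host and port
    match the origin the credential was saved for."""
    saved, page = urlsplit(saved_origin), urlsplit(page_url)
    return (saved.scheme, (saved.hostname or "").lower(), saved.port) == \
           (page.scheme, (page.hostname or "").lower(), page.port)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_login_url(u):10} naive={naive_contains_google(u)!s:5} {u}")
```

Running it prints one “legit” line and flags every other sample, while the naive check waves through six of the seven.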
If you already clicked and entered your credentials, act immediately:

  1. Change your password at https://accounts.google.com/signin/recovery. Do this from a trusted device, not the same browser you used for the scam page.
  2. Enable two-factor authentication if you haven’t already. Use an authenticator app (like Google Authenticator or Authy) rather than SMS, which can be intercepted.
  3. Check recent account activity. Go to https://myaccount.google.com/security-checkup to review recent sign-ins, linked devices, and recovery options. Remove any devices you don’t recognize.
  4. Revoke access to third-party apps. Visit https://myaccount.google.com/permissions and remove any apps that look unfamiliar.
  5. Run a full security checkup using Google’s official tool at https://g.co/securitycheckup. It will walk you through account settings and flag anything unusual.

Additional precautions going forward

  • Enable phishing alerts in Chrome (Settings > Privacy and security > Security > Use secure DNS). Chrome will warn you if you try to visit a known phishing site.
  • Never enter your Google password on a page you reached through an email link. Bookmark the real login page or type it manually.
  • If you receive a suspicious email, report it as phishing within Gmail (click the three dots next to the message and select “Report phishing”). This helps Google block similar attempts for other users.

This scam is effective because it preys on our habit of acting quickly when we see an official warning. The best defense is a moment of pause: verify the URL, ignore the urgency, and always navigate to Google’s website on your own terms.

Sources

  • Reader’s Digest, “Warning! This New Google Scam Looks Totally Legit—But Whatever You Do, Don’t Click on It,” April 2026.
  • Google Security Checkup: https://g.co/securitycheckup
  • General phishing guidance from Google’s official support documentation.