
A wave of fake Gmail security alerts has surfaced, targeting users worldwide with deceptive emails and phone scams. These sophisticated phishing scams exploit users' trust in Google security, aiming to steal login credentials and take control of personal accounts.
Scammers impersonate Google support and send alarming security notifications that require security confirmations, often claiming that an unauthorized login attempt has been made on the user’s account, according to Malwarebytes and a report by Forbes.
Victims are urged to reset their passwords via a suspicious recovery process. To further build credibility, the attacker might send a password reset email and request authentication codes over the phone, creating an illusion of legitimacy.
These real-time interactions allow scammers to bypass multi-factor authentication (MFA) barriers, effectively seizing control of the victim's Google account.
One Reddit user reported being asked to accept a confirmation prompt that cybercriminals send to the user’s phone while the hackers are on the phone with the victim, which would allow account takeover.
Sometimes the targets are urged to verify the caller's legitimacy by checking a fake caller ID—an advanced tactic that exemplifies the degree of planning behind these phishing scams.
Falling for these scams gives attackers immediate access to Gmail accounts, enabling further exploitation like identity theft, financial fraud, or unauthorized access to sensitive data stored in linked accounts.
The attacks are deceptive and often seem authentically tied to Google, leaving users who do not scrutinize them closely vulnerable to email fraud.
Recently, TechNadu reported that a Gmail voicemail phishing scam uses malicious CAPTCHA on fake websites to steal user credentials. This month, Google admitted the ShinyHunters ransomware actors successfully compromised a Google Salesforce database.
In July, reports mentioned that phishing attacks surged in 2025, impersonating financial institutions and payment platforms.
To avoid falling victim to these scams:
By staying vigilant and following official communication channels, users can safeguard their accounts against these phishing scams. Always remember—Google will never call you or ask for codes over the phone.