How it works Detection Roadmap Pricing Blog Header Analyzer Phishing Quiz Install free
Security guide

Is that Google “security alert” email real or a scam?

“Critical security alert.” “New sign-in on Windows.” Google really does send these — and scammers copy them almost perfectly. If one just landed in your inbox, here’s how to tell the genuine Google alert from the fake, and the safest way to check.

Published 9 July 2026 · ~7 min read · By the Phixo team

An email arrives with a familiar red banner: “Critical security alert” or “New sign-in on Windows.” It says Google noticed a login you might not recognise and asks you to review the activity. Your pulse quickens — is someone in your account right now?

Here’s what makes this one genuinely hard: Google does send emails exactly like this. A real new-device sign-in generates a near-identical message. That’s precisely why phishers imitate the Google security alert so heavily — you’ve been trained to trust it. The good news is that real Google alerts follow consistent rules, and fakes almost always break at least one. Here’s how to check in under a minute.

The quick answer

Treat a Google security alert as fake if any of these are true: it comes from an address that isn’t on google.com or accounts.google.com, it threatens to delete or suspend your account within hours, it asks you to “confirm” your password or payment details, or it carries an attachment. The single most reliable move: don’t click anything in the email. Open a fresh tab, type myaccount.google.com yourself, and check your security activity there. If a real sign-in happened, it will be listed. If the email’s warning isn’t reflected in your account, the email is the fake — not the login.

Illustration of Phixo flagging a fake Google security alert email in Gmail: Critical Risk verdict, spoofed sender domain, generic greeting and pressure tactics detected
What this catch looks like (illustration): Phixo flags a fake “Critical security alert” in Gmail — the lookalike sender domain, generic greeting and pressure tactics earn a Critical Risk verdict. The warning text shown is Phixo’s real output for these signals.

What a real Google security alert looks like

Knowing the genuine pattern makes the fakes stand out:

Important nuance: receiving a real “new sign-in” alert doesn’t always mean you were hacked. It often fires when you log in on a new phone, a new browser, or after clearing cookies. The alert itself is normal — the danger is a fake one pushing you to a lookalike login page.

6 signs of a fake Google security alert

1. The sender domain isn’t google.com

The display name — “Google,” “Google Accounts,” “Google Security Team” — is trivial to fake. The address behind it is harder. Tap or click the sender name to reveal the full address and read the part after the @.

What you see vs. what’s really there From: Google Security Team
<no-reply@google-account-security.com>

Real Google alerts come from google.com (typically no-reply@accounts.google.com). Anything with extra words bolted on — google-account-security.com, secure-google.info — is a lookalike, no matter how perfect the logo and colours look.

2. Threats and a countdown

“Your account will be permanently deleted in 24 hours.” “Verify now or lose access.” Real Google alerts don’t work this way — they tell you what happened and let you review it in your own time. Fear that overrides thought is the engine of the attack. If a message is racing you toward a button with a ticking clock, that pressure is the red flag.

3. Links that don’t go to google.com

Before clicking, hover over the button (or press and hold on mobile) to preview the true destination. The text may read “Review activity” while the real link points somewhere else entirely.

The button lies Button text: Review your activity
Actual destination: http://g00gle-verify-login.com/secure

A genuine Google alert link lives on google.com — the review page is myaccount.google.com. If the destination is a different domain, a shortened URL, or a raw IP address, don’t click.

4. A lookalike domain

The sharpest fakes use domains built to survive a quick glance — a technique called typosquatting, often using homoglyphs (characters that look identical but aren’t).

Spot the difference g0ogle.com  (a zero, not an “o”)
accounts-google.com  (a hyphen, not a real subdomain)
google-security-alert.com  (extra words bolted on)

When a domain almost looks right, read it again character by character — especially on a phone, where the address bar is short and easy to skim. Remember: the real security page is always a subdomain of google.com (accounts.google.com, myaccount.google.com), never google.com with a word hyphenated onto the end.

5. It asks you to “confirm” your password or payment

The entire purpose of a phishing page is to capture what you type. A real Google alert only asks you to look. Any “security alert” that routes you to a form for your password, a verification code, or card details should be treated as hostile. Google doesn’t collect those through an alert email.

6. An unexpected attachment

A “security report,” a “sign-in log,” an “account statement” — attachments are a classic malware delivery method, and Google never attaches files to security alerts. Be wary of .zip, .html, and Office files that ask you to “enable content.” If a security alert arrives with a file, that alone tells you it’s fake.

The single safest way to check

Every sign above helps, but there’s one move that beats all of them because it removes the email from the equation entirely: go to your Google Account yourself.

  1. Don’t click any link or button in the email.
  2. Open a new browser tab and type myaccount.google.com by hand (or use a bookmark you trust).
  3. Sign in, then open Security.
  4. Check Recent security activity and Your devices. A genuine new sign-in will be listed there with the device and rough location.

If the email’s warning isn’t reflected in your account, the email is the fake — not the login. And if you do see a sign-in you don’t recognise, you can sign it out and secure your account from that same page, without ever touching the email.

This one habit — verify by going to the source, never by following the message — defends you against nearly every brand-impersonation scam, not just Google’s. It’s the same principle behind spotting a fake Amazon “account suspended” email.

The 30-second Google alert check

Why these fakes fool careful people

Two things make the Google security alert an unusually effective lure. First, it’s a real email you already trust — unlike a random “you won a prize” message, you’ve seen the genuine version and clicked it before. Second, the emotion it triggers is protective, not greedy: the fear that someone is already inside your account makes you want to act right now, which is exactly when careful judgement slips.

A convincing fake will copy Google’s exact layout, colours, and wording. That’s why appearance is the wrong thing to judge on. The reliable tells — the sender domain, the true link destination, and whether the same activity shows up when you log in directly — are the things a scammer can’t fake by copying a template. If you want to read the technical trail an email leaves behind, our free email header analyzer shows you where a message actually came from and whether it passed Google’s own authentication checks.

What if you already clicked or entered your details?

Don’t panic — act quickly. Go to myaccount.google.com directly (not through the email) and:

  1. Change your password straight away, and make the new one unique to Google.
  2. Turn on 2-Step Verification if it isn’t already on — this stops a stolen password from being enough on its own.
  3. Review Recent security activity and Your devices under Security, and sign out anything you don’t recognise.
  4. Check Third-party apps with account access and remove anything unfamiliar.
  5. Change the password anywhere you reused it. If that Google password protected other accounts, treat them as exposed too.

We’ve written a calm, step-by-step guide for exactly this moment: what to do if you clicked on a phishing link. And to get sharper at catching these before they catch you, see the 8 warning signs of a phishing email.

Frequently asked questions

Does Google really send security alert emails?

Yes. Google genuinely emails you when it notices a new sign-in, a login from a new device or location, or another security-relevant change — usually from no-reply@accounts.google.com. Real alerts are plainly designed, don’t threaten to delete your account, and link only to myaccount.google.com. Because these real alerts are so common, scammers copy them closely.

How can I tell if a Google security alert is real or fake?

A real Google alert comes from a google.com address, uses calm wording, never asks for your password or payment, and links only to myaccount.google.com. Treat it as fake if the sender domain is anything else, if it threatens to delete your account within hours, if it asks you to confirm a password or card, or if it carries an attachment. The safest check is to ignore the email’s links and open myaccount.google.com yourself.

What is the safest way to check?

Don’t click anything in the email. Open a new tab, type myaccount.google.com yourself, sign in, and open Security → Recent security activity and Your devices. If a genuine new sign-in happened, it will be listed there. If the email’s warning isn’t reflected in your account, the email is the fake, not the login.

Not sure about an email? Let Phixo check it

Phixo is a browser extension that checks the email open in your Gmail or Outlook against several of the signals above — sender and domain reputation, link mismatches, lookalike domains, and email authentication (SPF, DKIM, DMARC) — plus an AI read of the language, and flags anything suspicious in seconds. Free plan includes 10 scans a day, no credit card. A one-time Google or Microsoft sign-in keeps your scan count tied to your account.

Install Phixo free →

Your email body is never stored. Analysis happens in real time and is discarded immediately.