“Critical security alert.” “New sign-in on Windows.” Google really does send these — and scammers copy them almost perfectly. If one just landed in your inbox, here’s how to tell the genuine Google alert from the fake, and the safest way to check.
Published 9 July 2026 · ~7 min read · By the Phixo team
An email arrives with a familiar red banner: “Critical security alert” or “New sign-in on Windows.” It says Google noticed a login you might not recognise and asks you to review the activity. Your pulse quickens — is someone in your account right now?
Here’s what makes this one genuinely hard: Google does send emails exactly like this. A real new-device sign-in generates a near-identical message. That’s precisely why phishers imitate the Google security alert so heavily — you’ve been trained to trust it. The good news is that real Google alerts follow consistent rules, and fakes almost always break at least one. Here’s how to check in under a minute.
Treat a Google security alert as fake if any of these are true: it comes from an address that isn’t on google.com or accounts.google.com, it threatens to delete or suspend your account within hours, it asks you to “confirm” your password or payment details, or it carries an attachment. The single most reliable move: don’t click anything in the email. Open a fresh tab, type myaccount.google.com yourself, and check your security activity there. If a real sign-in happened, it will be listed. If the email’s warning isn’t reflected in your account, the email is the fake — not the login.
Knowing the genuine pattern makes the fakes stand out:
Important nuance: receiving a real “new sign-in” alert doesn’t always mean you were hacked. It often fires when you log in on a new phone, a new browser, or after clearing cookies. The alert itself is normal — the danger is a fake one pushing you to a lookalike login page.
The display name — “Google,” “Google Accounts,” “Google Security Team” — is trivial to fake. The address behind it is harder. Tap or click the sender name to reveal the full address and read the part after the @.
Real Google alerts come from google.com (typically no-reply@accounts.google.com). Anything with extra words bolted on — google-account-security.com, secure-google.info — is a lookalike, no matter how perfect the logo and colours look.
“Your account will be permanently deleted in 24 hours.” “Verify now or lose access.” Real Google alerts don’t work this way — they tell you what happened and let you review it in your own time. Fear that overrides thought is the engine of the attack. If a message is racing you toward a button with a ticking clock, that pressure is the red flag.
Before clicking, hover over the button (or press and hold on mobile) to preview the true destination. The text may read “Review activity” while the real link points somewhere else entirely.
A genuine Google alert link lives on google.com — the review page is myaccount.google.com. If the destination is a different domain, a shortened URL, or a raw IP address, don’t click.
The sharpest fakes use domains built to survive a quick glance — a technique called typosquatting, often using homoglyphs (characters that look identical but aren’t).
When a domain almost looks right, read it again character by character — especially on a phone, where the address bar is short and easy to skim. Remember: the real security page is always a subdomain of google.com (accounts.google.com, myaccount.google.com), never google.com with a word hyphenated onto the end.
The entire purpose of a phishing page is to capture what you type. A real Google alert only asks you to look. Any “security alert” that routes you to a form for your password, a verification code, or card details should be treated as hostile. Google doesn’t collect those through an alert email.
A “security report,” a “sign-in log,” an “account statement” — attachments are a classic malware delivery method, and Google never attaches files to security alerts. Be wary of .zip, .html, and Office files that ask you to “enable content.” If a security alert arrives with a file, that alone tells you it’s fake.
Every sign above helps, but there’s one move that beats all of them because it removes the email from the equation entirely: go to your Google Account yourself.
If the email’s warning isn’t reflected in your account, the email is the fake — not the login. And if you do see a sign-in you don’t recognise, you can sign it out and secure your account from that same page, without ever touching the email.
This one habit — verify by going to the source, never by following the message — defends you against nearly every brand-impersonation scam, not just Google’s. It’s the same principle behind spotting a fake Amazon “account suspended” email.
Two things make the Google security alert an unusually effective lure. First, it’s a real email you already trust — unlike a random “you won a prize” message, you’ve seen the genuine version and clicked it before. Second, the emotion it triggers is protective, not greedy: the fear that someone is already inside your account makes you want to act right now, which is exactly when careful judgement slips.
A convincing fake will copy Google’s exact layout, colours, and wording. That’s why appearance is the wrong thing to judge on. The reliable tells — the sender domain, the true link destination, and whether the same activity shows up when you log in directly — are the things a scammer can’t fake by copying a template. If you want to read the technical trail an email leaves behind, our free email header analyzer shows you where a message actually came from and whether it passed Google’s own authentication checks.
Don’t panic — act quickly. Go to myaccount.google.com directly (not through the email) and:
We’ve written a calm, step-by-step guide for exactly this moment: what to do if you clicked on a phishing link. And to get sharper at catching these before they catch you, see the 8 warning signs of a phishing email.
Yes. Google genuinely emails you when it notices a new sign-in, a login from a new device or location, or another security-relevant change — usually from no-reply@accounts.google.com. Real alerts are plainly designed, don’t threaten to delete your account, and link only to myaccount.google.com. Because these real alerts are so common, scammers copy them closely.
A real Google alert comes from a google.com address, uses calm wording, never asks for your password or payment, and links only to myaccount.google.com. Treat it as fake if the sender domain is anything else, if it threatens to delete your account within hours, if it asks you to confirm a password or card, or if it carries an attachment. The safest check is to ignore the email’s links and open myaccount.google.com yourself.
Don’t click anything in the email. Open a new tab, type myaccount.google.com yourself, sign in, and open Security → Recent security activity and Your devices. If a genuine new sign-in happened, it will be listed there. If the email’s warning isn’t reflected in your account, the email is the fake, not the login.
Phixo is a browser extension that checks the email open in your Gmail or Outlook against several of the signals above — sender and domain reputation, link mismatches, lookalike domains, and email authentication (SPF, DKIM, DMARC) — plus an AI read of the language, and flags anything suspicious in seconds. Free plan includes 10 scans a day, no credit card. A one-time Google or Microsoft sign-in keeps your scan count tied to your account.
Install Phixo free →Your email body is never stored. Analysis happens in real time and is discarded immediately.