Google impersonation scam targets Gmail and Google Pay users

Scam callers impersonating Google are manipulating Google users into handing over access to their accounts, including Gmail and Google Pay.
The fraudsters use a combination of emails and convincing phone calls to trick victims into giving out security codes which are meant to protect accounts from hackers. This tactic is known as spear-phishing.
Here, we take a look at how this scam works and what you can do to protect yourself from it.
How the Google impersonation scam works
The scam starts off by triggering security alert emails to a Google user, warning them that someone is trying to access their account from an unrecognised device or location.
The scammers do this by attempting to log into your Google account multiple times using your email address and either a real password or an incorrect one.
Google automatically recognises when someone is trying to access your account from a different location than usual or using a different device. It usually blocks the login attempt, even if the correct password is used, and sends you an alert or notification to check if it was really you trying to sign in.
The emails are followed up shortly afterwards by phone calls from fraudsters claiming to be from Google’s ‘security team’. They’ll ask if you’ve received the email warnings and explain your account is being hacked.
The scammers explain that in order to confirm your identity and secure your account, they’ll send you an email or text verification code which you need to give them.
At the same time, they request an account reset from Google using your email address. This triggers a security code to be sent to your phone or a backup email address, and they'll claim you need to read that code out to them so they can confirm your identity and secure your account.
If you give the code to the scammers, it allows them to use it in combination with your email address to gain access to your account.
Once they’ve gained access to your account, they end the call and lock you out of your Google account so you can no longer access it.
Why scammers want your Google account
To pull off this scam, fraudsters will usually already have your email address and phone number, and sometimes even your password, possibly from a previous phishing email they’ve targeted you with or an online data breach.
They're looking to gain access to personal information such as payment details, emails and contact lists. They can use this information about you and your contacts to carry out further scams more convincingly.
One way they might do this is by emailing your contacts and asking them to send money, often saying you need cash in an emergency. The email will appear to be from you, and your close contacts may be duped into sending money via bank transfer or gift cards.
Sometimes, criminals may use your account as cover for making money transfers or setting up online advertising for other scams, such as shopping scams or investment fraud.
In some cases, the scammers have also asked the account owner for ransom money to return access to the account.
It’s unlikely scammers will be able to steal money from you through your Google account, because of additional security measures used by Google Pay.
What to do if your Google account has been accessed
Try using the Google Account Recovery tool to get your account back. The tool can be used if your password or other login details have been changed by scammers.
Use the tool on a device, such as a computer or mobile, that you would usually use to log into your Google account. Google can recognise devices regularly used with your account, and will then take you through steps to further verify your identity and regain access to your account.
Although it’s unlikely the scammers will be able to use your Google Pay account, it’s worth contacting your bank if you have any card, banking or other payment details saved anywhere in your Google account so they can take steps to protect your money.
If scammers have stolen money from you or have used your account to scam someone else, you should report it to your payment provider. You should also report the scam to Action Fraud or police on 101 if you live in Scotland.
You should also report the scam if you’ve been asked for money in return for getting access to your account back.
Four ways to protect yourself from this Google account scam
- Never give security codes or passwords for your Google account - or any other accounts - to anyone.
- Make sure two-factor authentication is set up on all your important accounts, or use an authenticator app. Although scammers can sometimes manipulate their way through this by persuading victims to hand over security codes, using authentication creates more steps for them to overcome in order to gain access to your accounts.
- Check the email address of any security alert emails you receive out of the blue from Google. Most will be sent from no-reply@accounts.google.com. If the email was sent from a different address, treat it with caution, and don’t follow any links included in the email.
- Sometimes, phishing emails impersonating Google are delivered to other email accounts with different email providers. For example, you might receive an email warning to a Hotmail or Yahoo account that someone is trying to access your Gmail or Google account. If you’ve received an email from Google about your Google account to a different email account, it’s almost certainly fake. Google typically only sends account security alerts through its own Gmail platform.
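The third and fourth points above can be turned into a simple check on the raw headers of a suspicious alert. The example below is added here and is not code from the original article or from Google; it uses only Python's standard library and two constructed sample messages (labelled as such in the code). The sender address it compares against, no-reply@accounts.google.com, is the one the article names; the list of Google mailbox domains and the DKIM check are assumptions added for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Sender the article says genuine Google security alerts come from.
GOOGLE_ALERT_SENDER = "no-reply@accounts.google.com"
# Assumption: mailboxes that count as "Google's own platform" for the
# article's fourth point (alerts arriving elsewhere are treated as suspect).
GOOGLE_MAILBOX_DOMAINS = {"gmail.com", "googlemail.com"}


def triage_alert(raw_message: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for a raw RFC 5322 message.

    Checks the real sender address (not the display name), where the
    message was delivered, and whether the receiving server recorded a
    passing DKIM result for Google's domain.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    # parseaddr separates "Display Name <addr>" so a display name that merely
    # *contains* a Google address cannot fool the comparison.
    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    if sender != GOOGLE_ALERT_SENDER:
        reasons.append(f"sender is {sender or '<missing>'}, expected {GOOGLE_ALERT_SENDER}")
    if "google" in display_name.lower() and not sender.endswith("@accounts.google.com"):
        reasons.append("display name claims Google but the address does not")

    # Article's fourth point: a Google account alert delivered to a
    # non-Google mailbox is almost certainly fake.
    _, recipient = parseaddr(str(msg.get("To", "")))
    recipient_domain = recipient.lower().rpartition("@")[2]
    if recipient_domain not in GOOGLE_MAILBOX_DOMAINS:
        reasons.append(f"delivered to a non-Google mailbox ({recipient_domain or '<missing>'})")

    # Assumption: Authentication-Results is written by *your own* mail
    # provider on receipt, so it is only meaningful when that provider added
    # it. A From header alone can be forged; a passing DKIM signature for
    # accounts.google.com cannot.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if not ("dkim=pass" in auth and "accounts.google.com" in auth):
        reasons.append("no passing DKIM result for accounts.google.com")

    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample 1: what a genuine alert's headers look like once the
# receiving server has recorded its authentication results.
GENUINE_ALERT = """\
From: Google <no-reply@accounts.google.com>
To: alice@gmail.com
Subject: Security alert
Authentication-Results: mx.example.net; dkim=pass header.i=@accounts.google.com; spf=pass

A new sign-in was blocked. Check the activity in your account settings.
"""

# Constructed sample 2: a lookalike sender domain, a Google display name, and
# delivery to a non-Google mailbox, as described in the article.
SPOOFED_ALERT = """\
From: Google Security Team <security-alert@accounts-google.example>
To: alice@hotmail.com
Subject: Security alert - action required
Authentication-Results: mx.example.net; dkim=none; spf=fail

Someone tried to sign in to your Google account. Confirm your identity.
"""

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE_ALERT), ("spoofed", SPOOFED_ALERT)):
        result = triage_alert(sample)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "looks genuine")
        for reason in result["reasons"]:
            print("   -", reason)
```

The domain comparison is exact rather than a substring match, because lookalike domains such as accounts-google.example or accounts.google.com.example would pass a naive "contains google.com" test. Even when every check passes, the article's first point still applies: a genuine alert never asks you to read a verification code to anyone.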