is that a scam?
← Back to all scams
HIGH phishing Share

A fake Google security email steals your account even after you complete two-factor verification

A phishing email leads to a reverse-proxy Google login. You enter your password and complete 2FA, but the site steals your session token, giving attackers full Gmail access without your password.

Also known as: adversary-in-the-middle phishing, AITM Gmail attack, session cookie hijacking, MFA bypass phishing, reverse proxy Gmail phishing

What to do right now

  1. 1 Never click a link in an email to sign into Google — type myaccount.google.com yourself to check for real security alerts
  2. 2 If you clicked a suspicious link and signed in: immediately go to myaccount.google.com → Security → Manage all devices and sign out of all unfamiliar sessions
  3. 3 Check myaccount.google.com → Security → Recent security activity for logins you do not recognize and remove any device you did not authorize
  4. 4 Enable Google's Advanced Protection Program at google.com/landing/advancedprotection — it binds your session to your physical device, making stolen session cookies useless on another machine
  5. 5 Report to the FTC at https://reportfraud.ftc.gov and the FBI's IC3 at https://www.ic3.gov.

Red flags

  • An email urges you to click immediately to secure your Google account — real Google security alerts ask you to verify through the Google app on your phone, not by clicking a login link in the email
  • The login page looks identical to Google's real page — AITM proxy attacks mirror the genuine site in real time so there is no visual difference
  • You completed your 2FA code and were redirected to your real inbox, yet hours or days later you see unknown sign-ins — the attacker captured your session token and is now logged in from their own device
  • The URL in the address bar is subtly wrong — for example 'accounts.google.com.security-check.net' rather than 'accounts.google.com'
  • The email arrives from a display name like 'Google Security' but the actual sending address is not google.com

Sources

Share this with someone who might need it