A fake Google security email steals your account even after you complete two-factor verification
A phishing email leads to a reverse-proxy Google login. You enter your password and complete 2FA, but the site steals your session token, giving attackers full Gmail access without your password.
Also known as: adversary-in-the-middle phishing, AITM Gmail attack, session cookie hijacking, MFA bypass phishing, reverse proxy Gmail phishing
Already happened to you? Do this in the next few minutes
- 1 Call your bank or card's fraud line right now. Use the number on the back of your card — not any number from the message or caller. Ask them to stop or reverse the payment and freeze the account.
- 2 If you paid by gift card, wire, or an app (Zelle, Venmo, Cash App): contact that company immediately and report it as fraud. Acting fast sometimes recovers the money.
- 3 Report to the FBI at ic3.gov and the FTC at reportfraud.ftc.gov. The sooner, the better.
What to do right now
- 1 Never click a link in an email to sign into Google — type myaccount.google.com yourself to check for real security alerts
- 2 If you clicked a suspicious link and signed in: immediately go to myaccount.google.com → Security → Manage all devices and sign out of all unfamiliar sessions
- 3 Check myaccount.google.com → Security → Recent security activity for logins you do not recognize and remove any device you did not authorize
- 4 Enable Google's Advanced Protection Program at google.com/landing/advancedprotection — it binds your session to your physical device, making stolen session cookies useless on another machine
- 5 Report to the FTC at https://reportfraud.ftc.gov and the FBI's IC3 at https://www.ic3.gov.
Red flags
- ⚠ An email urges you to click immediately to secure your Google account — real Google security alerts ask you to verify through the Google app on your phone, not by clicking a login link in the email
- ⚠ The login page looks identical to Google's real page — AITM proxy attacks mirror the genuine site in real time so there is no visual difference
- ⚠ You completed your 2FA code and were redirected to your real inbox, yet hours or days later you see unknown sign-ins — the attacker captured your session token and is now logged in from their own device
- ⚠ The URL in the address bar is subtly wrong — for example 'accounts.google.com.security-check.net' rather than 'accounts.google.com'
- ⚠ The email arrives from a display name like 'Google Security' but the actual sending address is not google.com
Sources
- Google — June 2026 Fraud and Scams Advisory (AITM named as top Gmail threat)
- Petronella Tech — FBI warning: sophisticated Gmail phishing attacks in 2026 bypassing MFA
- GBlock — Google's June 2026 Scam Advisory: 3 Gmail Threats
- DEV Community — AiTM Phishing 2026: How Starkiller and Tycoon 2FA Bypass Your MFA
- Kymatio — Google June 2026 Fraud Advisory: Hybrid Cyber Threats