Hackers have once again found a way to exploit a security feature you trust. The Google Critical Security Alert designed to warn users about potentially unauthorized access has been turned into a phishing scam. Find out how hackers are using this feature to their advantage and what to do if you receive such an email.
How does the Google Critical Security Alert scam look?
Google’s Critical Security Alert is a useful security feature that notifies you every time a new device is used to log into your account. It may be you, or it may be a perpetrator. Either way, you will receive an email from Google double-checking whether the login was intended. If it wasn’t you, you should immediately check your Gmail account for any suspicious activity.
Many users receive these warnings after buying a new device, signing in from their work computer, or when browsing behind a proxy or a VPN server. The latter will change your IP address; therefore, Google will identify your connection as coming from a new device.
However, hackers wouldn’t be hackers if they didn’t find ways to exploit a trustworthy security feature and turn it into a phishing attack. Gmail users have been reporting phishing emails that appear to come from Google. They usually follow one of these two scenarios:
- The email notifies users of a new attempted sign-in, claims that Google blocked the attempt, and asks the user to check their activity. However, the button that would normally lead to your Google security page is spoofed here: it leads to a malicious website or downloads malware directly onto your device;
- The email notifies users of unauthorized access and asks them to reset their password immediately. In this scenario, the button to reset your password leads to a spoofed website that looks very similar to a legitimate Google login page. However, if a user enters their details here, they’re sent directly to the hacker.
What to do if you received a Google Critical Security Alert email
- Ask yourself whether it might be legitimate. Are you using a new device? Did you sign in from a work computer or borrow a friend’s device to log in? Or maybe your VPN launched automatically, so Google saw a new IP address? If so, the email might be a legitimate false alarm.
- Check who the sender is. Did the email come from a legitimate Google address? Hover over the sender name to reveal the actual email address, but don’t click on it or reply to the email.
- Check the quality of the text. Does it have any grammatical errors? What about the writing style? Is it formal enough to pass for Google? Legitimate companies usually painstakingly proofread emails they send to users. If you spot any mistakes, it’s a good indication that it’s a phishing email.
- Never click on any links or buttons or download any files. Don’t give in to temptation, even if the email ‘urges’ you to do so.
- Whether or not the email is legitimate, you can safely check your account activity by going to your Google account security checkup page yourself (not through the email). Here, you can see which devices are currently signed in and how many there are, check recent security events, and see which third-party apps have access to your account. Check all these tabs for suspicious activity. If you don’t see anything suspicious, the email was likely a phishing scam.
- If you went through the steps above and are sure that the alert was legitimate, change your passwords immediately. Also, read these tips to check for suspicious activity and what else needs to be done to reclaim your account.
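The two checks above that require looking “behind” the email (who really sent it, and where the button really goes) are exactly what the two phishing scenarios described earlier rely on you skipping. The script below is an added example, not code from the original post or from Google: it takes a raw email, compares the visible sender with the actual sending domain and the receiving server’s SPF/DKIM/DMARC verdicts, and lists every link in the HTML body together with the host it really points at. The two sample emails are constructed for this example, and the allow-lists of Google domains are assumptions you should verify yourself, not an authoritative list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-lists for this example. The page does not list Google's real
# sending and link domains; verify and extend these before relying on them.
TRUSTED_SENDER_DOMAINS = {"google.com"}
TRUSTED_LINK_DOMAINS = {"google.com"}

# Constructed sample 1: a phishing email imitating a Critical Security Alert.
# The sender domain is "accounts-google.com", not google.com, and the button
# points at a look-alike host that merely starts with "accounts-google.com".
SAMPLE_PHISH = """\
From: Google <no-reply@accounts-google.com>
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail
Subject: Critical security alert
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone just used your password to sign in to your account.</p>
<a href="https://accounts-google.com.security-check.example/login">Check activity</a>
</body></html>
"""

# Constructed sample 2: what a genuine alert would look like to these checks.
SAMPLE_LEGIT = """\
From: Google <no-reply@accounts.google.com>
Return-Path: <bounce@accounts.google.com>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Subject: Security alert
Content-Type: text/html; charset=utf-8

<html><body><p>A new sign-in on a Windows device.</p>
<a href="https://myaccount.google.com/notifications">Check activity</a></body></html>
"""


def domain_matches(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one.
    "accounts-google.com" does NOT match "google.com"; "accounts.google.com" does."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    Only meaningful when written by your own receiving server: a sender can
    forge this header just like any other, so trust only the copy your provider adds."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def extract_links(msg):
    """Return (anchor text, href) pairs from every text/html part.
    A regex is enough for this example; use an HTML parser on real mail."""
    links = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        pattern = r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>'
        for href, text in re.findall(pattern, html, re.I | re.S):
            links.append((re.sub(r"<[^>]+>", "", text).strip(), href))
    return links


def analyze(raw):
    """Run the sender and link checks and return every reason for suspicion."""
    msg = message_from_string(raw)
    reasons = []

    # 1. The displayed name says "Google"; only the address after '@' counts.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if not domain_matches(from_domain, TRUSTED_SENDER_DOMAINS):
        reasons.append(f"sender domain {from_domain!r} is not a trusted Google domain")

    # 2. Return-Path is where bounces go; phishing kits often use a throwaway mailer.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = return_path.rpartition("@")[2].lower()
    if rp_domain and not domain_matches(rp_domain, TRUSTED_SENDER_DOMAINS):
        reasons.append(f"Return-Path domain {rp_domain!r} is not a trusted Google domain")

    # 3. Your mail server's own SPF/DKIM/DMARC verdicts.
    for mech, result in auth_results(msg).items():
        if result != "pass":
            reasons.append(f"{mech} result is {result!r}")

    # 4. The "hover over the button" check, done on the actual href.
    links = extract_links(msg)
    for text, href in links:
        host = urlparse(href).hostname
        if not domain_matches(host, TRUSTED_LINK_DOMAINS):
            reasons.append(f"link {text!r} points at {host!r}")

    return {"from_domain": from_domain, "links": links,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        report = analyze(sample)
        print(name, "suspicious" if report["suspicious"] else "no findings")
        for reason in report["reasons"]:
            print("  -", reason)
```

On the constructed phishing sample this reports six findings (untrusted sender domain, untrusted Return-Path, failed SPF, missing DKIM, failed DMARC, and a button whose real host is a look-alike), while the constructed genuine alert produces none. The point of the link check is that the anchor text and even the start of the hostname can say “accounts-google.com”; only the registered domain at the end of the hostname decides where the browser goes.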
What if you fell for the Google Critical Security Alert scam?
If you clicked on any links, downloaded attached files, or entered your details on a spoofed website, you may be in trouble. This means that hackers may already have your password or have installed malicious software onto your device.
It's time to act fast. Hackers may now be able to:
- Take screenshots of your desktop;
- Steal passwords you saved on your drive or your web browser;
- Steal, amend or delete your files;
- Download more malware or adware onto your device;
- Install hidden copies of the same malware that run in secret, so it comes back even if you manage to spot and manually delete the original.
Here's what you should do next if you have a suspicion that someone might have accessed your personal information or got into your device:
- Create stronger passwords. Delete the passwords saved in your browser and use a password manager like NordPass instead;
- Locate the malware and manually delete it. This may require some technical know-how. If you are not comfortable doing this, try a third-party malware detection/antivirus program or speak to a professional and let them take care of it.