Google critical security alert: How to recognize and respond

Getting a Google security alert may be alarming, but it doesn’t automatically mean your account is in danger. Sometimes, you might trigger one yourself by, for example, signing in from a new device. That said, it can also mean that someone is trying to access your account without permission, or it may even be a fake alert designed to steal your information.

In this guide, we’ll explain what a critical security alert from Google is and how to tell if it’s genuine. We’ll also explore security measures you should take to protect your account against takeovers and phishing attempts.

What is a Google critical security alert?

A Google security alert notifies you about suspicious activity associated with your account. Google generally sends the alert through email, but it may also appear as an on-screen system notification on your phone (if you’re signed in) or as a notification through a Google app.

Sometimes, you might also get an alert for a different Google account linked to yours, like your recovery email address.

Why Google sends security alerts

Google sends these alerts to help you quickly detect and respond to suspicious activity, like potentially unauthorized logins, password resets, or changes to your account recovery information. This gives you the opportunity to review the activity and, if it wasn’t you, take immediate steps to secure your account.

Any of the following can trigger an alert:

Suspicious login attempts

Google often flags or blocks sign-in attempts from unusual locations or new devices. That’s why you might get an alert when you access your account while traveling, after buying a new phone or laptop, or if you use a tool like a VPN to change your IP address. Google uses these signals to identify unfamiliar locations and devices.

Password reset triggers

You might receive a security alert if Google flags a password reset as suspicious. This can happen if the reset comes from a device you haven’t used to sign in before, from a new location or unfamiliar Wi-Fi network, or after several failed sign-in attempts. Even if you request the password change, Google might still send you an alert as a precaution.

Suspicious account activity

Google also sends out security alerts if it detects suspicious account activity. For instance, if an unusual number of emails are sent from your address, or if it notices changes to important security settings, like your recovery phone number or email.

Is a Google critical security alert real or a scam?

Google’s security alerts are legitimate, but cybercriminals can also create phishing emails that imitate them. These fake messages could ask for your login information or include malicious links or attachments. If you click on them, you may end up on a phishing page or accidentally download malware that infects your device and steals your passwords.

Signs of a genuine alert

There are a couple of key signs that can indicate that a Google critical security alert is legitimate.

Sender email domain

Emails containing security alerts always come from this address: no-reply@accounts.google.com.

If you see a different address, it’s very likely a phishing attempt. Note that attackers may be able to make an email appear to come from that address, so don’t rely on this signal alone.

Account activity match

Legitimate security alerts are always listed in the Recent security activity tab in your Google account, including security events like suspicious login attempts or changes to your recovery email or password.

Compare the time and type of activity here with what’s shown in the alert email or notification you received. If the same event appears in both, the alert is genuine. If the event doesn’t appear there, treat the email you received with extreme caution.

Signs of a fake alert

If you notice any of the following issues, the security alert is probably fake:

Phone calls

Google doesn’t call you about security alerts. Instead, it sends them through email or on-screen prompts. If you receive a phone call claiming to be a security alert from Google, it’s most likely a scam.

Note: If you’ve set up phone verification as part of two-factor verification, you may receive an automated call to confirm the login. Google will never call you with a security alert or ask for your information over the phone.

Urgent language and errors

Fake email alerts often use urgent phrases to pressure you into impulsively clicking links or opening attachments. For example, they might say your account is compromised or in danger.

You may also be able to spot a fake alert by checking its spelling and grammar. A genuine alert from Google generally won’t contain any errors. That said, with the use of modern tools like AI, cybercriminals can more easily create fake alerts that look clean and professional. Google’s real messages are usually concise and consistent in tone, so you should also watch for an overly formal tone or awkward phrasing.

Suspicious links and attachments

A fake security alert email might ask you to download a file that may appear harmless but actually contains malware. Legitimate Google security alerts never include attachments, so any message with a file attachment claiming to be from Google should be treated as suspicious.

Fake alerts may also contain malicious links that take you to a fake login page designed to steal your credentials. To preview the actual destination of a URL or button before you click, hover over the link on desktop or long-press it on mobile.

Sensitive data requests

A fake email alert might ask you to share valuable information, like your password or recovery codes. Legitimate Google alerts never ask for this kind of data directly in the message. They only notify you about suspicious activity and link to your Google account.

In some cases, you might be asked to sign in to verify your identity or review the alert, but you should always check that the link is the genuine Google domain. If in doubt, visit https://myaccount.google.com/ directly rather than following the link you received via email.

What to do if you get a Google critical security alert

If you receive a critical security alert from Google, it’s best to take a moment to verify it before taking any action. The next steps will help you confirm whether the alert is legitimate and show you what to do in each case.

Actions if it’s real

If the alert is valid and you didn’t trigger it, here’s how to quickly protect your Google account:

Change your password immediately

Changing your Google password is the most important first step. It locks out anyone who may have gained access and prevents further unauthorized activity.

If you get an alert, this is the quickest way to update your login:

1. In the email, click Check activity. This takes you to the relevant security alert log.
2. Select No, secure account. This signs you out of most devices and takes you to a new page where you can change your password.
3. Click Change password. Google might ask you to enter your current password to verify your identity.
4. Choose a new password, confirm it, and select Change password to confirm.

Disconnect unknown devices

When you change your password, Google will show you a list of all devices that will remain signed in to your account even after the password change. This always includes the device you’re using, along with certain trusted devices such as those linked to two-factor authentication.

In some cases, you might also stay signed in on devices connected through third-party apps, for example, if your Google Account is linked to a smart TV or another app that uses your Google login. Certain home devices, such as Google Nest, may also stay connected until you remove them manually.

So even if the alert was triggered by your own activity, you should check the signed-in devices page and remove all devices you don’t recognize or have access to. Here’s how to do that:

1. Access the Security tab in your Google account.
2. Scroll down and click Manage all devices.
3. Select any device you don’t recognize. You might need to type in your password when you do this.
4. Click Sign out to disconnect the device.

Actions if it’s a scam

If the alert appears to be fake, take the following steps to protect your account and devices:

Don’t click suspicious links

Avoid interacting with any links or buttons found in the email. They could take you to a phishing page designed to steal your password. Clicking on them could also trigger a malware download that compromises your device.

Report phishing to Google

When you report a phishing email to Google, Gmail moves it to the spam folder and sends a copy of the email to Google’s security team for analysis.

Here’s how to report a phishing email in Gmail:

1. In the email alert, click the three-dot icon on the right-hand side of the email message.
2. Next, select the Report phishing option.

You can also report any phishing links found in the email to Google through its Safe Browsing report page.

Block the sender’s address

In addition to reporting the fake message, you should also block the sender so that they can’t message you again. To do this, follow these steps:

1. Click the three-dot icon to open the options menu.
2. Select Block.

How to protect your Google account long-term

Securing your account is important to reduce the risk of future attacks. Even if you solve the issue from a Google security alert, your account can remain vulnerable if your recovery details, passwords, or security settings are outdated.

Core security practices

To make sure your Google account stays protected from most common threats, it's best to make sure you have all of these safeguards in place:

Create strong, unique passwords

A strong password makes it more difficult for cybercriminals to use trial and error to brute-force your login. It’s best to aim for a long password that’s at least 12 characters and a mix of letters, symbols, and numbers. It shouldn’t include common words like nicknames, words in reverse, or important dates.

In addition to securing your Google account with a strong password, you should also use a different login for each account you use. Otherwise, if one password is compromised, all your accounts are in danger.

To securely generate, store, and manage your passwords, you can use a password manager like ExpressVPN Keys.

Turn on two-factor authentication

Two-factor authentication (2FA) adds additional security to the login process because it requires you to perform an additional step to verify your identity. This way, even if someone steals your password, they won’t be able to access your account without that additional verification.

Google supports the following 2FA options:

• Passkeys: A passwordless sign-in option that allows you to log in with biometric authentication (fingerprint or face scan) or using your device’s screen lock.
• Google prompt: Get a prompt on your phone to verify your identity when signing in on a different device.
• Authenticator: Use an authenticator app to generate time-sensitive codes to use when logging in.
• Phone number: Receive sign-in or verification codes through text messages or automated voice calls.
• Backup codes: Provides a list of backup codes you can print and use and enter to sign into your account.

Keep recovery info updated

Make sure your recovery email and phone number are up to date. This may help you regain access to your account if cybercriminals compromise it. Here’s how to do this:

1. In your Google account, select the Security tab from the menu on the left.
2. Click the Recovery phone and Recovery email fields to update the information. Google may require you to enter your login to proceed.

Use Google’s Security Checkup

Google’s Security Checkup is a feature that offers personalized guidance on how to protect your account. It’s a simple way to confirm that your settings, devices, and recovery options are up to date.

At a glance, the tool lets you:

• Review recent security activity: See sign-ins, password changes, and other important actions tied to your account. This helps you quickly spot anything that doesn’t look familiar.
• Check your recovery options: Confirm that your recovery phone number and email address are up to date. These details make it easier to regain access if you ever get locked out.
• Manage connected devices: View which devices are signed in to your Google Account and remove any you don’t recognize or use.
• See third-party app access: Identify apps or services that can access your Google data and remove any you no longer use or trust. Limiting unnecessary access reduces your exposure if a third-party app is compromised.
• Verify 2-Step Verification settings: Make sure your two-factor authentication is turned on and working properly. This adds an extra layer of protection if someone tries to sign in without permission.
• Run a Password Checkup: Automatically check whether any of your saved passwords are weak, reused, or appear in known data breaches. Updating them reduces the risk of credential-stuffing attacks.

Advanced security measures

Once you’ve covered the basics, you can take the following few extra steps to strengthen your Google account’s defenses.

Use email masking

Email masking is when you use an alternate email address that forwards messages to your main inbox. When someone or an online service emails the masked address, you still get the message, but your main email stays hidden. This provides extra privacy because it helps protect you against spam, data breaches, and phishing attacks.

Use an antivirus

While antivirus software can’t directly protect your Google Account, it can help improve your overall security by protecting your device from malware that might steal passwords, intercept verification codes, or install keyloggers. Many antivirus programs include web protection that checks websites against databases of known phishing or malicious links and warns you before you visit a dangerous page.

If you already use an antivirus, keep its real-time protection turned on and allow automatic updates to stay protected against the latest threats. Just note that while good antivirus software can block common threats, it can’t protect you if you voluntarily share sensitive information or sign in on a fake site. It’s important to use it in tandem with Google’s security features, such as security alerts, two-factor authentication, and reviewing account activity.

Implement email protocols

If your business uses Google Workspace, you can set up several email authentication protocols for increased security and to ensure that only authorized users send emails on your behalf.

Google supports the following:

Can you disable Google security alerts?

Regular Google users with personal Gmail accounts can’t stop security alerts because they’re a core security feature that keeps accounts safe. You can disable some browser-specific alerts if you turn off the Enhanced Safe Browsing feature, but that’s not recommended because it protects you against malicious sites, downloads, and extensions.

You can only turn off some security alerts if you’re a Google Workspace admin. However, even if you do this, Google will still send alerts when users sign in through unrecognized devices.