Megha

Fake Gmail alerts are fooling people! 3 steps to protect your account

Gmail users, beware! Fake security alerts are exploiting a flaw in Google’s system, and they look alarmingly real. Here’s how to protect your account and avoid falling for this dangerous phishing scam.

One would think that Gmail's security alerts are pretty secure and actually warn users in time, keeping their accounts safe. Well, they would be wrong.

A shockingly legit-looking phishing scam is now targeting Gmail users—and it’s so convincing, even Google’s systems didn’t flag it. The email claims to be from “no-reply@google.com,” warns you about suspicious activity, and tells you to verify your account or risk getting locked out.

Sounds routine, right? Except it’s not. It’s a fake. And it’s exploiting a real vulnerability in Google’s own infrastructure.

It looks real… because it kinda is

The scam was first flagged by X (formerly Twitter) user Nick Johnson, who was almost fooled himself. He posted about receiving a suspicious security alert from no-reply@google.com telling him to “verify account activity.” If he didn’t, the email warned, his Gmail would be suspended within 24 hours.

Here’s the kicker: the email passed all of Gmail’s usual safety checks. It had legit branding, the right logos, no dodgy typos, and even a valid DKIM signature (the cryptographic signature mail servers use to verify that a message really came from the domain that signed it). Gmail didn’t raise a single flag. It even lumped it in with real security alerts.

So yeah, scary stuff.

The trick? A sneaky OAuth bug

Johnson says the scam exploited a flaw in Google's OAuth system—a bug that allowed attackers to send emails that looked like they were from official Google addresses. Google has now acknowledged the issue and says a fix is on the way.

But until that patch rolls out, these emails are out there, pretending to be the real deal—and they want your login details.

What happens if you fall for it?

The email prompts you to click a “Review Activity” button, which leads to a page mimicking Google’s login screen. Enter your info, and boom—your Gmail, your data, your entire Google life could be in the hands of a scammer. They can raid your inbox, steal personal details, and send more fake emails from your account.
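The two points above (a DKIM signature that genuinely passes, and a “Review Activity” link that leads somewhere other than Google) are exactly what a mailbox triage rule should separate. The following is an added example, not code from the article or from Google: it parses a raw email, reads the receiving server’s DKIM verdict, checks that the signing domain matches the visible sender, and then lists every link host that is not under the trusted domain. The sample message and its link host (`login-verify.example-phish.test`) are constructed for the demo; the only real value taken from the article is the `no-reply@google.com` sender.

```python
"""Email triage: a passing DKIM signature proves who signed the message,
not that the links inside it are safe. Added example, not the article's code."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the alert described in the article.
# The link host is a placeholder, not a real phishing domain.
SAMPLE_EML = b"""From: Google <no-reply@google.com>
To: victim@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.d=google.com; spf=pass
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=demo; h=from:to:subject; bh=xx; b=yy
Content-Type: text/html; charset=utf-8

<html><body>
<p>Suspicious activity was detected. Verify within 24 hours or your account will be suspended.</p>
<a href="https://login-verify.example-phish.test/review">Review Activity</a>
</body></html>
"""

# Same message, but the button points at a real Google host (constructed benign case).
BENIGN_EML = SAMPLE_EML.replace(
    b"https://login-verify.example-phish.test/review",
    b"https://myaccount.google.com/notifications",
)

URGENCY_PHRASES = ("within 24 hours", "suspended", "verify")


def domain_of(addr: str) -> str:
    """Domain part of an address like 'Google <no-reply@google.com>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def dkim_result(msg):
    """Return (verdict, signing domain) from the Authentication-Results header."""
    ar = str(msg.get("Authentication-Results", ""))
    m = re.search(r"dkim=(\w+)(?:[^;]*\bheader\.d=([\w.-]+))?", ar)
    if not m:
        return None, None
    return m.group(1).lower(), (m.group(2) or "").lower() or None


def link_hosts(html: str) -> list:
    """Hostnames of every href in the HTML body."""
    return [urlparse(h).hostname or "" for h in re.findall(r'href="([^"]+)"', html)]


def triage(raw: bytes, trusted=("google.com",)) -> dict:
    """Combine sender alignment with link-destination checks into one verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    dkim, signer = dkim_result(msg)
    sender = domain_of(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    hosts = link_hosts(html)
    offdomain = [h for h in hosts if not any(under(h, t) for t in trusted)]
    urgency = [p for p in URGENCY_PHRASES if p in html.lower()]

    findings = []
    if dkim != "pass":
        findings.append("DKIM did not pass")
    elif signer and signer != sender:
        findings.append(f"DKIM signer {signer} does not match sender {sender}")
    if offdomain:
        findings.append("links leave the trusted domain: " + ", ".join(offdomain))
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))

    # A valid, aligned signature is not enough: an off-domain link is decisive.
    verdict = "suspicious" if (offdomain or dkim != "pass" or (signer and signer != sender)) else "clean"
    return {
        "dkim": dkim,
        "signer": signer,
        "sender": sender,
        "offdomain_hosts": offdomain,
        "urgency": urgency,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        result = triage(raw)
        print(label, result["verdict"], result["findings"])
```

The design point is the ordering: the constructed sample passes DKIM with an aligned `google.com` signer, so a rule that stops at “dkim=pass” would accept it, which is what the article says happened inside Gmail. Only the link-destination check flags it, which matches the advice to open Gmail in a fresh tab rather than clicking anything in the message.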

What you need to do

First things first—don’t click on anything. If you get an email like this, open a fresh tab and go directly to Gmail or your account settings. Check everything from there, not from inside the email.

Second, report it. Gmail lets you flag phishing emails through the three-dot menu in the message.

And if you haven’t already, enable two-factor authentication. It’s a life-saver, even if your password gets compromised.

Lastly, trust nothing. Check sender addresses carefully, be wary of urgency, and always pause before clicking.

Because clearly, the internet’s getting sneakier.
