
Gmail scams: How safe is your account?

F-Secure


A Statista survey found that three quarters of respondents in the United States use Gmail as either their primary or secondary email service. That’s a pool of roughly 160 million users in the US alone.

And because social logins are now one of the most common ways to access online services, a single Gmail account can act as a gateway to countless other apps and platforms. This makes Gmail one of the most valuable targets for scammers.

In this article, we explain four common types of Gmail scam, highlight the key red flags to watch out for, and share simple best practices to help keep one of your most important accounts secure.


Common Gmail scams

In last year’s F-Secure Living Secure survey, we found that 54% of online scams are carried out via email, and email scammers are constantly refining their tactics. According to Pew Research, 63% of respondents say they receive a scam email at least once a week.

The methods may change, but almost all Gmail scams begin with a deceptive email designed to look legitimate. Here are four of the most common Gmail scams to watch for.

1. Gmail impersonation scams

A common Gmail scam is a straightforward impersonation email that pretends to be from Google or Gmail support. These messages usually claim there’s a security problem with your account — like a suspicious sign-in, a storage limit issue, or an urgent warning that your account will be locked. The goal is to push you into acting fast.

The email often includes a convincing “Secure your account” or “Review activity” button leading to a fake Google login page designed to steal your password. Some scams go further by spoofing official-looking sender addresses (even no-reply@google.com) or directing you to a fake support page with a phone number. If you call, scammers may ask for your password, verification codes, or remote access.

The key rule: never trust account alerts that ask you to log in through an email link. Instead, open a new browser tab and go directly to myaccount.google.com to check your security status. The same goes for verification codes: never read one out to someone who has called you, and never type one into a page you reached from an email link. Google’s real sign-in pages live only on accounts.google.com, and a one-time code entered anywhere else hands the scammer your second factor along with your password.

2. Google Sites scam

Google Sites is part of Google Workspace. It allows people to build simple websites quickly, without coding. Anything published there is served from sites.google.com, so the page carries a google.com hostname and a valid Google TLS certificate even though Google did not write a word of it. That combination of ease of use and a reassuring-looking address bar has made it a convenient tool for scammers.

Scammers are increasingly using polished fake websites built on Google Sites, pairing them with spoofed Google emails and professional-looking support language to trick people into entering their Gmail login details.

In one case, scammers even managed to make their messages appear as though they were sent from the official no-reply@google.com address. The only clear giveaway was that the link inside the email pointed to a page on sites.google.com rather than to accounts.google.com, where Google’s real sign-in pages live.

The goal of the scam is simple: trick victims into entering their Gmail username and password on a fake “legal issue” page.
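The checks in the two sections above come down to one habit: look at the full hostname a link actually lands on, not at whether “google.com” appears somewhere in the URL. The script below is an added example, not code from the F-Secure article; the allow list of Google sign-in hosts, the illustrative list of user-content hosts and the sample links are assumptions I have constructed for the demonstration. It classifies each link as a page Google itself operates for account security, a Google-owned host that anyone can publish to, or something else entirely.

```python
"""Added example (not from the F-Secure article): classify a link from a
"Google" security email by where it actually lands.

The point: "google.com" appearing in a URL proves nothing. sites.google.com
hosts anyone's pages, and hostnames such as accounts.google.com.example or
accounts-google.com are not Google at all. Only the scheme and the exact,
full hostname matter.
"""
from urllib.parse import urlparse

# Hosts Google itself uses for sign-in and account security. Exact match only.
GOOGLE_ACCOUNT_HOSTS = {"accounts.google.com", "myaccount.google.com"}

# Google-owned hosts that serve user-published content. A login form on any
# of these is a phishing page, however official it looks. (Illustrative
# list, not exhaustive.)
USER_CONTENT_HOSTS = {"sites.google.com", "docs.google.com",
                      "drive.google.com", "script.google.com"}


def classify_link(url: str) -> str:
    """Return 'trusted', 'user-content' or 'untrusted' for one URL.

    urlparse().hostname strips userinfo and port, so the classic
    https://accounts.google.com@evil.example/ trick resolves to evil.example.
    """
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower().rstrip(".")
    if parsed.scheme.lower() != "https" or not host:
        return "untrusted"
    if host in GOOGLE_ACCOUNT_HOSTS:
        return "trusted"
    if host in USER_CONTENT_HOSTS:
        return "user-content"
    return "untrusted"


def triage(links):
    """Map each link to its verdict, e.g. for a list pulled out of an email."""
    return {link: classify_link(link) for link in links}


# Constructed sample links of the kinds described above (not real phishing
# URLs). Only the first is a page Google operates for account security.
SAMPLE_LINKS = [
    "https://myaccount.google.com/security-checkup",
    "https://sites.google.com/view/legal-support-case/home",
    "https://accounts.google.com.secure-login-check.example/signin",
    "https://accounts-google.com/ServiceLogin",
    "https://accounts.google.com@login-review.example/",
    "http://accounts.google.com/ServiceLogin",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:<12} {link}")
```

The allow list is deliberately an exact match rather than a suffix check: a suffix test such as `endswith("google.com")` would pass `accounts-google.com`, and a substring test would pass every lookalike in the sample. Internationalised lookalike domains arrive from `urlparse` in punycode (`xn--...`) form and simply fail the exact match, which is the behaviour you want.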

3. AI-generated email summary scams

In mid-2024, Google began rolling out its Gemini AI assistant across Gmail. While useful, it also opened the door to new forms of manipulation.

One widely reported tactic targets the “Summarize this email” feature. Scammers hide malicious links or fake support numbers in text the recipient cannot see: white text on a white background, a zero-size font, or an element styled so that it is never rendered. The message looks harmless on screen, but Gemini summarises the raw content of the email, so the hidden text ends up in its summary. Security researchers call this indirect prompt injection: attacker-supplied content is processed by the model as though it were part of the user’s own request.

Because the link appears inside an AI-generated summary panel, users may trust it more than they normally would and click without hesitation. As with most phishing attacks, these links lead to fake websites designed to steal login details, or they install malware on the user’s device. Treat anything in a summary as exactly as untrusted as the email it came from, and remember that a genuine Google security notice never asks you to call a phone number.
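To make the hidden-text trick concrete, here is an added example (not code from the F-Secure article) that scans an HTML email and separates the text a reader sees from the text only a machine would ingest. The hiding heuristics, the phone-number pattern and the sample message are my own constructions; they cover the common tricks and are not exhaustive.

```python
"""Added example (not from the F-Secure article): surface text in an HTML
email that a human reader never sees but an AI summariser still ingests.

The scanner walks the HTML, tracks whether each text node sits inside an
element styled to be invisible, and reports URLs and phone numbers that
occur only in hidden text. Heuristics and sample are constructed for this
demonstration: they cover display:none, visibility:hidden, zero font size,
zero opacity, white-on-white (which assumes a white background) and the
hidden attribute, and nothing else.
"""
import re
from html.parser import HTMLParser

HIDING_RULES = (
    re.compile(r"display\s*:\s*none"),
    re.compile(r"visibility\s*:\s*hidden"),
    re.compile(r"opacity\s*:\s*0(\.0+)?\s*(;|$)"),
    re.compile(r"font-size\s*:\s*0(px|pt|em|rem)?\s*(;|$)"),
    re.compile(r"(?<![\w-])color\s*:\s*(#fff(fff)?|white)\b"),
)
# Heuristic: URLs, and digit runs long enough to be phone numbers.
INDICATOR_RE = re.compile(r"https?://\S+|\+?\d[\d\s().-]{7,}\d")


class HiddenTextScanner(HTMLParser):
    """Split text nodes into visible and hidden, based on inline styles."""

    VOID = {"br", "img", "hr", "input", "meta", "link"}  # never pushed on stack

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # one bool per open element: hidden or not
        self.ignored = 0     # depth inside <style>/<script>, whose text is not prose
        self.visible = []
        self.hidden = []

    @staticmethod
    def is_hidden(attrs) -> bool:
        attrs = dict(attrs)
        if "hidden" in attrs:
            return True
        style = (attrs.get("style") or "").lower()
        return any(rule.search(style) for rule in HIDING_RULES)

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        if tag in ("style", "script"):
            self.ignored += 1
        inherited = bool(self.stack and self.stack[-1])  # children inherit hiding
        self.stack.append(inherited or self.is_hidden(attrs))

    def handle_endtag(self, tag):
        if tag in self.VOID:
            return
        if tag in ("style", "script") and self.ignored:
            self.ignored -= 1
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())  # collapse whitespace and newlines
        if not text or self.ignored:
            return
        target = self.hidden if self.stack and self.stack[-1] else self.visible
        target.append(text)


def find_hidden_indicators(html: str) -> dict:
    """Return visible text, hidden text, and indicators found only in hidden text."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    visible_text = " ".join(scanner.visible)
    hidden_text = " ".join(scanner.hidden)
    visible_hits = set(INDICATOR_RE.findall(visible_text))
    hidden_only = [h for h in INDICATOR_RE.findall(hidden_text) if h not in visible_hits]
    return {"visible_text": visible_text, "hidden_text": hidden_text, "hidden_only": hidden_only}


# Constructed sample (not a real phishing email). What the reader sees is a
# bland billing notice; the zero-size white div carries the scammer's payload.
SAMPLE_EMAIL = """
<html><body>
  <p>Hi, your Google Workspace invoice for June is attached.</p>
  <p>No action is needed. You can review billing from
     <a href="https://myaccount.google.com/payments">your account page</a>.</p>
  <div style="font-size:0;color:#ffffff">
    WARNING: a suspicious sign-in was detected. Call Google Support now at
    +1 800 555 0199 or verify at https://sites.google.com/view/google-account-recovery-help
  </div>
  <p style="color: #333">Thanks, the billing team</p>
</body></html>
"""

if __name__ == "__main__":
    report = find_hidden_indicators(SAMPLE_EMAIL)
    print("Visible:", report["visible_text"])
    print("Hidden-only indicators:", report["hidden_only"])
```

The scanner relies on well-formed nesting; sloppy HTML with unclosed tags will skew the stack, and styles applied from a `<style>` block or via CSS classes are not evaluated. It is a triage aid for spotting the pattern the section describes, not a replacement for the rule that a summary deserves no more trust than the message it summarises.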

4. Hyper-personalization scams

Advances in AI have made it far easier for scammers to create highly personalized phishing messages.

Automated tools can now scan years of social media posts, public profiles, and leaked data in seconds. Using this information, scammers craft emails that feel specific and relevant, often referencing real projects, contacts, or life events.

Not only are these emails more convincing, they are also more likely to bypass Gmail’s spam filters, because they lack the templated wording and bulk-sending patterns that filters rely on and read as legitimate, contextually accurate correspondence.

Gmail scam red flags

Now that you’re familiar with some of the most common Gmail phishing techniques, let’s look at the classic warning signs.

Here are five of the biggest Gmail phishing red flags:

  • Urgent messages: scammers want you to act quickly without thinking

  • First-time senders: be cautious if you’ve never received an email from this address before

  • Strange links or attachments: especially if the sender insists you click or download something

  • Requests for personal information: Google will never email you asking for login details, verification codes, personal data, or payment information

  • Too-good-to-be-true offers: unexpected prizes, refunds, or deals are almost always scams

Spelling mistakes and poor design used to be clear giveaways of phishing scams. They can still be useful clues, but many scammers are now well beyond this stage and can produce impressively convincing designs and language.

Best practices for staying safe on Gmail

Prevention is the strongest defence when it comes to cyber security. Follow these steps to reduce your risk and keep your Gmail account protected.

  1. Run a security checkup on your Google account. Visit myaccount.google.com/security-checkup to review Google’s recommended security updates.

  2. Use a strong, unique password. Avoid reusing old passwords. Ideally, use a strong password generator like ours that combines letters, numbers, and symbols into a long, complex passphrase.

  3. Enable 2-Step Verification (two-factor authentication, or 2FA). Although some people see 2FA as inconvenient, it is one of the most effective ways to protect your account. Where possible, choose a passkey or a hardware security key over SMS or app-generated codes: a fake login page can relay a typed code to the real site within seconds, but passkeys and security keys are bound to the genuine accounts.google.com origin and will not work on an impostor page.

  4. Review your account settings regularly. Look for unfamiliar devices, strange forwarding rules or filters, changes to your recovery phone or email, app passwords you did not create, and third-party apps with access to your account. These are often the first signs of a compromised account, and forwarding rules in particular let an attacker keep reading your mail after you change your password.


Stay protected from Gmail scams with F-Secure Total

Make staying safe online easy for yourself with one app that does it all. Skip online scams, download files and apps safely, protect your money online — and much more.

  • Award-winning antivirus and malware protection

  • Online browsing, banking, and shopping protection

  • 24/7 online identity and data breach monitoring

  • Unlimited VPN service to safeguard your privacy

  • Password manager with private data protection