Phishing emails and fake Google calls are compromising accounts—here’s how the scam works and how to stay safe
Gmail, the world’s most used email service, is under attack. A new wave of phishing scams is deceiving users into giving away their login credentials. The scam is smart and subtle: emails look real, come from seemingly official addresses, and don’t raise suspicion.
The danger doesn’t stop at emails. Victims are also receiving phone calls from fake Google technicians who guide them—step by step—into handing over their two-factor authentication (2FA) codes, thinking they are protecting their accounts.
This scam follows a simple but effective script:
What makes this scam so effective is the emotional manipulation. Victims are convinced they are being helped—until it’s too late.
Google has confirmed the scam and reassured users: it’s not widespread, but it’s growing and dangerous. The official stance is clear: Google will never call you to ask for account credentials or verification codes.
Ross Richendrfer, Gmail spokesperson, strongly recommends users enable anti-phishing measures like security keys or passkeys, which are much harder for scammers to bypass.
If you’ve fallen for the trick, you have 7 days to recover your Gmail account. During this period, you can still use your original recovery email or phone number, even if the attacker has changed them.
Never try random recovery tricks—only follow official Google instructions.
The most effective defense is enabling 2-step verification. For even better protection, use physical security keys. Google has also rolled out Gemini Nano protection in Chrome 137, detecting suspicious behavior directly on your device.
1. What is a Gmail phishing scam?
A fake email or phone call impersonating Google to steal your credentials.
2. Does Google ever call users?
No, Google will never contact you to ask for recovery codes or personal data.
3. What if I gave away my 2FA code?
Immediately start the official recovery process from Google.
4. How can I enable 2-step verification?
Go to “Manage your Google Account” → “Security” → “How you sign in”.
5. What are security keys?
Physical devices that prevent unauthorized logins.
6. Can I recover my Gmail after it’s hacked?
Yes, but you must act within 7 days using your original recovery data.
7. How can I spot a phishing email?
Check the sender’s address, avoid suspicious links, and don’t share personal info.
8. What is Gemini Nano?
An AI-based security layer in Chrome that blocks suspicious activities.
9. What should I do if I get a suspicious call?
Hang up immediately and report the number.
10. Is this scam illegal?
Yes. It is a criminal offense and should be reported to authorities.