Avoid and report phishing emails

Learn how to spot deceptive requests online and take recommended steps to help protect your Gmail and Google Account.

What phishing is

Phishing is an attempt to steal personal information or break in to online accounts using deceptive emails, messages, ads, or sites that look similar to sites you already use. For example, a phishing email might look like it's from your bank and request private information about your bank account.

Phishing messages or content may:

Ask for your personal or financial information.
Ask you to click links or download software.
Impersonate a reputable organization, like your bank, a social media site you use, or your workplace.
Impersonate someone you know, like a family member, friend, or coworker.
Look exactly like a message from an organization or person you trust.

Avoid phishing messages & content

To help you avoid deceptive messages and requests, follow these tips.

1. Pay attention to warnings from Google

Google uses advanced security to warn you about dangerous messages, unsafe content, or deceptive websites. If you receive a warning, avoid clicking links, downloading attachments, or entering personal information. Even if you don’t receive a warning, don’t click links, download files, or enter personal info in emails, messages, webpages, or pop-ups from untrustworthy or unknown providers.

2. Never respond to requests for private info

Don’t respond to requests for your private info over email, text message, or phone call.

Always protect your personal and financial info, including your:

Usernames and passwords, including password changes
Social Security or government identification numbers
Bank account numbers
PINs (Personal Identification Numbers)
Credit card numbers
Birthday
Other private information, like your mother’s maiden name

Tip: Only give out contact info like your email address or phone number to a website if you’ve confirmed it’s reputable. Don’t post your contact info on public forums.

3. Don’t enter your password after clicking a link in a message

If you’re signed in to an account, emails from Google won’t ask you to enter the password for that account.

If you click a link and are asked to enter the password for your Gmail, your Google Account, or another service, don’t enter your information, go directly to the website you want to use.

If you think a security email that looks like it’s from Google might be fake, go directly to myaccount.google.com/notifications. On that page, you can check your Google Account’s recent security activity.

4. Beware of messages that sound urgent or too good to be true

Scammers use emotion to try to get you to act without thinking.

Beware of urgent-sounding messages

For example, beware of urgent-sounding messages that appear to come from:

People you trust, like a friend, family member, or person from work. Scammers often use social media and publicly available information to make their messages more realistic and convincing. To find out if the message is authentic, contact your friend, family member, or colleague directly. Use the contact info you normally use to communicate with them.
Authority figures, like tax collectors, banks, law enforcement, or health officials. Scammers often pose as authority figures to request payment or sensitive personal information. To find out if the message is authentic, contact the relevant authority directly.

Tip: Beware of scams related to COVID-19, which are increasingly common. Learn more about tips to avoid COVID-19 scams.

Beware of messages that seem too good to be true

Beware of messages or requests that seem too good to be true. For example, don’t be scammed by:

Get rich quick scams. Never send money or personal information to strangers.
Romance scams. Never send money or personal info to someone you met online.
Prize winner scams. Never send money or personal info to someone who claims you won a prize or sweepstakes.

5. Stop & think before you click

Scammers often try to deliver unwanted software in links through email, social media posts or messages, and text messages. Never clicks links from strangers or untrustworthy sources.

Use tools to help protect against phishing

1. Use Gmail to help you identify phishing emails

Gmail is designed to help protect your account by automatically identifying phishing emails. Look out for warnings about potentially harmful emails and attachments.

Note: Gmail won’t ever ask you for personal information, like your password, over email.

When you get an email that looks suspicious, here are a few things to check for:

Check that the email address and the sender name match.
Check if the email is authenticated.
See if the email address and the sender name match.
On a computer, you can hover over any links before you click on them. If the URL of the link doesn't match the description of the link, it might be leading you to a phishing site.
Check the message headers to make sure the "from" header isn't showing an incorrect name.

2. Use Safe Browsing in Chrome

To get alerts about malware, risky extensions, phishing or sites on Google’s list of potentially unsafe sites, use Safe Browsing in Chrome.

In your Safe Browsing settings, choose Enhanced Protection for additional protections and to help improve Safe Browsing and overall web security.

You can download Chrome at no charge.

3. Check for unsafe saved passwords

You can find and change any unsafe passwords saved in your Google Account to help secure your accounts.

4. Help protect your Google Account password

To get notified if you enter your Google Account password on a non-Google site, turn on Password Alert for Chrome. That way, you’ll know if a site is impersonating Google, and you can change your password if it gets stolen.

5. Learn about 2-Step Verification

With 2-Step Verification, you add an extra layer of security to your account in case your password is stolen. Learn how you can protect your account with 2-Step Verification.

Report phishing emails

When we identify that an email may be phishing or suspicious, we might show a warning or move the email to Spam. If an email wasn't marked correctly, follow the steps below to mark or unmark it as phishing.

Important: When you manually move an email into your Spam folder, Google receives a copy of the email and any attachments. Google may analyze these emails and attachments to help protect our users from spam and abuse.

Report an email as phishing

On a computer, go to Gmail.
Open the message.
Next to Reply , click More .
Click Report phishing.

Report an email incorrectly marked as phishing

On a computer, go to Gmail.
Open the message.
Next to Reply , click More .
Click Report not phishing.