Let me first tell you a real-life scenario.
You receive an email from "Google Security Team" stating that your account has been flagged for suspicious login activity and requires immediate identity verification, otherwise your account will be frozen in 24 hours. The email is beautifully formatted, with a clear logo and a formal copyright notice at the bottom. A little panicked, you click the "Verify Now" button, which redirects you to a webpage that looks exactly like the Google login page. You enter your email address and password…
Then your Google account will no longer be yours.
That's exactly what phishing emails do. They don't need to crack your password or have any sophisticated hacking skills; all they need is for you to click a link and enter your password in a panic.
Why are phishing emails becoming increasingly difficult to identify?
Phishing emails from five or six years ago were quite easy to spot—full of grammatical errors, poor translations, and obviously fake logos. But things are different now.
Phishing emails are now extremely cheap to create, and the tools used are very sophisticated. Attackers can:
- Perfectly replicate the email templates of Google, banks, and courier companies, with pixel-perfect fidelity.
- Forge the sender display name, and in some cases even the sender address.
- Register fake domains that look very similar to the real ones (such as g00gle.com or google-security.com).
- Use AI tools to generate grammatically correct, localized content.
- Use your real name and some of your personal information to increase credibility.
To put it bluntly, phishing emails these days are no longer "obviously fake." Many people simply can't tell the difference unless they specifically check them.
The most common phishing tricks
1. Impersonating Google security notifications
This is the classic tactic. The email tells you "Abnormal login detected," "Your password has expired," or "Your account will be suspended soon," and then includes a link for you to "verify your identity" or "update your password."
Genuine Google security notifications do send emails, which is why many people can't distinguish between them and fake ones. We'll explain how to differentiate them later.
2. Impersonating a colleague or boss
This is especially common in corporate environments. You receive an email that looks like it's from your boss, saying, "I'm in a meeting and can't call, could you buy me some gift cards and send me the card numbers?" Or, "Could you update the data in this file and send it to me?"—the file is actually a malicious attachment.
This type of attack is called Business Email Compromise (BEC), and the financial losses are usually much greater than those from regular phishing.
3. Prize, tax refund, and order refund notifications
"Congratulations on winning an iPhone 16," "You have a $320 tax refund pending," "Your Amazon order refund has been credited to your account, please confirm"—any benefits offered without prior notice are basically bait.
4. Emergency Warnings
"Your account will be permanently deleted in 2 hours," "Your account has been detected sending spam to others," "Your Google Drive storage has been restricted due to inappropriate content"—these messages use fear to force you to act immediately, giving you no time to think.
5. Shared document phishing
This is more subtle. You receive an email saying "So-and-so has shared a document with you," with a format almost identical to a genuine Google Docs sharing notification. Clicking on it prompts you to log in to view the document—the login page, of course, is fake.
How to determine if an email is a phishing email?
No special expertise is required; just develop the following inspection habits.
Look at the sender's address, not the display name.
This is the most basic yet crucial step. The sender's name displayed in the email can be changed at will; anyone can set it to "Google Security Team." But the sender's actual email address is key.
In Gmail, click the small arrow next to the sender's name to expand the details and see the actual email address. Google officially only uses domains like @google.com or @accounts.google.com. If the actual address is something like security-alert@google-verify.com or noreply@g00gle-support.net, then it's fake.
Hover your mouse over the link to see the actual URL.
The text on the link in the email can be completely different from the actual URL it points to. A button that says "Log in to Google" might actually link to http://accounts-google.security-check.xyz/login.
On a computer, hover your mouse over the link without clicking and observe the actual URL displayed in the bottom left corner of your browser or in a pop-up tooltip. On a mobile phone, long-press the link to preview the address.
The official Google login page address will always begin with https://accounts.google.com/. Do not trust any other variations.
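The two checks above (judge the real sender address, not the display name; judge where a link really goes, not its text) can be automated. The following is an added example written for this article, not code from Google or from the original post: it parses a raw message with Python's standard library, flags a sender domain outside the Google domains the article names, and flags any link whose host is not under google.com or whose login-style text does not lead to https://accounts.google.com/. Both sample messages are constructed for the demo, modelled on the scenario at the top of the article, and the allowlists are assumptions taken from the text, not an official list.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sender domains the article says Google actually uses (allowlist assumed for this demo).
TRUSTED_SENDER_DOMAINS = {"google.com", "accounts.google.com"}
# Links in a genuine Google email are expected to stay under this domain ...
TRUSTED_LINK_DOMAINS = {"google.com"}
# ... and a login link specifically must begin with https://accounts.google.com/
TRUSTED_LOGIN_HOST = "accounts.google.com"
LOGIN_WORDS = ("log in", "login", "sign in", "verify", "password")


def is_under_domain(host: str, trusted: set) -> bool:
    """True if host equals a trusted domain or is a subdomain of one.
    Lookalikes such as 'g00gle.com' or 'google.com.evil.net' fail this test."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_message(raw: str) -> list:
    """Return findings for a raw RFC 822 message; an empty list means both checks passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Judge the real address, never the display name.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    if not is_under_domain(sender_domain, TRUSTED_SENDER_DOMAINS):
        findings.append(
            f"sender shows as '{display_name}' but the real address domain is '{sender_domain}'"
        )

    # 2. Judge where each link actually goes, never its text.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            url = urlparse(href)
            host = url.hostname or ""
            if not is_under_domain(host, TRUSTED_LINK_DOMAINS):
                findings.append(f"link '{text}' points to lookalike or foreign host '{host}'")
            elif any(w in text.lower() for w in LOGIN_WORDS) and not (
                url.scheme == "https" and host == TRUSTED_LOGIN_HOST
            ):
                findings.append(f"login link '{text}' does not start with https://{TRUSTED_LOGIN_HOST}/")
    return findings


# Constructed sample based on the scenario at the top of the article (not a real message).
SAMPLE_PHISH = """\
From: "Google Security Team" <security-alert@google-verify.com>
To: you@example.com
Subject: Suspicious login activity detected
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be frozen in 24 hours unless you verify your identity.</p>
<a href="http://accounts-google.security-check.xyz/login">Verify Now</a>
</body></html>
"""

# Constructed sample of what a genuine notification looks like under these rules.
SAMPLE_LEGIT = """\
From: Google <no-reply@accounts.google.com>
To: you@example.com
Subject: Security alert
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A new sign-in was detected. Review your activity:</p>
<a href="https://accounts.google.com/">Check activity</a>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(sample) or "no findings")
```

The phishing sample produces two findings (a non-Google sender domain and a link to a lookalike host); the genuine sample produces none. The subdomain test is deliberately strict: a host only passes if it is google.com itself or ends in ".google.com", so "google.com.evil.net" and "g00gle.com" are both rejected.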
Pay attention to an urgent tone.
Phishing emails love to create a sense of urgency by using phrases like "immediately," "right away," "within 24 hours," and "otherwise it will be permanently deleted," because people are more likely to make mistakes when they are nervous.
Even if a notification from a reputable company has a time limit, the wording will be milder and won't be threatening. Furthermore, for truly important account security issues, Google will notify you through multiple channels (push notifications, backup emails, SMS messages to your phone number), not just a single email.
Do not open attachments that are not verified.
Especially avoid opening files with .exe, .scr, .zip, or .js extensions. Even .pdf or .docx files should not be opened if their source is unknown. Malicious documents can exploit software vulnerabilities to execute malicious code the moment you open them.
If you really need to view the attachments, you can open them using Google Drive's online preview feature first, instead of downloading them to your local drive.
Verify using the information provided by Gmail.
Gmail has several built-in features that can help you determine this:
- External sender alert — if you are using Google Workspace (the business edition), you will see a yellow alert bar when you receive email from outside your organization.
- A question mark ("?" ) will appear in the profile picture area if the sender is not verified.
- Red Warning Banner — Gmail displays a red warning at the top when it detects suspicious emails, telling you "This email looks suspicious."
Pay close attention when you see these warnings.
If you have already clicked the phishing link
Don't panic, but be quick. Follow these steps:
If you only clicked the link but didn't enter any information
It's not a big problem. Close the page and clear your browser cache and cookies. If you're worried about malicious scripts on the page, run a full system scan with your antivirus software.
If you entered your password
- Change your password immediately — log in to myaccount.google.com on another device that you are sure is secure and change your password.
- Check recent login activity — in security settings, check "Your Devices" and "Recent Security Activity," and sign out any unfamiliar devices.
- Check recovery options —make sure your backup email address and phone number haven't been changed.
- Check your email forwarding settings —phishing attackers might set up automatic email forwarding to their inbox. Go to Gmail settings → Forwarding & POP/IMAP and check for any suspicious forwarding addresses.
- Enable two-step verification —if you didn't enable it before, enable it now. It's best to set up a passkey or security key.
- Check third-party app permissions — go to myaccount.google.com/permissions to see if any unfamiliar apps have been granted access to your account.
If you entered bank card or payment information
In addition to the steps above, you should immediately contact the bank to freeze the relevant cards and monitor recent transaction records.
Proactive defense: making it harder for phishing emails to succeed
Instead of relying on visual inspection to determine authenticity each time, it's better to take preventative measures so that even if a phishing email tricks you into giving it your password, it can't log into your account.
Enable two-step verification
This is the most cost-effective security measure. Once enabled, even if your password is stolen, attackers cannot log in without your phone as well.
Go to myaccount.google.com → Security → Two-Step Verification, and follow the prompts to set it up. Google Authenticator or a passkey is recommended; SMS verification codes are not recommended (SMS messages can be intercepted, for example through SIM swapping).
Set up a passkey
Passkeys go a step further than two-step verification. They are inherently phishing-proof because they automatically verify the website domain, so a fake website cannot trigger the verification process at all. For specific setup instructions, please refer to our previous article, "What is Google Passkey: A New Way to Say Goodbye to Traditional Passwords."
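To show concretely why a lookalike site cannot use your passkey, here is an added example (written for this article; it is not Google's code and not part of the original post) of the origin-binding checks in a WebAuthn login. The browser only offers a passkey to the domain it was registered for, and the assertion it produces carries the page's origin and a hash of that domain; the relying party then verifies both, so an assertion minted on a phishing page fails even before any signature is checked. The relying-party ID example.com, the challenge, and the phishing origin (taken from the article's lookalike URL) are constructed for the demo, and the signature verification that a real server also performs is deliberately left out to keep the focus on the binding.

```python
import base64
import hashlib
import json

# Constructed values for this demo (not Google's real relying-party settings).
RP_ID = "example.com"                    # the domain the passkey was registered for
EXPECTED_ORIGIN = "https://example.com"  # the only origin allowed to use it
PHISHING_ORIGIN = "https://accounts-google.security-check.xyz"  # lookalike host from the article

UP_FLAG = 0x01  # authenticator-data flag bit: user presence was verified


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_authenticator_data(rp_id: str, flags: int = UP_FLAG, sign_count: int = 0) -> bytes:
    """Build the fixed 37-byte prefix of WebAuthn authenticator data: rpIdHash || flags || counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build the clientDataJSON that the browser includes in the signed assertion."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    ).encode()


def origin_binding_ok(client_data_json: bytes, authenticator_data: bytes, challenge: bytes) -> bool:
    """Relying-party checks that bind an assertion to the genuine site.

    The browser already refuses to use a credential whose rpId is not a registrable suffix
    of the page's domain; these server-side checks are the backstop. The signature over
    authenticator_data || SHA-256(client_data_json) is omitted in this demo."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False
    if b64url_decode(client.get("challenge", "")) != challenge:  # fresh per login: stops replay
        return False
    if client.get("origin") != EXPECTED_ORIGIN:                   # a fake site reports its own origin
        return False
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():  # credential for another rpId
        return False
    if not authenticator_data[32] & UP_FLAG:                      # user must have touched/consented
        return False
    return True


def demo() -> dict:
    """Run the check against a genuine login and three failure cases; returns name -> accepted."""
    challenge = b"constructed-32-byte-challenge!!!"
    auth = make_authenticator_data(RP_ID)
    return {
        "genuine site": origin_binding_ok(make_client_data(EXPECTED_ORIGIN, challenge), auth, challenge),
        "phishing site": origin_binding_ok(make_client_data(PHISHING_ORIGIN, challenge), auth, challenge),
        "replayed challenge": origin_binding_ok(make_client_data(EXPECTED_ORIGIN, b"old"), auth, challenge),
        "other rpId": origin_binding_ok(
            make_client_data(EXPECTED_ORIGIN, challenge), make_authenticator_data("g00gle.com"), challenge
        ),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the genuine-site case is accepted. Contrast this with a password or an SMS code, which are just strings the user can be talked into typing on any page; nothing in them records which site they were meant for.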
Keep Gmail's security features enabled.
Gmail has many security features enabled by default; don't turn them off unnecessarily.
- Spam filtering
- Phishing email detection
- Scanning of suspicious attachments
- Safe browsing protection (the system checks the safety of the target website when a link is clicked).
These features can block over 99% of phishing emails. However, a small number of phishing emails still slip through the net and enter the inbox, so manual review remains important.
Regularly check account security status
Google offers a "security check" tool at myaccount.google.com/security-checkup . It will help you check:
- Are there any suspicious devices among your recent sign-ins?
- Are the third-party application permissions as expected?
- Is two-step verification enabled?
- Is your recovery information complete?
I suggest taking two minutes to look at it each month.
Be careful with public Wi-Fi
Logging into your email under public Wi-Fi in cafes, airports, or hotels is much riskier than at home. If you must use a public network, it is recommended to use a VPN.
Additional things to note for enterprise users
If you are using Google Workspace (Gmail for business), administrators can also do the following to protect the entire organization:
- Enforce two-step verification — set this in the admin console so that all employees must enable it.
- Deploy a DMARC policy — prevent others from impersonating your business domain and sending phishing emails to your customers or employees.
- Enable advanced phishing protection — go to the Workspace admin console → Security → Gmail → Security, where you'll find several advanced protection options.
- Regularly train employees on phishing emails —security awareness is more important than any technical means.
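A DMARC policy only stops impersonation of your domain if it is actually enforcing. The following added example (written for this article, not Google Workspace tooling or code from the original post) parses a DMARC TXT record, fills in the RFC 7489 defaults, and reports what a receiving mail server will do with a message that fails DMARC, i.e. a spoof of your domain. The three records are constructed for the demo; to review your own, look up the TXT record at _dmarc.<yourdomain> and pass that string in. The example does no DNS itself.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

# RFC 7489: when pct is below 100, messages not selected for the policy get the
# next less strict treatment (reject -> quarantine, quarantine -> none).
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    # The record must begin with v=DMARC1 and carry a valid p= tag.
    if not txt.strip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record (must begin with v=DMARC1)")
    for key in ("p", "sp"):
        if key in tags:
            tags[key] = tags[key].lower()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    if tags.get("sp", tags["p"]) not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    tags.setdefault("pct", "100")      # by default the policy applies to every failing message
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags


def spoofed_mail_outcome(tags: dict, subdomain: bool = False) -> str:
    """What a receiver does with mail that fails DMARC for this domain (or one of its subdomains)."""
    policy = tags["sp"] if subdomain else tags["p"]
    pct = int(tags["pct"])
    if policy == "none":
        return "delivered (monitoring only: reports are generated but nothing is blocked)"
    if pct < 100:
        return f"{policy} for {pct}% of failing mail, {NEXT_LESS_STRICT[policy]} for the rest"
    return policy


def review(txt: str) -> list:
    """Plain-language review of a record, as an admin checking their own domain would want it."""
    tags = parse_dmarc(txt)
    notes = [
        f"domain policy: {spoofed_mail_outcome(tags)}",
        f"subdomain policy: {spoofed_mail_outcome(tags, subdomain=True)}",
    ]
    if "rua" not in tags:
        notes.append("no rua= address: you will receive no aggregate reports")
    return notes


# Constructed records for the demo (substitute your own domain's record).
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL = "v=DMARC1; p=reject; pct=50; sp=none"

if __name__ == "__main__":
    for label, record in (("enforcing", ENFORCING), ("monitor-only", MONITOR_ONLY), ("partial", PARTIAL)):
        print(label)
        for note in review(record):
            print("  " + note)
```

The monitor-only record (p=none) is the common trap: it looks like DMARC is "deployed," but spoofed mail is still delivered. The partial record shows two further gaps that are easy to miss, a pct below 100 and an sp=none that leaves every subdomain unprotected.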
How to report phishing emails
Don't just delete it; take two seconds to report it to help Google improve its filtering algorithm and protect others from being affected.
- Open that email
- Click the three-dot menu in the upper right corner.
- Select "Report as phishing email"
It's that simple. Google updates its phishing email signature database based on reported data, making similar emails easier to block automatically in the future.
Remember one general principle
Finally, here's the most practical principle for judging emails. When you encounter an email you're unsure about, remember this:
Legitimate organizations will never ask you to enter your password via a link in an email.
No matter how genuine or urgent an email may seem, if it asks you to click a link to log in or enter sensitive information, do not comply. The correct approach is to open your browser, manually enter the official website address, log in, and check the email yourself. Once you develop this habit, the threat of phishing emails will be reduced to almost zero.