Watch Out: That Google Security Email Might Be a Scam

If you receive an account security alert in your Gmail inbox, don’t assume it’s safe—even if it looks like it came directly from Google. A sophisticated new phishing scam is making the rounds, and it’s tricking users with what appears to be a legitimate Google security notification.

The Phishing Email Looks Real - Because Technically, It Is

This scam email is being sent from no-reply@accounts.google.com, and it passes Google’s DKIM signature check, meaning it appears to be verified and legitimately sent by Google itself. Because of this, Gmail doesn’t flag the message as suspicious.

The message claims that Google received a subpoena, requiring the company to hand over the contents of your Google account. The email includes a link to a page hosted on sites.google.com, which looks like a Google support page. On that page, you’ll find a mock “Legal Investigation Report” along with buttons to either view the case or upload additional documents.

Clicking either button will lead you to a fake Google login page—also hosted on sites.google.com. While the person who reported the scam didn’t enter any credentials, it’s clear the goal is to steal your Google login details and then redirect you to a legitimate Google page to avoid raising suspicion.

Here’s What Makes This Scam So Convincing

Even though the fake login page is visually identical to Google’s real sign-in screen, you can spot the difference by checking the URL. Real Google login pages are always hosted at accounts.google.com, not sites.google.com.

There are two other red flags in the email:

  1. Email Header Mismatch: Although the email appears to be signed by Google, it actually originated from a privateemail.com address and was sent to a strange address like me@googl-mail-smtp-out-192-168-142-125-38-prod.net.
  2. Suspicious Footer Content: At the bottom of the message, there’s excessive white space followed by a line stating, “Google Legal Support was granted access to your Google Account,” again referencing that odd email address.
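The checks described above (the URL host test and the two header red flags) can be automated for triage. The following Python script is an added example, not code from the original article or from Google: it parses a constructed sample message modelled on the article's description, compares the From domain with the DKIM signing domain and the Return-Path domain, flags a look-alike recipient domain, and classifies every link by whether its host is exactly accounts.google.com or the user-publishable sites.google.com. All header values other than the addresses named in the article are labelled placeholders, and the alignment and look-alike rules are simple heuristics chosen for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real capture). The From, To and
# Return-Path domains follow the article; every other value is a placeholder.
SAMPLE_EMAIL = """\
From: Google <no-reply@accounts.google.com>
To: me@googl-mail-smtp-out-192-168-142-125-38-prod.net
Return-Path: <PLACEHOLDER-sender@privateemail.com>
DKIM-Signature: v=1; a=rsa-sha256; d=google.com; s=PLACEHOLDER; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: Security alert
Content-Type: text/plain; charset=utf-8

Google received a subpoena requiring the contents of your account.
Review the case: https://sites.google.com/view/PLACEHOLDER-case
"""

GENUINE_LOGIN_HOST = "accounts.google.com"   # the only host a real sign-in page uses
USER_PUBLISHABLE_HOST = "sites.google.com"   # anyone can publish pages here


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def dkim_signing_domain(msg):
    """Extract the d= tag from the DKIM-Signature header, or ''."""
    sig = msg.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else ""


def aligned(dom_a, dom_b):
    """Heuristic: domains align if equal or one is a subdomain of the other."""
    return bool(dom_a) and bool(dom_b) and (
        dom_a == dom_b or dom_a.endswith("." + dom_b) or dom_b.endswith("." + dom_a)
    )


def is_genuine_login_url(url):
    """True only for an https URL whose host is exactly accounts.google.com."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and (parsed.hostname or "").lower() == GENUINE_LOGIN_HOST


def extract_urls(text):
    return re.findall(r"https?://[^\s<>\"']+", text)


def body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_message):
    """Return the extracted domains plus a list of human-readable findings."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    to_dom = domain_of(msg.get("To"))
    rp_dom = domain_of(msg.get("Return-Path"))
    dkim_dom = dkim_signing_domain(msg)
    findings = []

    # Red flag 1: the DKIM signature may be valid, yet the envelope sender is elsewhere.
    if dkim_dom and not aligned(from_dom, dkim_dom):
        findings.append(f"DKIM signing domain {dkim_dom} does not align with From domain {from_dom}")
    if rp_dom and not aligned(from_dom, rp_dom):
        findings.append(f"Return-Path domain {rp_dom} does not align with From domain {from_dom}")

    # Red flag 2: a recipient domain that imitates Google without being google.com.
    if "googl" in to_dom and not aligned(to_dom, "google.com"):
        findings.append(f"recipient domain {to_dom} looks like Google but is not google.com")

    # Link check: a login link must be on accounts.google.com, never sites.google.com.
    for url in extract_urls(body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host == USER_PUBLISHABLE_HOST:
            findings.append(f"link {url} is hosted on user-publishable {USER_PUBLISHABLE_HOST}")
        elif not is_genuine_login_url(url):
            findings.append(f"link {url} is not a genuine Google sign-in URL")

    return {"from": from_dom, "to": to_dom, "return_path": rp_dom,
            "dkim": dkim_dom, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL)["findings"]:
        print("RED FLAG:", line)
```

Run against the constructed sample, the script reports the Return-Path mismatch, the look-alike recipient domain and the sites.google.com link, while the DKIM alignment check stays silent, which is exactly why a passing DKIM check alone is not a reason to trust the message.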

When Google’s Own Tools Are Used Against You

The scam works so well because it leverages Google’s own services, including Gmail and Google Sites. Since the phishing page is hosted on sites.google.com, the domain looks trustworthy—even though it’s being used maliciously.

Google Sites is a legitimate platform that allows users to create and publish webpages under the Google domain. Unfortunately, it also allows the use of custom scripts and embeds, which scammers exploit to build convincing phishing pages. Worse, even when Google takes down a phishing page, the attackers can just create another one quickly.

In this case, the real issue lies with the email itself—and unfortunately, Google doesn’t seem to see it that way.

Google's Response: “Working As Intended”

The original bug report was submitted to Google, but the company closed it, stating that the feature is functioning as expected. They also said they don’t consider this a security issue, which means we can likely expect more scams like this in the future.

Stay Safe: What You Can Do

Until Google tightens its policies around these types of scams, it’s up to users to stay alert. Here are some quick tips:

  • Check the sender’s address carefully, especially in the email header.

  • Be suspicious of any email that includes a link to sites.google.com instead of accounts.google.com for login.

  • If something feels off, don’t click links directly—go to Google.com and sign in manually to check for alerts.

  • Report suspicious emails to Google via the Gmail “Report phishing” feature.

Staying vigilant can save you from handing over your sensitive data to scammers. When in doubt, don’t click—verify.