Fix or stop suspicious login activity alerts

Tip: If you’re using a personal account, learn how to manage your account security settings.

If you’re a G Suite administrator and you have turned on email alerts for suspicious login activity, you’ll receive an email alert if there is suspicious sign-in activity for one of your users. For example, if we notice a sign in attempt that doesn’t match a user’s normal behavior, such as a sign in from an unusual location, or because we think an unauthorized person attempted to access a user's account.

In most cases, before we send an alert, we show the user a Login Challenge. If the user fails or abandons the challenge, we send you the suspicious login alert. A successful login attempt from a suspended user's account also triggers an alert. This warns you that someone has the suspended user's password. Reset the password before you re-enable the account. You may also get an alert if a suspicious event occurs when a user is using Mail Fetcher to import mail from another Gmail account, because the messages are being fetched through our servers.

Investigate and secure suspicious login activity

  1. Ask the user with the suspicious login if they remember signing in. They can check their last account activity if they're unsure.
  2. If you can't establish the legitimacy of the sign-in, follow the Administrator security checklist.
  3. Reset the password of any account with suspicious activity.

Because user activity logs are sensitive and potentially private, Google Cloud Support can’t investigate alerts that originate from suspicious login activity.

Stop incorrect suspicious login activity alerts

  1. If you find that a suspicious login activity is actually a legitimate sign in by a user, we recommend enrolling that user in 2-Step Verification.
  2. Consider enrolling all of your users in 2-Step Verification to reduce these alerts for your organization.
Was this article helpful?
How can we improve it?