Tip: If you’re using a personal account, learn how to manage your account security settings.
As an administrator, you can use email alerts to notify you if there’s suspicious sign-in activity for one of your users. For example, we might notice a sign-in attempt that doesn’t match a user’s normal behavior. In most cases, before we send you an alert, we present the user with an extra security question or challenge. If the user fails or abandons the challenge, we send you the alert. The alert warns you that someone has the suspended user's password. For more information, see Administrator email alerts.
Examples of suspicious logins
- A user doesn't follow their usual sign-in pattern, such as signing in from an unusual location.
- There was a successful login from a suspended user's account.
Note: You might also get an alert if a suspicious event occurs when a user is using Mail Fetcher to import mail from another Gmail account, because the messages are being fetched through our servers.
Investigate suspicious sign-in activity
- Ask the user with the suspicious login if they remember signing in. They can check their last account activity if they're unsure.
- If you can't establish the legitimacy of the sign-in, follow the Administrator security checklist.
- Reset the password of any account with suspicious activity.
Because user activity logs are sensitive and potentially private, Google Cloud Support can’t investigate alerts that originate from suspicious login activity.
Stop incorrect suspicious login activity alerts
- If you find that suspicious login activity is actually a legitimate sign-in by a user, we recommend enrolling that user in 2-Step Verification.
- Consider enrolling all of your users in 2-Step Verification to reduce these alerts for your organization.