Government-backed attackers may be trying to steal your password
About this warning
We regularly receive reports from users as well as from our own signaling systems that monitor for suspicious login attempts and other activity. It's likely that you received emails containing harmful attachments, links to malicious software downloads, or links to fake websites that are designed to steal your passwords or other personal information.
For example, attackers have been known to send damaging PDF files, Office documents, or RAR files.
To protect users going forward, we can't share details about precisely when or how we detected specific attacks. Google’s internal systems have not been compromised.
The Gmail warning includes personalized guidance to improve your security, based on your current account and browser settings. It will reappear after a short time to help remind you to take the recommended steps toward a more secure account. You can then switch off the warning; if it is shown again after weeks or months, it is because we detected new activity against your account.
Secure your account
- Enroll in the Advanced Protection Program. This protects you against common ways people hijack your account and get access to your emails, documents, contacts, and other personal information.
- Always use up-to-date software. This includes your Internet browser, operating system, plugins, and document editors. Consider switching to the Chrome browser, whose auto-updating security feature reduces the risk of running out-of-date software. It can also safely open PDF documents.
- Enable 2-step verification in Gmail. This feature sends a second password to your phone, giving you an extra layer of security that has been successful in protecting against some attacks.
- Install Google Authenticator. If you've enabled 2-step verification, we strongly recommend also installing the Authenticator app to receive codes when you don't have an internet connection or mobile service.
- Set up a Security Key in Gmail. These physical keys, which fit into a USB slot and can also work over Bluetooth or NFC, provide the strongest form of 2-step verification to protect your account from hijackers. A basic model sells for under $20 USD and can be used for more websites than just Gmail.
- Install Password Alert in Chrome. This free and open-source Chrome extension tries to alert you immediately if you reuse your password or enter it on a fake login page.
- Remove unwanted pop-ups and other malware. If you keep seeing pop-ups, ads you don't recognize, or a homepage you didn't set, you might have an unwanted program called malware on your computer. To remove malware and protect your browser, follow these anti-malware tips.