Avoid and report phishing emails

Learn how to spot deceptive requests online and take recommended steps to help protect your Gmail and Google Account.

What phishing is

Phishing is an attempt to steal personal information or break into online accounts using deceptive emails, messages, ads or sites that look similar to sites that you already use. For example, a phishing email may look as though it's from your bank and request private information about your bank account.

Phishing messages or content may:

Ask for your personal or financial information.
Ask you to click links or download software.
Impersonate a reputable organisation, such as your bank, a social media site you use or your workplace.
Impersonate someone you know, such as a family member, friend or coworker.
Look exactly like a message from an organisation or person who you trust.

Avoid phishing messages and content

To help you avoid deceptive messages and requests, follow these tips.

1. Pay attention to warnings from Google

Google uses advanced security to warn you about dangerous messages, unsafe content or deceptive websites. If you receive a warning, avoid clicking on links, downloading attachments or entering personal information. Even if you don't receive a warning, don't click on links, download files or enter personal info in emails, messages, web pages or pop-ups from untrustworthy or unknown providers.

2. Never respond to requests for private info

Don't respond to requests for your private info over email, text message or phone call.

Always protect your personal and financial info, including your:

Usernames and passwords, including password changes
National insurance number or government identification numbers
Bank account numbers
PINs (Personal Identification Numbers)
Credit card numbers
Birthday
Other private information, such as your mother's maiden name

Tip: Only give out contact info such as your email address or phone number to a website if you've confirmed that it's reputable. Don't post your contact info on public forums.

3. Don't enter your password after clicking a link in a message

If you're signed in to an account, emails from Google won't ask you to enter the password for that account.

If you click a link and are asked to enter the password for your Gmail, your Google Account or another service, don't enter your information. Instead, go directly to the website that you want to use.

If you think that a security email that looks like it's from Google might be fake, go directly to myaccount.google.com/notifications. On that page, you can check your Google Account's recent security activity.

4. Beware of messages that sound urgent or too good to be true

Scammers use emotion to try to get you to act without thinking.

Beware of urgent-sounding messages

For example, beware of urgent-sounding messages that appear to come from:

People that you trust, such as a friend, family member or person from work. Scammers often use social media and publicly available information to make their messages more realistic and convincing. To find out if the message is authentic, contact your friend, family member or colleague directly. Use the contact info you normally use to communicate with them.
Authority figures, such as tax collectors, banks, law enforcement or health officials. Scammers often pose as authority figures to request payment or sensitive personal information. To find out if the message is authentic, contact the relevant authority directly.

Tip: Beware of scams related to COVID-19, which are increasingly common. Learn more about tips to avoid COVID-19 scams.

Beware of messages that seem too good to be true

Beware of messages or requests that seem too good to be true. For example, don't be scammed by:

Get-rich-quick scams. Never send money or personal information to strangers.
Romance scams. Never send money or personal info to someone you met online.
Prize winner scams. Never send money or personal info to someone who claims you won a prize or competition.

5. Stop and think before you click

Scammers often try to deliver unwanted software in links through email, social media posts or messages, and text messages. Never clicks links from strangers or untrustworthy sources.

Use tools to help protect against phishing

1. Use Gmail to help you identify phishing emails

Gmail is designed to help protect your account by identifying phishing emails automatically. Look out for warnings about potentially harmful emails and attachments.

Note: Gmail won't ever ask you for personal information, such as your password, by email.

When you get an email that looks suspicious, here are a few things to check for:

Check that the email address and the sender name match.
Check if the email is authenticated.
See if the email address and sender name match.
On a computer, you can hover over any links before you click on them. If the URL of the link doesn't match the description of the link, it might be leading you to a phishing site.
Check the message headers to make sure that the 'from' header isn't showing an incorrect name.

2. Use Safe Browsing in Chrome

To get alerts about malware, risky extensions, phishing or sites on Google's list of potentially unsafe sites, use Safe Browsing in Chrome.

In your Safe Browsing settings, choose Enhanced protection for additional protections and to help improve Safe Browsing and overall web security.

You can download Chrome at no charge.

3. Check for unsafe saved passwords

You can find and change any unsafe passwords saved in your Google Account to help secure your accounts.

4. Help protect your Google Account password

To be notified if you enter your Google Account password on a non-Google site, turn on Password Alert for Chrome. That way, you'll know if a site is impersonating Google, and you can change your password if it gets stolen.

5. Learn about two-step verification

With two-step verification, you add an extra layer of security to your account in case your password is stolen. Learn how you can protect your account with two-step verification.

Report phishing emails

When we identify that an email may be phishing or suspicious, we may show a warning or move the email to Spam. If an email wasn't marked correctly, follow the steps below to mark or unmark it as phishing.

Important: When you manually move an email into your Spam folder, Google receives a copy of the email and any attachments. Google may analyse these emails and attachments to help protect our users from spam and abuse.

Report an email as phishing

On a computer, go to Gmail.
Open the message.
Next to Reply , click More .
Click Report phishing.

Report an email incorrectly marked as phishing

On a computer, go to Gmail.
Open the message.
Next to Reply , click More .
Click Report not phishing.