Anatomy of the scam
A scammer triggers an account-recovery flow on your Google account using your email address. Google sends a verification code to your phone. The scammer calls, claims to be Google support investigating "suspicious sign-in activity," and asks you to read the code.
If you do, they complete the recovery and your account is theirs. From there they have Gmail, Drive, Photos, Calendar, your YouTube channel, and every site you've signed in to with Google. Attackers often pivot into draining accounts and sending phishing messages to your network.
The trick is that the code is real and comes from Google. The phone call is the scam, not the code.
Red flags
- A "Google support" caller asks for the verification code Google just sent.
- The call coincides with an unexpected SMS code from Google.
- The caller claims to be investigating "suspicious activity."
- They insist on staying on the line while you check the code.
- The caller's number isn't a verifiable Google support line (Google generally doesn't call consumers).
- Pressure to act quickly "before the hacker locks you out."
How to verify safely
- Google does not call you about account issues. Period. They surface alerts in-product.
- Never share a verification code sent to your phone with anyone, ever. Google's own SMS includes the warning "Don't share this code with anyone."
- Check your account security at myaccount.google.com/security.
- Use hardware-key or passkey-based 2FA. Codes can be phished; passkeys can't.
- Add a recovery email that isn't tied to your phone.
If you shared the code
- Initiate Google's account recovery process immediately at accounts.google.com/signin/recovery.
- Sign out of all sessions once you regain access.
- Change your password and recovery phone / email.
- Enable hardware-key 2FA.
- Check connected apps and revoke unknown ones.
- Review Gmail forwarding rules and filters — attackers add filters that hide responses.
- Notify your contacts that any recent strange messages from you were scams.
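The filter and forwarding review in the list above can be scripted once you have exported your filters. This is an added example, not part of the original page and not Google's code: it checks filter objects shaped like the Gmail API users.settings.filters resource for actions that forward mail or keep it out of the inbox. The sample filters and the trusted_forward_addrs parameter are constructed for illustration.

```python
# Added example: flag Gmail filters that could hide or leak mail.
# Filter dicts follow the Gmail API users.settings.filters resource shape
# (id, criteria, action.addLabelIds / removeLabelIds / forward).

HIDE_LABELS = {"INBOX": "skips the inbox", "UNREAD": "marks as read"}
ADD_LABELS = {"TRASH": "sends to trash", "SPAM": "sends to spam"}


def audit_filter(flt, trusted_forward_addrs=()):
    """Return a list of reasons this filter deserves manual review."""
    action = flt.get("action", {})
    reasons = []
    fwd = action.get("forward")
    # Any forward to an address the owner does not recognise is suspicious.
    if fwd and fwd.lower() not in {a.lower() for a in trusted_forward_addrs}:
        reasons.append(f"forwards to {fwd}")
    for label in action.get("removeLabelIds", []):
        if label in HIDE_LABELS:
            reasons.append(HIDE_LABELS[label])
    for label in action.get("addLabelIds", []):
        if label in ADD_LABELS:
            reasons.append(ADD_LABELS[label])
    return reasons


def audit_filters(filters, trusted_forward_addrs=()):
    """Map filter id -> (criteria, reasons) for every filter worth reviewing."""
    findings = {}
    for flt in filters:
        reasons = audit_filter(flt, trusted_forward_addrs)
        if reasons:
            findings[flt["id"]] = (flt.get("criteria", {}), reasons)
    return findings


# Constructed sample data (not from a real account).
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.com"},
     "action": {"addLabelIds": ["Label_12"]}},
    {"id": "f2", "criteria": {"query": "security alert OR password"},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f3", "criteria": {"from": "bank.example"},
     "action": {"forward": "drop@attacker.example", "addLabelIds": ["TRASH"]}},
    {"id": "f4", "criteria": {"to": "me@example.com"},
     "action": {"forward": "backup@example.org"}},
]

if __name__ == "__main__":
    trusted = ["backup@example.org"]
    for fid, (criteria, reasons) in audit_filters(SAMPLE_FILTERS, trusted).items():
        print(fid, criteria, "->", "; ".join(reasons))
```

A flagged filter is a prompt to look at it in Gmail's settings, not proof of compromise; plenty of legitimate filters archive or forward mail.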
What not to do
- Do not share verification codes with phone callers, ever.
- Do not trust "Google support" callers — Google doesn't call consumers about accounts.
- Do not assume a caller ID that shows "Google" is real. Caller ID is spoofable.
- Do not install any "verification app" the caller recommends.
Where to report
- FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
- FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
- CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
- IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
- Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.