New Gmail 2FA Code Attack Alert — Don’t Lose Your Account Access

Google has confirmed a new phishing attack targeting users, and it's essential to be aware of the risks to protect your account.

Gmail Attack Confirmed — “Remain Vigilant,” Google Warns Users. Beware this Gmail account verification scam.

Update, May 8, 2025: This story, originally published May 7, has been updated with a statement from Google concerning the latest Gmail impersonation attack, as detailed by a Reddit user, along with information on recovering access to a hacked Google account.

Your Gmail account is under attack from those who would compromise it, lock you out, and then use the resources within to stage further attacks against you and your contacts. Everything from fake security alert email notifications and infostealer malware campaigns to 2FA bypass attacks is employed by cybercriminals looking to access your Google account.

Now, a Reddit user has warned about a hacker that tried to get them to part with their 2FA code as part of an elaborate Gmail verification attack. Here’s what you need to know and do to ensure you don’t lose your account.

The Gmail Account Recovery 2FA Code Attack Explained

Employing phony technical support or security team alerts in an attempt to convince someone to hand over their account credentials is not a new wheeze that has just been dreamed up by a forward-looking hacker. Heck, I was doing precisely this as part of social engineering campaigns against clients, with their permission, twenty years or more ago.

Impersonation is the greatest form of flattery, and the easiest way to convince someone to give you what you want. Only last year, I penned a report that went viral describing just such a scam, involving emails and AI-powered phone calls in an attempt to relieve a thankfully technology-savvy target of their account credentials.

But old never gets old, especially when it evolves and is successful. One Redditor has now warned other users in the Gmail subreddit of a similar attack they have just experienced firsthand: an evolved account recovery 2FA code verification scam, this time without the AI component and with a human hacker on the other end of the line.

The Attack Details

Going by the name of EvilKittensCo on Reddit, the poster explained that they had been on the receiving end of a telephone call from someone purporting to be a Google support agent. The caller claimed that they needed to verify the poster’s Gmail recovery details in order to regain access to the account.

The attacker told them that if they didn't provide their 2FA code, their account would be permanently compromised and deleted. Of course, this is a classic phishing tactic designed to scare the victim into divulging sensitive information.

How To Protect Yourself

Google’s Richendrfer recommends that all Gmail users “set up a recovery phone as well as a recovery email on their account,” which can then be used if an attacker changes your credentials, or even if you simply forget your own password.

Yes, that happens, and here’s a big hint to prevent it: use a password manager, m’kay. Anyway, back to the point: as the legitimate and original Google account holder, you get a whole week, seven days, in which to regain control of that account even if an attacker has changed your recovery telephone number.

“Our automated account recovery process allows a user to use their original recovery factors for up to 7 days after it changes,” Richendrfer said, “provided they set them up before the incident.”

Recovering Your Account

To add or change a recovery phone number or email on Android, open your device’s Settings app, tap Google, then your name, then the Manage your Google Account option. Now head for the Security section, where under “How you sign in to Google” you can select the options for a recovery phone or recovery email.

You will likely be asked to sign in before getting any further, but the selection process is very straightforward and takes no time at all. You can find more details on recovering a Google account following a successful Gmail hack here.