Security experts have warned about a new phishing campaign that uses a fake security page designed to mimic the account protection system of Google. The fraudulent page tricks users into believing they are completing a legitimate security verification, while secretly attempting to steal passwords and sensitive personal information.

According to cybersecurity researchers at Malwarebytes, the scam is designed to closely imitate official Google account security checks. The attackers rely on convincing visuals and familiar prompts to persuade users that their accounts may be at risk and require immediate verification.

The phishing attack typically begins when users land on a page that appears to be an authentic Google security alert. The site instructs victims to follow a verification process to secure their accounts. However, instead of protecting the account, the process installs a malicious application on the user’s device.

Researchers explain that the scam installs a rogue Progressive Web App, which can appear like a normal application on a device. Once installed, the malicious app may capture login credentials, track user activity, or collect sensitive personal information.

To make the scam more convincing, the attackers use domain names that resemble official Google websites. One example reported by security researchers includes deceptive domains such as google-prism.com, which visually appear legitimate to unsuspecting users.

Because these pages look almost identical to real Google interfaces, many users may not immediately recognize the threat. The attackers rely on urgency and fear, encouraging users to act quickly to “protect” their accounts.

Cybersecurity experts warn that phishing campaigns are becoming increasingly sophisticated. Modern scams frequently combine realistic website designs, fake security alerts, and malicious apps to bypass traditional security awareness.

Users are advised to verify website addresses carefully before entering login credentials. Official Google security checks will always be conducted through legitimate domains associated with the company, and users should avoid downloading apps or extensions prompted by suspicious websites.

Experts also recommend enabling two-factor authentication, keeping browsers updated, and using trusted security software to reduce the risk of such attacks.

As phishing techniques continue to evolve, staying informed about emerging cyber threats remains one of the most effective ways to protect personal data and online accounts.