Why those 'your password wasn't changed' emails from Google are actually a scam — and how to spot the real ones

The scam making the rounds

If you’ve received an email recently that says “Someone requested a password change for your Google Account and this change was not made,” and it had a link to click if you didn’t request it — you’re not alone. This particular format has been circulating widely in New Zealand since March 2026, and it’s catching people who consider themselves reasonably security-aware.

The emails look like this:

“We received a request to change the password for your account. If this wasn’t you, click here to secure your account.”

The real Google emails look almost identical. That’s intentional.

How to tell the difference

The sender address. Real Google emails come from no-reply@accounts.google.com. Scam emails typically come from something like google-support@mail.ru or security@google-accounts.info. Always check the full sender address, not just the display name.

The link destination. Before clicking any link in an email, hover your mouse over it (don’t click) and look at where it actually goes. Real Google password change links go to accounts.google.com. If the URL is something like google-secure-login.com or a shortened link, do not click.

Urgency and threat. Scam emails often create urgency — “act now or your account will be suspended.” Real security emails from Google are calmer and don’t threaten immediate account closure.

Requests for your password. Google will never ask you to send your password in an email, or ask you to enter your password via an email link. If an email is asking you to do either of these things, it’s a scam.

What to do if you received one of these emails

If you didn’t request a password reset, the safest response is to open a new browser tab and go directly to myaccount.google.com to check your security settings — don’t use any link in the email. [1]

If you did click and entered details somewhere, change your password immediately and check your recent account activity for anything suspicious. Enable two-factor authentication if you haven’t already. [2]

If you’ve received the email but didn’t click anything, mark it as spam and delete it.

The broader pattern

This scam works because it exploits trust in a well-known brand and a genuinely anxiety-inducing situation — the thought of someone getting into your email. The same format is used with Microsoft, Netflix, ANZ bank, and NZ Post. The format changes but the psychological lever is always the same.

---

What to take away from this

• Phishing emails that impersonate Google password reset notifications have been circulating in New Zealand since March 2026 — they catch even security-aware people

• The only reliable way to check your account status is to open a new tab and navigate directly to accounts.google.com — never click links in unsolicited security emails

• Check the full sender address before considering any email legitimate — scam addresses typically come from free email domains or look-alike domains

• Hover over any link before clicking to reveal the actual destination URL — real Google links always go to accounts.google.com

• The same psychological pattern is used across Microsoft, Netflix, ANZ, and NZ Post — learning to spot the Google version protects you against the others

• When in doubt: open a new browser tab and navigate directly to the service an email is asking you to act on — never use a link in an unsolicited message to access sensitive accounts. For a practical starting point on passwords and authentication, see our Passwords, Passphrases and MFA guide.

Sources and references

[1] New Zealand. National Cyber Security Centre. Phishing and scam guidance. https://www.ncsc.govt.nz/

[2] Google. Google Account Security Settings. https://myaccount.google.com/security