Dharmendra Asimi
Founder, Aapta™ Solutions · Published June 11, 2026

"I Entered My Password Into a Phishing Site" - How to Secure Your Gmail or Google Workspace Account After a Credential Attack (2026)

You clicked a fake meeting link, signed in with Google, and only afterwards realised it was a phishing page. Here is exactly what to do in the next ten minutes and the next hour to secure your Gmail or Google Workspace account, why your 2-step verification may have saved you, and how to know for certain whether anyone actually got in.


The short answer

If you entered your password into a phishing site, act in this order: change your Google password from a device you trust, sign out of all other sessions, revoke any third-party app access you do not recognise, and check Gmail for forwarding rules or filters the attacker may have planted. Then change that same password anywhere else you reused it, because that is now the biggest risk. The single most important fact: if you had 2-step verification (2FA) switched on and the fake page never asked you for a code or a "tap yes", the attacker who captured your password almost certainly could not get in, because they did not have your second factor. If the page did ask for a second step, assume a live session was stolen and sign out everywhere first. Your job now is to confirm which case you are in and close the remaining doors. This guide walks through the full incident-response checklist for both personal Gmail and Google Workspace accounts, explains the one question that tells you how exposed you are, and shows you how to know for certain whether anyone actually logged in.

The scenario: how a normal day turns into a security incident

Picture a small business owner. A new enquiry arrives through a contact form or an inbox, polite and professional. The sender wants to discuss a project. After a couple of friendly messages, they send a link to "book a time that works for you." The link looks like a normal scheduling page. The branding is right. The address even contains the name of a recognised scheduling tool.

The page loads and asks them to "sign in with Google" to confirm the meeting. There is no option to just type a name and email the way a real booking page works. A Google login box appears. They type their email. They type their password. They hit enter.

Nothing obviously bad happens. A few minutes later, a polished confirmation email lands in the inbox, apparently from the scheduling tool, confirming a meeting. It looks completely legitimate, which is the most dangerous part of the whole thing, because that confirmation is engineered to make the victim think "it worked, it was real after all," so they relax and do nothing.

By the time they realise the login page was fake, the password is already gone. They typed their Google credentials directly into an attacker's form.

This is not a rare or exotic attack. It is one of the most common ways accounts are stolen in 2026, and the rest of this article is the playbook for what to do the moment you realise it has happened to you.

Why this attack works so well in 2026

The reason this keeps working is that the economics have flipped entirely in the attacker's favour. A few numbers tell the story.

Adversary-in-the-Middle (AiTM) phishing, in which the fake page proxies your sign-in to the real service so it can relay the multi-factor step and steal the session that results, rose 146% year over year according to Microsoft's 2025 Digital Defense Report as analysed in industry phishing statistics for 2026. Microsoft attributes 80% of MFA-bypass breaches to this single pattern, and tracked over 10,000 AiTM attacks per month against its users.

The tooling has been commodified. By mid-2025, a single phishing-as-a-service kit called Tycoon 2FA accounted for roughly 62% of the phishing volume Microsoft blocked. Kits with names like Tycoon 2FA, Mamba 2FA and Sneaky 2FA rent for $120 to $350 a month per WorkOS's 2026 analysis of MFA-bypass attacks, and the reverse-proxy technique they rely on is freely available in the open-source Evilginx framework. For the price of a streaming bundle, anyone can run a professional credential-harvesting operation.

The wider shift is away from malware entirely. CrowdStrike's 2026 Global Threat Report found that 82% of detections in 2025 were malware-free, meaning attackers are increasingly stealing identities rather than planting viruses. They do not need to break into your computer. They just need you to type your password into the wrong box once.

And the lures are better than ever because they are written by machines. AI-generated phishing messages now make up the majority of phishing email, and they are clicked far more often than the clumsy human-written attempts of a few years ago. The grammar is perfect, the tone is right, and the pretext is tailored. The era of spotting phishing by its spelling mistakes is over.

How the attack actually works, step by step

Understanding the mechanics tells you exactly which doors to close. Here is the full chain.

  1. The pretext. The attacker opens a normal-looking conversation: a new lead, a partnership enquiry, a recruiter, an invoice query. They invest a message or two building trust before the payload. Real conversations lower your guard.

  2. The lookalike link. They send a link that looks like a known scheduling or document tool. The trick is usually in the domain. A real Calendly link always sits on the calendly.com domain (calendly.com/username, or a subdomain of calendly.com). A phishing version might read somedomain.com/calendly/?token=..., where "calendly" is just a folder name on a server the attacker controls, dressed up to look official. The ?token= part identifies you as the specific target who clicked, so the attacker knows which lure worked.

  3. The forced Google login. The fake page demands that you "sign in with Google" and gives you no option to simply type your email into a form. This is the tell that matters most. Real scheduling tools never need your Google password to book a meeting. They ask you to pick a slot and type your email into a plain field. A page that forces a Google password prompt to do something that does not require one is harvesting credentials.

  4. Credential capture. When you type your email and password, the fake page records them. In the simplest version of the attack, that is all it does: it now has your password string.

  5. The Adversary-in-the-Middle upgrade. The more dangerous version puts the attacker's server invisibly between you and the real Google login. As you type, the kit relays everything to the genuine Google page in real time. If Google then asks for your 2FA code, the fake page asks you too, passes it through, and captures the session cookie Google issues after you pass 2FA. That cookie is a valid, already-authenticated session. Replaying it lets the attacker into your account without triggering another 2FA prompt. This is how modern phishing defeats two-factor authentication, and it is why a stolen session is more valuable than a stolen password.

  6. The reassurance. To stop you acting, the attacker often completes the illusion: they redirect you to a real booking page, or send a genuine-looking confirmation email. You think the meeting is real and you do nothing. Meanwhile they are either already inside or testing your password elsewhere.

The whole sequence can take less than a minute of your time and gives the attacker everything they need.
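The lookalike-link step above, and the "check the domain, not the design" advice later in this article, come down to one mechanical rule: decide by the hostname in the address bar, never by a tool name that appears in the path, the query string or a made-up subdomain. Here is that rule as code. It is an added example, not code from the article's author or from any of the tools it names; the KNOWN_TOOLS allowlist is a small hypothetical mapping you would replace with the services your business actually uses.

```python
"""Check whether a link really lives on the domain of the tool it pretends to be."""
import ipaddress
from urllib.parse import urlsplit, unquote

# Assumption: a small hypothetical allowlist of tools and the domains they really use.
KNOWN_TOOLS = {
    "calendly": ("calendly.com",),
    "docusign": ("docusign.com", "docusign.net"),
    "google": ("google.com", "googleusercontent.com"),
}


def host_on_domain(host, domain):
    """True only if host IS the domain or a subdomain of it (calendly.com.evil.test fails)."""
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Return ("ok" | "suspicious", [reasons]) using the hostname, never the branding."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # already lower-cased, userinfo stripped
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username is not None:
        # https://calendly.com@evil.test/ : the browser ignores everything before '@'
        reasons.append(f"text before '@' in the URL; the real host is {host}")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        reasons.append("internationalised hostname; possible lookalike characters")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a domain")
    except ValueError:
        pass
    # Path and query are attacker-controlled text; a tool name there proves nothing.
    path_and_query = unquote(parts.path + "?" + parts.query).lower()
    for tool, domains in KNOWN_TOOLS.items():
        if any(host_on_domain(host, d) for d in domains):
            continue  # genuinely on the tool's own domain
        if tool in host:
            reasons.append(f"'{tool}' inside hostname {host}, which is not {' or '.join(domains)}")
        elif tool in path_and_query:
            reasons.append(f"'{tool}' only in the path/query; the host is {host}")
    return ("suspicious" if reasons else "ok", reasons)


if __name__ == "__main__":
    # Constructed sample links: one real, three lookalikes of the kinds described above.
    for link in ("https://calendly.com/acme/30min",
                 "https://somedomain.com/calendly/?token=9f3a",
                 "https://calendly.com.evil.test/acme",
                 "https://calendly.com@evil.test/book"):
        verdict, why = classify_link(link)
        print(verdict, link, *why, sep="\n   ")
```

The subdomain test is the part people get wrong: calendly.com.evil.test does not end in ".calendly.com", so it fails, while book.calendly.com passes. A password manager applies the same host comparison before it autofills, which is why it stays silent on a lookalike page.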

Static phishing vs Adversary-in-the-Middle: the one question that decides your risk

Not every attack is equally serious, and one question sorts them. After you entered your password, were you asked for a second step, a six-digit code, a "tap yes" prompt, or any verification beyond the password?

Static credential theft
  What happened: the fake page asked only for email and password, with no second step.
  What the attacker got: your password string.
  How exposed you are: low, if 2-step verification is on. Your second factor blocks the login, and the captured password becomes useless once you change it.

Adversary-in-the-Middle
  What happened: the fake page also asked for a 2FA code or prompted a "tap yes", then seemed to succeed.
  What the attacker got: your password AND a live, authenticated session cookie.
  How exposed you are: high. They may hold an active session that bypasses 2FA. Kill all sessions immediately.

If you only ever typed your email and password, were never prompted for a code, and 2-step verification was switched on, it almost certainly shut the attacker out. The captured password, once changed, is worthless to them. One related tell: a Google prompt or verification code you did not ask for, arriving on your phone around the time of the click, means the attacker tried the password and was stopped at the second step. Never approve a prompt you did not start.

If 2-step verification was not on, the question above does not help you: the password alone was enough, so treat the account as compromised and work through the whole checklist without waiting for proof.

If you were prompted for a code and entered it, treat the account as potentially having an active hijacked session and prioritise signing out everywhere, covered below.

Either way, the remediation steps are the same. The difference is only how urgently you must complete the session-killing step.

The warning signs that were missed

Hindsight is useful here only because the same tells repeat on the next attack. In the scenario above, the signs were all present:

  • A folder named like a tool, on the wrong domain. "calendly" sitting as a path on someone else's website is not Calendly. Real tools live on their own domain.
  • Forced Google login with no manual option. The defining red flag. Booking a meeting, viewing a document, or downloading a file should never require your Google password.
  • The identity kept shifting. The first message came from one name, the booking confirmation showed a different name. Mismatched identities within one interaction are a strong fraud signal.
  • The meeting time was odd. A slot in the middle of the night for the victim's timezone, because the attacker is elsewhere and the scheduling is automated.
  • The questions went unanswered. When asked normal qualifying questions, the "lead" ignored them and pushed the link instead. Real prospects answer questions; phishers redirect you to the payload.

None of these requires technical knowledge to spot. They require only the habit of pausing before you type a password.

The first ten minutes: the emergency checklist

Speed matters most in the first few minutes. Do these two things before anything else, ideally from a different device you know is clean (your phone, if the click happened on your laptop).

1. Change your Google password

Type the address yourself, do not click a link in any email: go to myaccount.google.com, then Security, then Password. Choose a long, unique password you have never used anywhere else.

Changing your password does two things at once. It locks out anyone holding your old password, and on Google it automatically signs out most other active sessions, which begins to invalidate any stolen session cookie. Google's own guide to securing a hacked account makes this the first step for exactly this reason.

2. Sign out of all other sessions

Go to myaccount.google.com/device-activity. Review every device and session listed. Sign out anything you do not recognise. If you suspect an AiTM attack captured a session cookie, this is the step that kills it. A password change usually triggers this automatically, but confirm it manually so there is no doubt.

These two steps, done quickly, close the main door in almost every case. Everything below makes sure no window was left open.

Revoke third-party app access (this is not the same as app passwords)

This is the step people most often get wrong because two different things share similar names.

  • App passwords are credentials you generate so an older app can log in to your account. You may have already deleted unused ones, which is good.
  • Third-party app access (OAuth) is a list of apps and services you granted permission to read your mail, calendar, or files. This is where a consent-phishing attack hides, because in some versions of the attack you do not give up your password at all, you click "Allow" on a real Google permission screen for a malicious app.

Check the OAuth list: go to myaccount.google.com/permissions. Review every app with access to your account. Remove anything you do not recognise or no longer use. Pay special attention to anything granted "full access" to your Google Account or broad access to Gmail. If you are not sure whether something is legitimate, remove it; a real app you use daily will simply ask you to reconnect.

Doing both, deleting stray app passwords and revoking unknown OAuth access, covers both the password-theft and the consent-phishing versions of the attack.

Hunt for attacker persistence in Gmail (the steps people skip)

A clever attacker who gets even brief access will try to keep it after you change your password. The most common way they do this in Gmail is by setting up quiet rules that survive a password reset. These are the steps most guides leave out, and they are the ones that catch a determined intruder.

Check all three of these in Gmail settings:

1. Forwarding. Settings → Forwarding and POP/IMAP. Look for any forwarding address you did not add. Attackers set up auto-forwarding to siphon a copy of every email you receive to an address they control. While you are on that tab, check whether POP or IMAP access has been switched on: an attacker who enables it can keep reading the mailbox from a mail client long after the browser session is gone.

2. Filters. Settings → Filters and Blocked Addresses. Look for filters that automatically delete, archive, mark as read, or forward mail, especially any filter matching words like "security," "password," "login," or your bank's name, or mail from no-reply@accounts.google.com. Attackers create these to hide Google's own security alerts from you so you never see the warning that your account was accessed. Security vendor Push Security documents this exact technique in their guide to malicious Gmail filters.

3. Send-as addresses. Settings → Accounts and Import → Send mail as. Look for any address you did not add. An attacker who can send mail "as you" can run invoice fraud against your contacts from your own identity.

Delete anything in these three places that you did not set up yourself. This is the difference between locking the front door and also checking that nobody left a window unlatched.
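The three checks above are easy to do by hand for one mailbox and tedious for a whole domain, so here is the same hunt as a script. It is an added example, not the article's own tooling or Google's. The input dictionaries are shaped like the Gmail API settings responses (users.settings.getAutoForwarding, forwardingAddresses.list, filters.list and sendAs.list); the mailbox below is constructed, and the OWNER and TRUSTED values are assumptions you would replace with the real account and the addresses its owner recognises. In a Workspace domain the same function can be pointed at every mailbox via a service account with domain-wide delegation.

```python
"""Audit Gmail settings for attacker persistence: forwarding, filters and send-as."""

OWNER = "owner@example.com"                  # assumption: the account being audited
TRUSTED = {OWNER, "assistant@example.com"}   # assumption: addresses the owner knows
# Terms that show up in the mail an intruder most wants the victim never to see.
SECURITY_TERMS = ("security", "password", "login", "sign-in", "verification",
                  "accounts.google.com", "no-reply@accounts")


def audit_filter(flt):
    """Return (severity, reasons) for one filter; severity is None if it is benign."""
    action = flt.get("action", {})
    added = set(action.get("addLabelIds", []))
    removed = set(action.get("removeLabelIds", []))
    reasons = []
    if action.get("forward"):
        reasons.append(f"forwards matches to {action['forward']}")
    if "TRASH" in added:
        reasons.append("auto-deletes matches")
    if "SPAM" in added:
        reasons.append("auto-marks matches as spam")
    if "INBOX" in removed:
        reasons.append("archives matches so they skip the inbox")
    if "UNREAD" in removed:
        reasons.append("marks matches as read")
    if not reasons:
        return None, []
    criteria_text = " ".join(str(v) for v in flt.get("criteria", {}).values()).lower()
    hits = [t for t in SECURITY_TERMS if t in criteria_text]
    if hits:
        # A hide/delete/forward rule aimed at security mail is the alert-suppression filter.
        reasons.append("criteria target security mail: " + ", ".join(hits))
    severity = "high" if hits or action.get("forward") else "review"
    return severity, reasons


def audit_mailbox(settings):
    """Walk all four setting groups; return (severity, area, detail, reasons) findings."""
    findings = []
    auto = settings.get("autoForwarding", {})
    if auto.get("enabled") and auto.get("emailAddress") not in TRUSTED:
        findings.append(("high", "auto-forwarding", auto.get("emailAddress"),
                         [f"all mail copied out, disposition={auto.get('disposition')}"]))
    for fa in settings.get("forwardingAddresses", []):
        addr = fa.get("forwardingEmail")
        if addr not in TRUSTED:
            findings.append(("high", "forwarding address", addr,
                             [f"unknown address, status={fa.get('verificationStatus')}"]))
    for flt in settings.get("filters", []):
        severity, reasons = audit_filter(flt)
        if severity:
            findings.append((severity, "filter", flt.get("id"), reasons))
    for sa in settings.get("sendAs", []):
        addr = sa.get("sendAsEmail")
        if not sa.get("isPrimary") and addr not in TRUSTED:
            findings.append(("high", "send-as", addr,
                             [f"unknown identity, status={sa.get('verificationStatus')}"]))
    return findings


# Constructed sample mailbox: one planted forwarding address, one alert-hiding filter,
# one legitimate newsletter filter, and a send-as identity the owner never added.
SAMPLE = {
    "autoForwarding": {"enabled": False},
    "forwardingAddresses": [
        {"forwardingEmail": "assistant@example.com", "verificationStatus": "accepted"},
        {"forwardingEmail": "backup.mail.2026@example.net", "verificationStatus": "accepted"},
    ],
    "filters": [
        {"id": "ANe1Bmj1", "criteria": {"from": "newsletter@example.org"},
         "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_7"]}},
        {"id": "ANe1Bmj2",
         "criteria": {"query": "from:no-reply@accounts.google.com OR subject:(security alert)"},
         "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["UNREAD", "INBOX"]}},
    ],
    "sendAs": [
        {"sendAsEmail": OWNER, "isPrimary": True, "verificationStatus": "accepted"},
        {"sendAsEmail": "billing@example.net", "isPrimary": False,
         "verificationStatus": "pending"},
    ],
}


def audit_sample():
    return audit_mailbox(SAMPLE)


if __name__ == "__main__":
    for severity, area, detail, reasons in audit_sample():
        print(f"[{severity}] {area} {detail}: " + "; ".join(reasons))
```

Everything that deletes, archives, marks read or forwards is listed for review, because that is the full set of actions an intruder uses; the ones that also match security mail or forward out are marked high and are the ones to delete first.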

Regenerate backup codes and audit app passwords

Two quick housekeeping steps to remove anything the attacker might have grabbed if they had any access.

  • Backup codes. If you use 2-step verification backup codes, regenerate them at myaccount.google.com → Security → 2-Step Verification → Backup codes. Generating a new set instantly invalidates the old set, so any codes that may have been captured become useless.
  • App passwords. In the same 2-Step Verification area, open App passwords and review the list. Delete any you do not actively use, and any you do not recognise. Each app password is a way into your account that bypasses 2FA, so a short, known list is much safer than a long, forgotten one.

Check your recovery email and phone

Attackers frequently try to change your recovery options so they can reset your password later, even after you lock them out now. Go to myaccount.google.com → Security and review your recovery email and recovery phone. Confirm both are still yours and that nothing unfamiliar has been added. If anything was changed, restore it to your own details immediately. This closes the back door that would otherwise let them walk straight back in next week.

How to know for certain whether anyone actually got in

After the lockdown, the natural question is "did they actually access my account, or did 2FA stop them?" You do not have to guess. There are three independent places to check, in order of how reliable and easy they are.

1. Gmail's "last account activity" (works on every account, cannot be hidden)

This is the most reliable check because it shows IP addresses and it cannot be turned off by any setting. Open Gmail in a web browser on a computer, scroll to the very bottom of the inbox, and find the small grey text in the bottom right that reads "Last account activity." Click Details.

A window opens showing recent sessions: the access type (browser, mobile, IMAP), the location and IP address, and the time. Scan the last day or two. If every entry matches your own location and devices, your 2FA held and nobody got in. If there is a sign-in from a country or IP you do not recognise, that is an intruder. The same window has a "Sign out all other web sessions" button; use it.

2. Your devices and security activity

myaccount.google.com/device-activity shows everything currently signed in. myaccount.google.com/notifications shows recent security events such as new sign-ins, password changes, and 2FA changes. Review both for anything you did not do.

3. The admin console login audit log (Google Workspace only)

If you are on Google Workspace, the audit log is the authoritative org-level record. The menu was reorganised recently, so the path is now: admin.google.com → Reporting → Audit and investigation. That page opens on a default data source, so use the data-source selector to switch to Login log events. Filter by the affected email, set the time range to the last day or two, and look for Login Success events from unfamiliar IPs or locations. This tells you definitively whether the attacker completed a login. Google documents this process in its guide to identifying and securing compromised accounts.

If all three sources show only your own activity, you can be confident the attacker captured a password that your 2FA rendered useless.
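For a Workspace admin the login log is also available programmatically through the Reports API (applicationName "login"), which is the practical way to answer "did they get in?" for more than one user. The script below is an added example, not Google's code or the article's; the records are shaped like Reports API login activities (an id.time, an actor, an ipAddress and a list of named events), the sample activity is constructed, and KNOWN_NETWORKS is an assumed list of the networks the owner normally signs in from. It flags a login_success from outside those networks and, when a 2-step challenge from the same unknown IP immediately precedes it, names that as the AiTM pattern, since a static phish never gets past the challenge.

```python
"""Triage Workspace login log events for signs the phished credential was actually used."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: the networks this user normally signs in from (office, home). Constructed.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
CHALLENGE_WINDOW = timedelta(minutes=10)   # challenge and success this close = one sign-in


def parse_time(stamp):
    """Reports API timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def param(event, name):
    """Pull one named parameter out of a login event's parameter list."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value", p.get("boolValue", p.get("multiValue")))
    return None


def is_known_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETWORKS)


def triage_logins(activities, since):
    """Return (time, ip, message) findings for one user's login activity since `since`."""
    findings = []
    last_challenge = {}   # ip -> time of the latest 2-step challenge seen from that ip
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        when = parse_time(act["id"]["time"])
        if when < since:
            continue
        ip = act.get("ipAddress", "")
        if is_known_ip(ip):
            continue          # the owner's own devices; nothing to report
        for ev in act.get("events", []):
            name = ev.get("name")
            if name == "login_failure":
                findings.append((when, ip, "login_failure from unknown IP: password being tested"))
            elif name in ("login_challenge", "login_verification"):
                last_challenge[ip] = when
            elif name == "login_success":
                msg = f"login_success from unknown IP via {param(ev, 'login_type')}"
                challenged = last_challenge.get(ip)
                if challenged and when - challenged <= CHALLENGE_WINDOW:
                    msg += "; passed a 2-step challenge first: AiTM pattern, kill all sessions"
                findings.append((when, ip, msg))
    return findings


def activity(stamp, ip, name, **params):
    """Build one record in the Reports API login shape (constructed, not real data)."""
    return {"id": {"time": stamp, "applicationName": "login"},
            "actor": {"email": "owner@example.com"}, "ipAddress": ip,
            "events": [{"type": "login", "name": name,
                        "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}


SINCE = datetime(2026, 6, 9, tzinfo=timezone.utc)
SAMPLE = [
    activity("2026-06-01T09:00:00Z", "192.0.2.9", "login_success", login_type="google_password"),
    activity("2026-06-10T08:02:11Z", "198.51.100.23", "login_success", login_type="google_password"),
    activity("2026-06-10T13:41:05Z", "192.0.2.77", "login_failure", login_type="google_password"),
    activity("2026-06-10T13:41:52Z", "192.0.2.77", "login_challenge", login_type="google_password"),
    activity("2026-06-10T13:42:30Z", "192.0.2.77", "login_success", login_type="google_password"),
]


def triage_sample():
    return triage_logins(SAMPLE, SINCE)


if __name__ == "__main__":
    for when, ip, msg in triage_sample():
        print(when.isoformat(), ip, msg)
```

The first sample record is older than the window and is skipped; the office sign-in is on a known network and is skipped; the three events from 192.0.2.77 produce two findings, the second of which is the one that changes your response from "2FA held" to "a session was stolen".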

The blast radius you might be forgetting: password reuse

Here is the part people overlook because they fixate on the Google account. Once your Google password is changed, the single biggest remaining risk is everywhere else you used that same password.

The attacker now holds the exact password string. Within hours, automated tools will try it against every major service tied to your email address: your bank, your payment processor, your hosting provider, your code repositories, your social accounts, your domain registrar. This is called credential stuffing, and it works because so many people reuse passwords. Industry reporting found that a striking share of breached credentials are reused across services, which is precisely why one stolen password becomes many compromised accounts.

So the action is simple and urgent: if that Google password (or a close variant) is used anywhere else, change it there now, with a unique password per service. For a business owner, that especially means payment systems, hosting and cloud accounts, your domain and DNS, and anything that controls money or your website. A password manager makes "unique password per service" practical; without one, prioritise the accounts that touch money and infrastructure first.

This is the step that turns a contained incident into a fully closed one. Locking the Google account while leaving the reused password live elsewhere is like changing your front door lock but leaving the same key under the mat at every other property you own.

If you are a Google Workspace administrator

A Workspace admin has more power to respond and more responsibility, because a compromised account can be a doorway into the whole organisation. If the affected account is yours as admin, or belongs to someone in your org, do the following in addition to everything above.

Force sign-out / reset sign-in cookies
  Where: Admin console → Directory → Users → the user → Security → Reset sign-in cookies
  Why: invalidates every active session and stolen cookie org-side, not just user-side.

Force a password reset
  Where: Admin console → Directory → Users → the user → Reset password
  Why: guarantees the credential change even if the user is locked out. Choose the option that makes the user set a new password at next sign-in, so the temporary one does not linger.

Review the admin audit log
  Where: Reporting → Audit and investigation → Admin log events
  Why: catches any settings the attacker changed: new users, role grants, sharing rules.

Check for new or elevated users
  Where: Directory → Users, and Account → Admin roles
  Why: attackers create backdoor accounts or grant themselves admin roles.

Review email routing and compliance rules
  Where: Apps → Google Workspace → Gmail → Routing
  Why: org-level forwarding rules are a stealthier version of the per-mailbox trick.

Confirm 2-step verification is enforced
  Where: Security → Authentication → 2-Step Verification
  Why: enforcement, not just availability, is what stops the next attack.

Google's official Workspace guidance for compromised accounts is the canonical reference, and a Workspace admin should treat one phished user as a prompt to verify these controls across the whole domain, not just the single account. If your business depends on this account for email, billing, and infrastructure, this is also the moment to consider professional help locking down the wider stack; this is the kind of work we cover when we harden a client's systems.

How to make sure it never works on you again

Cleaning up is reactive. These changes make the next attempt fail before it starts.

  • Move to passkeys or phishing-resistant 2FA. A passkey or a hardware security key is bound to the real website's origin: the browser will not use it on a lookalike domain, and the server rejects any sign-in whose signed data names the wrong origin, which defeats even AiTM attacks. This is the strongest single upgrade you can make. The FIDO Alliance explains how passkeys remove the phishable shared secret entirely.
  • Adopt the one unbreakable rule. No legitimate service ever needs your Google or Microsoft password to let you book a meeting, view a document, or download a file. The moment any "scheduling link" or "shared file" demands your email login, stop. That is the attack, every time.
  • Check the domain, not the design. Branding is trivial to copy. The domain in the address bar is the truth. Real tools live on their own domain (calendly.com, not somesite.com/calendly).
  • Use a password manager. It gives every site a unique password, so one stolen credential cannot cascade, and it will refuse to autofill on a lookalike domain, which is a quiet but powerful phishing check.
  • Treat unsolicited links as suspicious by default. A link from a new contact, even a friendly one, earns a second look before you click, and a third look before you ever type a password.

For businesses, these habits matter beyond one account. The same discipline that protects your inbox protects your website, your hosting, and your customer data, which is why we treat account security as part of the same conversation as WordPress security and site reliability.

FAQ

I entered my password into a phishing site but I have 2-step verification. Am I safe?

Almost certainly, if it was a static phishing page that only captured your password. Your 2FA second factor blocks the login, and once you change the password the captured one is useless. The exception is an Adversary-in-the-Middle attack that also prompted you for a 2FA code and captured the resulting session cookie. If you were asked for a code after the password, sign out of all sessions immediately to kill any active session. Either way, change your password and run the checklist in this article.

How do I know if it was a normal phishing page or an Adversary-in-the-Middle attack?

Ask yourself one question: after you entered your password, were you prompted for a six-digit code, a "tap yes" notification, or any second verification step? If no, it was static credential theft, and provided 2-step verification was switched on, your second factor protected you. If yes, treat it as AiTM, which means a session cookie may have been captured, and prioritise signing out of all sessions everywhere.

Should I change my password even if I think 2FA stopped them?

Yes, immediately, and not only on Google. The attacker has your password string and will try it on every other service tied to your email. Change it on Google first, then change it anywhere else you reused it, especially banking, payments, hosting, and your domain registrar. Use a unique password per service.

Will changing my Google password sign the attacker out?

On Google, changing your password automatically signs out most other active sessions, which begins to invalidate any stolen session cookie. It is still worth manually signing out of all sessions at myaccount.google.com/device-activity to be certain, particularly if you suspect an AiTM attack.

How do I check if an attacker set up email forwarding or filters?

In Gmail settings, check three places: Forwarding and POP/IMAP for any forwarding address you did not add, Filters and Blocked Addresses for any rule that deletes or forwards mail, and Accounts → Send mail as for any address you did not add. Attackers use these to siphon your mail and hide security alerts. Delete anything you did not set up yourself.

What is the difference between app passwords and third-party app access?

App passwords are credentials you generate so an older app can sign in. Third-party app access (OAuth) is a list of apps you granted permission to read your data. They are different lists in different places. After a phishing incident, audit both: delete unused app passwords at the 2-Step Verification settings, and revoke unknown app access at myaccount.google.com/permissions.

I am a Google Workspace admin. What extra steps do I need to take?

Beyond the personal steps, use the admin console to force sign-out and reset sign-in cookies for the affected account, force a password reset, and review the admin audit log for any configuration the attacker changed, such as new users, role grants, or routing rules. Treat one phished user as a prompt to verify 2FA enforcement and security settings across the whole domain.

How can I stop this from ever working on me again?

Switch to passkeys or a hardware security key, which will not authenticate on a fake lookalike page and so defeat even advanced phishing. Adopt the rule that no legitimate service needs your email password to let you book a meeting or open a file. Check the domain in the address bar rather than trusting the design. And use a password manager, which gives every site a unique password and refuses to autofill on the wrong domain.

About the author

Dharmendra Asimi is the founder of Aapta Solutions, established in 2007 and now serving SMBs and growing brands across India, the United States, and the United Kingdom. Over the past twenty years he has shipped WordPress builds, e-commerce stores, managed cloud hosting, and SEO programmes for hundreds of businesses (from single-product Shopify stores to multi-region WordPress estates handling Black Friday peaks).

He is the creator of Aapta GEO (a free 30-second AI-readiness scan) and Aapta SEO AI (a monthly tracker for how ChatGPT, Claude, Perplexity, and Gemini cite your content). His writing on web engineering and AI-search visibility is read by founders, marketing teams, and SEO managers across three time zones.

Areas of expertise: WordPress development at scale · managed cloud hosting (AWS, GCP, Azure, Cloudflare) · technical SEO · Generative Engine Optimization (GEO) · AI-search citation tracking · ecommerce architecture across WooCommerce, SureCart, Shopify, and Magento · Site Reliability Engineering for content platforms · brand strategy and visual identity.


This article is maintained as part of Aapta's content quality programme. If any data point looks stale or incorrect next time you read this, tell us and we will verify and update within 48 hours.
