Key Takeaways
- Scammers are calling and emailing people with fake "Digital Legacy" or "Death Certificate" notices claiming their Google account is being closed.
- The attack uses legitimate Google infrastructure — links go to sites.google.com — so standard spam filters let it through.
- The end goal is not just your password. Victims are tricked into approving the registration of a passkey on a device the attacker controls, which gives the attacker persistent sign-in access that bypasses both your password and your two-factor authentication.
- Google will never call you about your account status. Any unsolicited call or email claiming otherwise is a scam.
What Is Happening
A new phishing campaign is targeting Google account holders with a message designed to trigger immediate panic: a "Digital Legacy Request" or "Death Certificate" has been filed against your account, and unless you verify you are alive, your account will be closed. The message arrives either as an AI-generated phone call or a convincing email. Both direct you to a URL that appears to be on Google's own infrastructure.
That is not an accident. The fake verification pages are hosted on sites.google.com — Google's free website builder. Because the domain is legitimately owned by Google, most spam filters pass it without a second look, and most users see "google.com" in the address bar and assume they are safe. They are not.
What They Actually Want
The goal of this attack goes beyond stealing your password. The fake site asks you to "verify" your identity by signing in or approving a security request. If you comply, you may be tricked into approving the enrollment of a passkey on the attacker's device, a credential that lets the attacker sign in to your account in the future without your password or your two-factor authentication code. An attacker-registered passkey is harder to detect and remove than a stolen password: it survives a password change, it has to be deleted explicitly, and most people never audit the passkeys registered on their account.
Three Warning Signs
The following indicators should stop you cold regardless of how convincing the message looks.
| Warning Sign | What It Means |
|---|---|
| Google called you | Google does not make unsolicited calls about your account. Full stop. Any call claiming to be Google support discussing your "legacy" or "death certificate" is a scam. |
| The link goes to sites.google.com | Real Google account security pages live at myaccount.google.com. A security alert hosted on sites.google.com (the free website builder) is a red flag, regardless of how official it looks. |
| You are asked to approve a prompt you did not trigger | If anyone on a call asks you to approve a security prompt, read back a code, or "confirm" a sign-in request you did not initiate, they are attempting to break into your account in real time. |
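The second warning sign in the table, the link destination, is easy to get wrong by eye because a URL can carry misleading text before the real host. The following link triage function is an added example written for this page, not code from the author or from Google; the host lists and the sample message are constructed assumptions. It shows the two cases people miss: text before `@` in a URL is a username, not the host, and a lookalike such as `myaccount.google.com.evil.example` is not a google.com host at all.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list: where genuine Google account security pages live.
GOOGLE_ACCOUNT_HOSTS = {"myaccount.google.com", "accounts.google.com"}
# Assumed deny-list: Google-owned hosts that serve user-authored content.
USER_CONTENT_HOSTS = {"sites.google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def classify_link(url: str) -> str:
    """Return a verdict string for one URL found in an email or SMS."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "suspicious: non-web scheme"
    # urlsplit already splits userinfo from the host: "a.example@b.example"
    # parses as username "a.example" and hostname "b.example".
    if parts.username is not None:
        return "suspicious: credentials in URL (text before @ is not the host)"
    host = (parts.hostname or "").lower().rstrip(".")
    if host in USER_CONTENT_HOSTS:
        return "suspicious: user-hosted Google content, not an account page"
    if host in GOOGLE_ACCOUNT_HOSTS:
        if parts.scheme != "https":
            return "suspicious: not https"
        return "ok: Google account domain"
    if host == "google.com" or host.endswith(".google.com"):
        return "unverified: other google.com host, navigate to myaccount.google.com yourself"
    if "google" in host:
        # The allow-listed name appears as a prefix of a foreign domain.
        return "suspicious: lookalike domain"
    return "unknown: not a Google domain"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Extract every http(s) URL from a message body and classify it."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]


# Constructed sample message modelled on the campaign described above.
SAMPLE_EMAIL = """\
A Digital Legacy Request has been filed against your account.
Verify you are the account owner within 24 hours:
https://sites.google.com/view/legacy-verification
or sign in here: https://myaccount.google.com@sites.google.com/view/legacy-verification
Genuine settings are at https://myaccount.google.com/security
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:<70} {url}")
```

Only the last link in the constructed sample is rated ok; the first two both resolve to sites.google.com, even though the second one displays a legitimate-looking host name before the `@`.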
What to Do Right Now
If you received one of these messages and did not interact with it, delete it and move on. If you received it and clicked through or approved anything, take these three steps immediately.
Go directly to your Google account security page. Open a new browser tab and type myaccount.google.com/security manually — do not click any link in the suspicious message. Review your recent sign-in activity and look for devices or locations you do not recognize.
Audit your passkeys. Navigate to myaccount.google.com/passkeys and delete any passkey registered to a device you do not own. If you see an entry you do not recognize, remove it immediately and change your password.
Review your two-factor authentication settings. Check that no unauthorized phone number, authenticator app, or security key has been added to your account. If you use SMS-based 2FA, consider switching to Google Authenticator with account sync turned off, or to a hardware security key: SMS codes can be intercepted through SIM swapping, and authenticator secrets that are not synced to your Google account cannot be read out of it if the account itself is compromised.
If Your Google Authenticator Backs Up to the Cloud, Act Now
There is a less obvious but serious exposure that most people overlook. If you use Google Authenticator with account sync enabled, which is what happens once you sign the app into your Google account (a feature Google added in 2023), and an attacker has compromised that Google account, they may now hold a copy of every two-factor authentication secret stored in your Authenticator app. That includes the secrets for your email, social media, banking, and any cryptocurrency accounts you have protected with it.
The reason this matters is that Google Authenticator's sync stores your TOTP secrets (the seed values from which the rotating six-digit codes are computed) in your Google account. If that account is in an attacker's hands, even temporarily, those secrets may have been copied, and anyone holding a seed can compute the same codes your app shows, indefinitely. Changing your Google password after the fact does not invalidate seeds that were already synced; only issuing new seeds does.
What to do: After you have removed any unauthorized passkeys and secured your Google account, open Google Authenticator and turn off account sync in the app's settings. This stops any further syncing. Then work through every account stored in the app (email, social media, financial accounts, crypto exchanges) and re-enroll two-factor authentication from scratch. Each site will give you a new QR code containing a new secret, invalidating whatever the attacker may have copied.
If that process is too time-consuming, switching to a different authenticator app entirely — such as Microsoft Authenticator — accomplishes the same goal, because you will be generating new secrets for each account during the re-enrollment process. The replacement app does not need to be technically superior; the point is that you are issuing new codes that the attacker does not have. Whichever path you choose, prioritize your highest-value accounts first: cryptocurrency exchanges, financial institutions, and your primary email.
If you are unsure whether your account was compromised, or if you want help locking down your Google Workspace or personal Google account, a cybersecurity review can walk through your current settings and identify any open doors. This particular attack is effective precisely because it looks legitimate. The best defense is knowing what legitimate Google security communications actually look like — and they do not include unsolicited phone calls.
Written by Robert Brake
Robert Brake is a computer technician and IT consultant with over 30 years of experience, currently serving small businesses and home users in Westchester County, NY. He is the founder of Metro North Computer Consulting.