Gmail users are being targeted by a new scam that exploits their own phone numbers.

The scheme, first reported on Reddit, involves a text message that appears to come from 'Gmail from Google,' warning recipients that their account has been compromised.

The message includes a link labeled 'Recover Account.' When users click it, they are prompted to enter their Gmail password, which is then captured by scammers.

In some cases, attackers can combine stolen information with personal details, like your phone number. 

They may then use social engineering to convince mobile carriers to transfer the number to a SIM card under their control, potentially giving them access to SMS-based two-factor authentication codes. 

Victims reported that these texts can look very official, often referencing prior 'sign-on attempts' from foreign IP addresses, such as those in Venezuela or Bangladesh. 

While this can heighten alarm, it is usually part of the phishing tactic. 

Once a user enters their credentials, scammers can access Gmail accounts, and if the same password has been reused elsewhere, other accounts are at risk as well. 

Cybersecurity experts stress that users need to take several steps immediately if they believe they have been targeted, including changing their Google password and enabling two-factor authentication (2FA). 

This is the first line of defense, because using a strong, unique password, and, where possible, replacing SMS-based 2FA with an authenticator app or hardware security key.

The next step is to update all other accounts that shared the same password. 

Reusing passwords across sites increases the risk of account takeover. Using a password manager can help generate and store unique, strong passwords for each account.

Experts warned of the importance of adding protections with your mobile carrier. 

Ask your provider about options such as SIM PINs, account passcodes, port freezes, or number locks. 

These measures prevent attackers from transferring your number to another SIM card.

Monitoring account activity and enabling login alerts are also crucial. 

Many services allow you to receive notifications when unusual logins occur. Early alerts can help prevent unauthorized access.

Victims should also report phishing attempts to both Google and the Federal Trade Commission. Creating an official record helps authorities track these scams and warn other users.

Experts said changing your phone number is usually unnecessary if your carrier account is properly secured. 

Simply knowing your number does not allow a scammer to bypass strong authentication. 

However, if your number is compromised or you notice service interruptions that could indicate a SIM swap, changing your number may become necessary.

Cybersecurity experts issued another warning to Gmail users in January about scams exploiting a new Google feature that lets users create a new address while keeping their old one as an alias.

The update, rolled out earlier this month, is meant to help users replace old email addresses.

But scammers are sending fraudulent emails about the change, attempting account takeovers and phishing attacks.

The messages often claim a 'Gmail address change' or request security confirmation, appearing convincing because they come from real Google addresses like [email protected] .

Victims are instructed to confirm a new address or verify their account, with links that appear like official Google support pages.

In reality, the links lead to fake websites hosted on sites.google.com, designed to mimic Google's login and security screens.

If attackers succeed, they can access Gmail and all connected Google services, including Drive, Photos, Calendar, and third-party accounts linked to Google logins.

Users are advised to delete any suspicious emails and avoid clicking on links or sharing personal information.