About admin alerts for suspicious login activity
If you're using a personal Google Account, you can investigate suspicious activity on your account.
As a Google Workspace administrator, you can use email alerts to notify you if there's suspicious sign-in activity for your users. For example, Google might notice a sign-in attempt that doesn't match a user's normal behavior. Usually, before Google sends you an alert, Google presents the user with an extra security question or challenge. If the user fails or abandons the challenge, the Google sends you the alert. The alert warns you that someone has the suspended user's password. For more information, go to Administrator email alerts.
Examples of suspicious logins
- A user doesn't follow their usual sign-in pattern, such as a signing in from an unusual location.
- There was a successful sign-in from a suspended user's account.
Note: You might also get an alert if a suspicious event occurs when a user is using Mail Fetcher to import mail from another Gmail account, because the messages are being fetched through Google servers.
Investigate suspicious login activity
- Ask the user with the suspicious login if they remember signing in. They can check their last account activity if they're unsure.
- If you can't establish the legitimacy of the sign-in, follow the Administrator security checklist.
- Reset the password of any account with suspicious activity.
Note: Google Workspace Support can't investigate alerts that originate from suspicious login activity, because user activity logs are sensitive and potentially private.
Stop incorrect suspicious login activity alerts
- If you find that a suspicious login activity is actually a legitimate sign-in by a user, we recommend enrolling that user in 2-Step Verification.
- To reduce these alerts for your organization, consider enrolling all of your users in 2-Step Verification.