Can you be phished when logged in via Google/Facebook?

iSecurityGuru, May 08, 2022

Let’s say you went to a website that allowed you to log in using your Google account:

When you pressed the “Log in with Google” button, you saw this:

You checked that the pop-up web-browser window really was at Google’s domain (“”). So you entered your Google account name (i.e. your Google email), password and 2-step-verification code.

You should be safe and secure, right?


It is still possible that you were phished. In this hypothetical example, even using 2-step verification could not save you. As I wrote before in “You can be phished even when you see “” in address bar.

What happened was that the pop-up window was actually not a web-browser window. It was a realistic render of a web-browser window within the web page.

Take a look at this video to see how realistic the rendering of the fake web-browser window can be:

Recently, someone released a programming toolkit for creating renderings of fake web-browser windows for the purpose of phishing. This toolkit makes it extremely easy for miscreants to carry out such phishing attacks.

How can I protect myself?

As I wrote before, a password manager can protect you from such phishing attacks. Many password managers (e.g. LastPass, 1Password, iCloud Keychain, and even your web-browser’s built-in password manager) can fill in the password field for you. They will only fill in the correct password when you are at the correct website domain. They cannot be fooled by phishing tricks designed to deceive the human eye.
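
The sketch below is an added illustration of that domain check; it is not code from this post or from any password manager. It assumes a simplified rule (HTTPS plus an exact origin match; real products differ in detail), and every domain, the `savedLogins` list and the function names are constructed placeholders.

```javascript
// Constructed sample data: one saved login. All domains are .example
// placeholders, not real sites.
const savedLogins = [
  { origin: "https://accounts.idp.example", username: "alice@idp.example" },
];

// Return the exact origin of a URL, or null if it is unusable for autofill
// (unparseable, or not HTTPS in this simplified model).
function originOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Decide which saved login (if any) may be offered on this page.
// `documentUrl` is what the browser itself reports for the document that
// holds the login form. `drawnAddressBar` is text painted inside the page
// by the page's own code; it is accepted here only to show that it plays
// no part in the decision.
function pickLogin(documentUrl, drawnAddressBar) {
  const origin = originOf(documentUrl);
  if (origin === null) return null;
  return savedLogins.find((l) => l.origin === origin) ?? null;
}

// Constructed page contexts: [real document URL, text in a drawn address bar]
const cases = [
  // Genuine pop-up: a real browser window on the identity provider.
  ["https://accounts.idp.example/signin", null],
  // Fake window rendered inside another site's page.
  ["https://shop-login.example/checkout", "https://accounts.idp.example/signin"],
  // Lookalike host that merely starts with the provider's name.
  ["https://accounts.idp.example.shop-login.example/", "https://accounts.idp.example/"],
];

for (const [doc, drawn] of cases) {
  const hit = pickLogin(doc, drawn);
  console.log(doc, "->", hit ? `offer ${hit.username}` : "no saved login offered");
}
```

When your password manager offers nothing on a login form that appears to belong to a site you have saved, treat that as a sign that the form is not on the domain it claims to be.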

About the Author

Terence Kam is the founder of and cybersecurity consultant at You can follow his company on LinkedIn or subscribe to his writings on SubStack, where he writes on a wide variety of topics.
