October 16, 2024
Digital Media News

AI Attack: 2.5 billion Gmail users targeted with fake scam call

A sophisticated AI scam targeting Gmail users has surfaced, tricking people into sharing personal data by approving fake account recovery requests.

Over 2.5 billion Google users have fallen prey to this attack.

In order to raise awareness about the scam, IT consultant Sam Mitrovic has shared his own experiences with it, highlighting the deceptive tactics which were used to gain access to users’ private information.

How does the scam work?

The scam begins with an unexpected notification on your phone or email, asking you to approve a Gmail account recovery request that you never initiated.

The request often originates from a different country; in Mitrovic’s case, this was the United States.

If you decline the request, as Mitrovic did, the scammers make a second move around 40 minutes later with a phone call from what is seemingly an official Google number, with the caller ID appearing to be from a Google office.

Mitrovic reported that the call sounded alarmingly “legit”. Using a professional American voice, the caller politely informed the target about potentially suspicious activity on their Gmail account. They asked him if he logged in from a foreign country and informed him that someone has had access to his account for a week and that they have downloaded the account data.

Throughout the call, there were background noises strikingly reminiscent of a call center. 

The goal was to convince the target to approve the account recovery request, which would then give scammers complete access to their Gmail account.

Scam Discovery:

According to Mitrovic, these were some key giveaways that led him to deduce that the call was a scam:

  1. He received account recovery notifications which he didn’t initiate.
  2. Google doesn’t call Gmail users who don’t have a Google Business Profile connected.
  3. The email contained a To email address not connected to a Google domain.
  4. There were no other active sessions on his Google account apart from his own.
  5. Email headers showed how the email was spoofed.
  6. Reverse number search showed others who received the same scam call.
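
Giveaways 3 and 5 are checks anyone can repeat on the raw message ("Show original" in Gmail). The sketch below is an added example, not code from Mitrovic or the article: it flags failed SPF/DKIM/DMARC verdicts, a mismatched Return-Path and unrelated To addresses. The sample message, the `example.*` domains and the `GOOGLE_DOMAINS` list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: illustrative set of domains treated as Google-owned.
GOOGLE_DOMAINS = ("google.com", "gmail.com")

# Constructed sample message (example.* placeholders), not the e-mail from the article.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=google.com
From: Google Accounts <no-reply@google.com>
To: user@gmail.com, case-tracking@example.net
Subject: Account recovery request

Approve the recovery request to keep your account.
"""

def domain_of(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()

def is_google(domain):
    return any(domain == d or domain.endswith("." + d) for d in GOOGLE_DOMAINS)

def auth_verdicts(msg):
    # Use only the topmost header: normally the one added by the receiving server.
    header = (msg.get_all("Authentication-Results") or [""])[0]
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def review(raw, recipient):
    msg, findings = message_from_string(raw), []
    from_dom = domain_of(msg.get("From", ""))
    if not is_google(from_dom):
        findings.append(f"from-not-google:{from_dom}")
    verdicts = auth_verdicts(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}:{verdicts.get(mech, 'missing')}")
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom and not is_google(rp_dom):
        findings.append(f"return-path-mismatch:{rp_dom}")
    for _, addr in getaddresses(msg.get_all("To", [])):
        if addr.lower() != recipient.lower() and not is_google(domain_of(addr)):
            findings.append(f"to-not-google:{addr}")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, "user@gmail.com"):
        print(finding)
```

An empty result only means these header checks found nothing; it does not make an unexpected recovery request legitimate.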

Others share similar experiences: 

Mitrovic was one of numerous people to be targeted. While he successfully realized that it was AI, he has asserted that this call is “legitimate enough to trick people”.

Garry Tan, the founder of venture capital firm and startup accelerator Y Combinator, took to X (formerly Twitter) to report a similar scam where someone created a false scenario of a family member attempting to recover his account.

Likewise, several users from Reddit also shared their experiences with the scam.

Takeaway:

This is the concluding message Mitrovic has highlighted from the recent AI attack:

“The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale.

People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it.

There are many tools to fight the scammers, however, at an individual level the best tool is still vigilance, doing the basic checks as above or seeking assistance from someone you trust.”

Get more details about his experience here.
