This sophisticated scam could easily result in the loss of your Gmail account and eventually much more
A week later, at around the same time of the day, Mitrovic once again received a notification asking him to approve a Gmail account recovery attempt which he once again refused to approve. And once again, after 40 minutes he received a phone call. This time, he picked it up and found himself talking to an American even though the call originated from Australia.
This Gmail did not come from Google which the victim realized just in time. | Image credit-Sam Mitrovic
The man on the other end of the call says that there is suspicious activity on his account. He asks Sam whether he is traveling or if he logged in from Germany. When he responds “No” to both questions (which are designed to scare the victim into thinking that his account has been compromised), Mitrovic is told that someone has had access to his account for a week and downloaded the account data.
“The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale. People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it. There are many tools to fight the scammers, however, at an individual level the best tool is still vigilance, doing the basic checks as above or seeking assistance from someone you trust.”-Sam Mitrovic, Microsoft Solutions Consultant
Mitrovic asked for an email to be sent to him to authenticate the validity of the call. While the gentleman agrees, Sam can hear on his phone the sound of someone typing on a keyboard and the general ambiance of a call center. When the email arrives, it looks legit except that one of the addresses in the “to” field, GoogleMail at InternalCaseTracking dot com, is a non-Google domain. And then it hit Mitrovic that the voice on the other end of the call was AI-generated. Not wanting to be a victim, Mitrovic hung up.
He later found that the sender email address was faked. The scammers were able to do this by using Salesforce CRM. The latter allows a user to set the sender address to any address that the user wants and have it sent via Gmail/Google servers.
What might have happened had the victim authorized the bogus Gmail account recovery notice
On Reddit, a subscriber revealed that he was the recipient of the same exact scam which he also didn’t fall for. However, not everyone was smart enough to reject the call. While doing a reverse phone number search, Sam came across a post from a victim who thought the call was from Google. And frankly, the scam was so sophisticated that no one could be blamed for falling for it.
So what might have happened had Mitrovic approved the account recovery notification is scary to think about. Had that happened, he would have lost control of his account to scammers. There were various times during this scam when a layperson probably would have given the authorization to the scammers allowing them to take over their account.
Do not agree to approve any Gmail account recovery attempt. This is a phishing attack that ultimately sends you to a fake login page where you are asked to type your legitimate credentials to report that the account recovery request you received was not sent at your request. If you’re not sure if the correspondence you receive from any company is real or not, it is always best to err on the side of caution. Get a legitimate phone number for the company from Google Search, make the call and have the company confirm that they sent you a notification or an email.