Tech headlines are abuzz this morning about a new AI scam targeting Google users. Forbes published a piece detailing two experiences with scammers, both of which involved likely AI-generated phone calls and multi-step schemes. Here’s the thing, though: These scams aren’t necessarily “new,” and you should be wary of them—whether the actor purports to be from Google or not.
Watch out for these Google Account scams
Forbes’ reporting highlights two specific but similar examples of this type of scam: One victim, Sam Mitrovic of Microsoft, received an alert regarding an account recovery request. When legitimate, these requests are usually triggered when someone forgets their password. Because unprompted account recovery requests are often malicious in nature, Mitrovic ignored the alert, but received a phone call from “Google Support” just 40 minutes later. Mitrovic ignored this call, too, but soon after, received another alert followed 40 minutes later by a “Google Support” call.
This time, Mitrovic answered, to find a “representative” with an American accent who asked if Mitrovic had traveled recently, particularly to Germany. The answer was no, which led the representative to warn Mitrovic that someone had been accessing their account from Germany for the past seven days, and had already downloaded data from the account. Mitrovic even googled the phone number “Google Support” was calling from, and found it led to this official Google Support page. At first glance, you might think that confirms this is actually Google Support, but read the page more closely, and you’ll see this phone number is the number Google Assistant calls businesses from, not Google Support. This was, in the end, a scam.
Forbes’ other example concerns Garry Tan, founder of Y Combinator, who reports he was also targeted in a similar scam. Tan also received a call from “Google Support,” claiming that they had Tan’s death certificate, and a family member was trying to use it to access Tan’s account. Google Support was calling to both confirm that Tan was actually alive, and to share an account recovery request that Tan could use to “confirm” his account was active. That last bit is the real scam: Tan highlights that the account recovery request was definitely fraudulent, as the “device” the request was coming from said Google Support, not an actual device. Someone is spoofing that field, and if Tan had hit “Yes, it’s me” on the alert, the attacker would have been able to reset the password on Tan’s Google Account.
While it can’t be confirmed, it appears the phone calls used in each example were AI-powered. Mitrovic and Tan both confirm the voices were convincing, but in Mitrovic’s case, the “caller” said “hello,” and, after no response, said “hello” the same way again. That, coupled with perfect pronunciation and spacing, both telltale signs of generative AI-powered audio, convinced Mitrovic the voice was actually AI.
In practice, this scam is nothing new
While the news is buzzing about this new type of AI-powered scam, the underlying tactics here are pretty classic. You can protect yourself by knowing what to look out for, whether the attackers use AI or not.
First, big tech companies like Google simply don’t call you out of the blue to warn you about a potential security breach with your account. In fact, Google, and companies like it, are notorious for their lack of human-based support in general. If you can’t get in touch with a real person when you knowingly need help, there’s no shot a Google rep is going to reach out to you first. So, whether it’s a convincing AI-powered voice on the other end of the phone, or a pretty terrible human actor pretending to be a live Google representative, receiving a call from a company like this should be a large enough red flag for you to ignore it.
On the flip side, we have the account recovery request. This is a textbook scam method: Trigger an account recovery alert on the user’s end, and convince them accepting it means they’re confirming their identity. That is simply not what this system is designed for, and it’s what hackers are counting on you to fall for. Account recovery requests are supposed to be triggered by you whenever you are otherwise unable to access your account, perhaps in the event that someone has actually hacked your account. You tell Google that, and they send an account recovery request to your attached email address. You open that email, click “Yes, it’s me,” and you’re able to continue on with your account recovery process. No one else is involved in the process, and the request isn’t used for any other purpose.
Hackers, however, will pretend to be from Google Support, and say that this account recovery request is just a way to confirm your identity, or that your account is active. However, when you click that “Yes, it’s me” button, what you’ve done is trigger the account recovery process on their end. They now have the power to get into your account, and potentially lock you out of it and steal your information.
Bottom line: If you did not trigger that account recovery alert yourself, it’s not legitimate. Do not click on it.
If you’re worried about being hacked
If you receive a phone call or a message like this, it’s likely a bad actor looking for a phishing victim. Without your input, they will simply move on to another victim. However, it’s not a bad idea to run through some steps to make sure your account is actively protected.
Focusing on Google, you can go to your Google Account’s Security settings page to review a dashboard of your account’s security health. Here’s where you’ll see all your active sessions, whether Google has any security alerts for you to manage, and settings for things like two-factor authentication, passwords, passkeys, recovery emails, and phone numbers, among others.
If you’re worried about your account’s current security level, look at your active sessions: These are the devices where you’re currently logged in. If you don’t recognize a device or a location, you can click on it and sign that device out of your account. Just know if you’re using a VPN, or Apple’s iCloud Private Relay, you may see sessions from unknown locations on your trusted devices, as these services obfuscate where your actual internet traffic is coming from.
In addition, it’s a great idea to change your password every now and then, and ensure you’re using two-factor authentication (2FA). That way, if an attacker does figure out your password, you have a secondary authentication step that requires a trusted device, something the attacker likely does not have. Consider setting up passkeys as well, which combine the best of both worlds between passwords and 2FA.
At the end of the day, attackers employing these scams can’t actually break into your account themselves—that’s why they’re targeting you. They need you to click on their malicious links or authenticate yourself on their behalf. So long as your password is strong, and you have other forms of authentication as a backup, the best way to avoid being a victim in these types of scams is to simply ignore them.