If you’re a Gmail user (there are nearly 2 billion of us), you’ll want to be aware of a new “super realistic AI scam.”
In a recent blog post, Microsoft solutions consultant Sam Mitrovic shared how he recently encountered a scam attempt that was surprisingly real.
The scam started when Mitrovic received a notification asking him to approve a Gmail account recovery attempt. A message saying that you need to approve a login attempt or password change, real or fake, is how many scams start. A little more than 30 minutes later, he received a call from a real Google number in Sydney, Australia, which he ignored.
A week later, he received an identical notification followed by another phone call. This time, he picked up. The American voice on the other end, Mitrovic said, explained there was some suspicious activity on his Google account and someone had accessed it a week ago. The apparent Google employee offered to send an email detailing what happened, and that message promptly arrived from an official Google address.
As Mitrovic paused to read the email thoroughly, the voice on the phone said, “Hello.” Ten seconds later, it said “Hello” again in exactly the same tone. At this point, he realized the voice was AI-generated and hung up.
Had the call proceeded, it’s likely the caller would have eventually asked for an account recovery code or perhaps sent the user to a fake login portal.
Mitrovic offered a few indicators that tipped him off to the potential scam. Here’s what you should be aware of to stay safe:
- Google sent an account recovery notification when the account holder didn’t request one.
- Google doesn’t call personal users, only Business Profile users.
- When he checked his recent logins (you can do this by going to your profile, then “Security,” then “Recent security activity”), there was nothing out of the ordinary.
- A reverse search showed other people receiving the same scam call.
- Viewing the full email header (which you can do by clicking “more” next to the reply button and then “show original”) showed that the “from” address was actually different.
- The “to” field showed another email address that wasn’t his.
Maybe the biggest tip-off was that Google support (or any other tech support for that matter) will not contact you out of the blue to tell you there’s a problem. If something seems fishy, it’s always best to err on the safe side and end communication until you can figure out more.
As AI-powered scams continue to rise, Google is fighting back. Last week, it announced Global Signal Exchange, a partnership with the Global Anti-Scam Alliance and DNS Research Federation to fight scams. The GSE is a real-time information-sharing platform that allows insight into the cybercrime supply chain, hopefully allowing for faster identification of bad actors.