Google issues new warning for all users
There is no doubt that this year will bring serious new threats driven by AI-fueled attacks, which will become ever harder to detect and ever more damaging. But sometimes, as smart as an attack might seem, it’s stupidly simple to stop. And it has never been more critical to stick to the basics and not be sidelined by devious tactics.
So it is with a new warning from Google, after it confirmed the latest “AI driven” attack on its account holders — for which you can read Gmail. The attack was frighteningly clever, that much is beyond question, but it should have been stopped right at the start.
The intended victim was a highly tech-savvy engineer, who described it as “the most sophisticated phishing attack I’ve ever seen.” I covered the attack, but it was first picked up by The Register, reporting that “Google says it’s now hardening defenses against a sophisticated account takeover scam documented by a programmer last week.”
The attack started with a call purporting to come from Google’s support team, warning that someone had tried to access the would-be victim’s account from overseas. The caller’s number looked legitimate and was backed up by an email from a Google domain. The call went on for some time, and was only thwarted when the scam caller’s fake boss got on the line and slipped up.
But Google wants to emphasize that it should never have gotten that far; the company asked me to “please reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues.”
Google has suspended that would-be scammer’s account, “which abused an unverified Workspace account to send these misleading emails,” and says it is “hardening our defenses against abusers leveraging g.co references at sign up to further protect users.” That is to stop attackers mimicking Google domains. But back to basics again — it should never have happened.
Google says that “we have not seen evidence that this is a wide scale tactic,” by which it means the frightening sophistication of this attack in particular. It was complex and highly targeted. But the scourge of fraudulent support calls is widespread. And it’s not just support calls: the same tactics are employed by fraudulent banking staff, crypto exchange staff, and even police officers.
But that’s not well enough understood — that Google or Apple or Meta or any other tech company’s support desk will not call you out of the blue. And no financial institution will call unexpectedly to have you move money or change account details while they’re on the phone. Just as no police officer will ever call to ask for payment to avoid arrest.
No criticism of the engineer nearly duped by this latest “sophisticated” phishing attack; it’s all too easy for scammers to deploy trickery to spoof numbers and email addresses, and AI does make all that worse. The issue is that almost all users still don’t realize that a tech support team will never call, and that the fear of a compromise or device issue, combined with a false sense of urgency, is often enough to tip a user into becoming a victim.
The FBI has responded to the latest wave of banking scam calls with a repeated warning never to take such calls, because banks will never place them. CBP and multiple local law enforcement agencies have done the same. I welcome this same clarity from Google, but it needs to be front and center in its support sites and apps, and the same goes for all other companies.
The FBI’s blanket warning on this is clear. “Legitimate customer, security, or tech support companies will not initiate unsolicited contact with individuals.” You will never be called out of the blue and you should never take such calls when they come.
Sometimes, doing the stupidly simple really is enough to keep you safe.