New Gmail Security Alert: AI-Driven Scam Targets 2.5 Billion Users

Google has ramped up its security measures to protect Gmail accounts, but attackers are increasingly using sophisticated AI-driven social-engineering attacks to trick account holders. With over 2.5 billion Gmail users, the platform remains a prime target for cybercriminals. Here’s what you need to know.

The Rising Threat of AI-Driven Scams

Sam Mitrovic, a Microsoft solutions consultant, recently issued a warning after almost falling victim to a remarkably convincing AI scam call.

Mitrovic’s experience began with a notification for a Gmail account recovery attempt. He recognized this as a common phishing tactic designed to direct users to a fake login portal where they might inadvertently reveal their credentials.

Initially, he ignored the notification, which appeared to originate from the U.S., and the missed call that followed it, purportedly from Google in Sydney, Australia. However, the situation escalated when he received another recovery request a week later, again accompanied by a phone call. This time he answered and encountered a caller with an American accent who claimed to represent Google support and stated that there was suspicious activity on his Gmail account.

The conversation took a dark turn when the caller mentioned that an attacker had accessed Mitrovic’s Gmail account for the past week and had already downloaded sensitive data. This alarming revelation triggered memories of the earlier recovery notification and missed call.

While on the phone, Mitrovic Googled the number displayed and found it listed on Google business pages. It was not a genuine Google support number but one associated with calls placed by Google Assistant; even so, this clever ruse could easily deceive unsuspecting users caught in a state of panic.

A Growing Concern: Elaborate Phishing Tactics

Garry Tan, founder of Y Combinator, also warned about a different phishing scam that employed AI to create a believable narrative. In this instance, the fraudster posed as a Google support technician and claimed that a family member had submitted a death certificate to recover the account. This elaborate ploy was designed to manipulate the recipient into allowing password recovery. Some commenters suggested that the giveaway was Google’s lack of direct user support, and this rings true: legitimate Google support will never contact users unexpectedly.

Tan cautioned against clicking any approval prompts, emphasizing that users risk falling victim to phishing.

In his case, he noticed a suspicious account recovery screen displaying the name of a Google support worker instead of an actual device used to access the account. He pointed out that basic verification checks could easily detect such discrepancies. As part of the scam, the caller attempted to convince Tan to re-add his cell phone number as part of the recovery process, a trap he avoided thanks to prior experience with SIM swapping.

Exploiting Google Forms for Credibility

Fraudsters have also been using Google Forms, a free tool in Google Workspace, to create seemingly legitimate documents as part of support scams. Because a copy of the form is sent to the victim’s email address through Google’s own servers, the scam appears credible. Recipients may see emails coming from addresses like workspacesupport@google.com, lowering their guard.

One such scam mimicked a password reset form, stating that the victim would receive an SMS notification from a designated support agent. This double layer of apparent legitimacy can easily deceive unsuspecting individuals, especially when the process involves a confusingly complex password reset.

Key Takeaways from These Near Misses

Mitrovic took the prudent step of requesting email confirmation from the supposed support agent. The email that followed looked legitimate, coming from a Google domain, but he soon noticed that the “to” field contained a cleverly disguised address, raising red flags.
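The header check Mitrovic did by eye can be automated. The example below is added here and is not code from Mitrovic’s post or from Google: it parses a constructed message whose sender domain really is google.com, and flags any To/Cc address that is not exactly the reader’s own mailbox, distinguishing a lookalike (digits or letter pairs standing in for similar-looking characters) from a plainly unrelated recipient. The sample message, the address `sam@example.com` and the confusable table are assumptions for the demo.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message: From is a genuine google.com address, but the
# "to" field carries a lookalike of the reader's real mailbox (examp1e vs example).
SAMPLE_RAW = """\
From: Google Workspace Support <workspacesupport@google.com>
To: sam <sam@examp1e.com>
Subject: Account recovery confirmation

Please confirm the recovery request.
"""

# Assumed table of common substitutions used to disguise an address.
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def skeleton(addr: str) -> str:
    """Collapse confusable characters so a disguised address compares equal to the real one."""
    s = addr.lower()
    for fake, real in LOOKALIKES.items():
        s = s.replace(fake, real)
    return s


def sender_domain(raw: str) -> str:
    """Domain of the From address (the part the scam relies on looking legitimate)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def check_recipients(raw: str, my_address: str) -> list[str]:
    """Return one finding per To/Cc address that is not exactly my_address."""
    msg = message_from_string(raw)
    my = my_address.lower()
    findings = []
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        addr_l = addr.lower()
        if addr_l == my:
            continue  # exactly our mailbox, nothing to flag
        if skeleton(addr_l) == skeleton(my):
            findings.append(f"lookalike of your address: {addr}")
        else:
            findings.append(f"unexpected recipient: {addr}")
    return findings


if __name__ == "__main__":
    print("sender domain:", sender_domain(SAMPLE_RAW))
    for finding in check_recipients(SAMPLE_RAW, "sam@example.com"):
        print("WARNING:", finding)
```

A legitimate sender domain on its own proves nothing; the finding that matters is that the message was not addressed to the mailbox you actually own.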

The true giveaway for Mitrovic came when the caller repeated “hello” after a brief silence, revealing the voice to be AI-generated due to the unnaturally precise pronunciation.

Mitrovic’s original blog post provides in-depth technical insights and investigative efforts worth reading. Knowledge is key, and the information shared by this consultant is invaluable for anyone who might encounter similar threats. As the saying goes, forewarned is forearmed.