Billions of Gmail users at risk from sophisticated new AI hack — how to stay safe
Hackers are spoofing Google email and phone numbers to steal your Gmail credentials
Hackers are now targeting Gmail account holders with a “super realistic AI scam call” that can trick even the most experienced users. Given that there are more than 2.5 billion Gmail users based on Google's figures, it's little wonder that hackers are targeting Google's message platform in increasingly sophisticated phishing attacks.
Sam Mitrovic, a Microsoft solutions consultant, flagged the scam in a recent blog post detailing what happened to him. It started when he received a notification asking him to approve a Gmail account recovery attempt, a pretty common phishing technique intended to send the user to a fake login portal to quietly harvest their credentials. Mitrovic didn't fall for it and denied the request. About 40 minutes later, he received a notification that he'd missed a call claiming to be from Google Sydney.
Then, a week later, he got another notification request for account recovery approval. Just as before, about 40 minutes after he denied it, he got another call. This time he picked it up, and an American man claiming to be from Google Support was on the line. The man confirmed there was suspicious activity on his Gmail account and claimed an attacker had access to his account for a week and downloaded the account data. Mitrovic said that triggered alarm bells as he remembered the notification from a week prior.
While on the call, Mitrovic looked into the phone number that the call came from, and a quick Google search showed it was a legitimate number from Google's business page. Still, knowing that a common tactic used by scammers can mask where a call is really coming from, he remained skeptical and asked for an email to be sent to him to confirm whether the supposed representative was the real deal. When the message arrived in his inbox, it looked genuine except that one of the addresses in the "to" field was a cleverly disguised non-Google domain. But the biggest giveaway would come next:
"The caller said Hello, I ignored it then about 10 seconds later, then said Hello again," Mitrovic wrote. "At this point I released it as an AI voice as the pronunciation and spacing were too perfect."
At that point, realizing it was a scam, Mitrovic hung up. But it's scary to think about what might have happened if he'd approved the account recovery notification or given his credentials to the caller, allowing scammers to seize control of his account.
"The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale," Mitrovic explained. "People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it. There are many tools to fight the scammers, however, at an individual level the best tool is still vigilance, doing the basic checks as above or seeking assistance from someone you trust."
Sign up now to get the best Black Friday deals!
Discover the hottest deals, best product picks and the latest tech news from our experts at Tom’s Guide.
Google launches Global Signal Exchange to tackle online scams
Earlier this week, Google announced it's teaming up with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF) to combat online scams. It's called the initiative the Global Signal Exchange, and it's designed as an intelligence-sharing platform to generate real-time insights into scams, fraud, and other forms of cybercrime to shine a light on the facilitators of cybercrime.
Google's Senior Director of Trust and Safety Amanda Storey explained in a blog post that the joint venture “leverages the strengths" of GASA's network of stakeholders and DNS RF's data platform with more than 40 million signals "to improve the exchange of abuse signals, enabling faster identification and disruption of fraudulent activities across various sectors, platforms and services.”
The engine powering the Global Signal Exchange runs on Google Cloud, enabling "participants to both share and consume signals gathered by others while benefiting from Google Cloud Platform’s AI capabilities to find patterns and match signals smartly," Storey said.
How to stay safe from phishing scams
Phishing scams are one of the most common ways hackers try to steal your personal and financial information. Unlike with malware or malicious apps, these scams don’t require any software installs or other actions that may raise red flags. Instead, hackers trick you into clicking on links or downloading attachments.
That’s why it’s important not to rush when checking your inbox. Scammers often instill a sense of urgency, hoping to make you anxious or stressed enough that you’ll follow along with their instructions before you think too hard about it. Staying calm and cautious is key when handling phishing emails to avoid falling for their tricks.
Hackers frequently disguise themselves as popular brands in their phishing attempts by faking a company’s email address. Keep an eye out for clear red flags like misspelled words or poor grammar and double-check the sender's email address or phone number to make sure it's correct. If you're not 100% convinced whether the correspondence you receive from any company is real or not, it is always best to err on the side of caution.
To keep your computer safe from malware and other viruses that could come from opening a phishing email, it's important to install the best antivirus software on your PC, the best Mac antivirus software on your Mac and one of the best Android antivirus apps on your Android smartphone.
More from Tom's Guide
- This nasty Android adware is making phones unusable — how to stay safe
- Massive data breach hits 230,000 Comcast customers — names, addresses and social security numbers exposed
- 31 million users impacted by Internet Archive data breach — what we know
Alyse Stanley is a news editor at Tom’s Guide overseeing weekend coverage and writing about the latest in tech, gaming and entertainment. Prior to joining Tom’s Guide, Alyse worked as an editor for the Washington Post’s sunsetted video game section, Launcher. She previously led Gizmodo’s weekend news desk, where she covered breaking tech news — everything from the latest spec rumors and gadget launches to social media policy and cybersecurity threats. She has also written game reviews and features as a freelance reporter for outlets like Polygon, Unwinnable, and Rock, Paper, Shotgun. She’s a big fan of horror movies, cartoons, and miniature painting.
-
okxoliverkoenig I also wondered about what it means, thought it could mean to cease the original owner's control of their account.Reply