A security researcher and one technology startup CEO have warned that some Gmail users could become victim to a sophisticated, AI-based scam that can lead to their accounts being taken over.
The chief executive of prominent tech-oriented venture capital firm Ycombinator wrote on X late last week that there is a “pretty elaborate” phishing scam that uses an AI-generated voice.
“You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified) DO NOT CLICK YES ON THIS DIALOG—You will be phished,” wrote Garry Tan in an X post that he termed a “public service announcement,” dated Oct. 10.
“They claim to be checking that you are alive and that they should disregard a death certificate filed that claims a family member is recovering your account. It’s a pretty elaborate ploy to get you to allow password recovery,” Tan said.
A security researcher, in a blog post last month, wrote of a similar scam attempt targeting Gmail accounts, which also uses an AI-generated voice.
“The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale,” Sam Mitrovic, an IT consultant, wrote in the post. “People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it.”
According to the post, Mitrovic said he received a notification to approve an attempt to recover a Gmail account, which he ultimately rejected. He then received a phone call about 40 minutes later with a caller ID as “Google Sydney,” also rejecting it.
“Exactly a week later,” he added, “more or less exactly the same time, I received another notification to approve my Gmail account recovery again from the United States.”
“You guessed it—about 40 minutes later I receive a call which I pick up this time. It’s an American voice, very polite and professional. The number is Australian. He introduces himself and says that there is suspicious activity on my account,” Mitrovic continued.
The person on the other line then asked if Mitrovic is traveling, to which he replied he was not, according to his account. The person then asked if Mitrovic was in Germany, to which he also said no.
Mitrovic said he found the caller’s number was an official one that was listed under Google Australia’s IT support page, adding that he asked for a confirmation email to find that the email also appeared to be an official account used by Google’s team.
“In the background, I can hear someone typing on the keyboard and throughout the call there is some background noise reminiscent of a call center. He tells me that he has sent the email. After a few moments, the email arrives and at a first glance the email looks legit—the sender is from a Google domain,” he wrote.
But the researcher noted that “spoofing an email address is easy and I notice that the ‘To’ field contains an email address cleverly named GoogleMail at InternalCaseTracking dot com,” is a “non-Google domain.”
“The caller said Hello, I ignored it then about 10 seconds later, then said Hello again,” he said, adding that at that moment he realized the voice was AI-generated “as the pronunciation and spacing were too perfect.”
Mitrovic wrote that he hung up and called that number back. He then received a message that said, “This is Google Maps, we are currently unable to take your call.”
The researcher said he wasn’t the only one who appeared to have been almost scammed, finding others who wrote they were targeted by a similar scheme.
Public service announcement: You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified)
DO NOT CLICK YES ON THIS DIALOG— You will be phished
They claim to be checking that you are alive and… pic.twitter.com/60zeuS2lL8
— Garry Tan (@garrytan) October 10, 2024
“There are many tools to fight the scammers, however, at an individual level the best tool is still vigilance, doing the basic checks as above or seeking assistance from someone you trust,” Mitrovic warns.
According to the blog post, the researcher said there were several hints to suggest it may have been an attempt to take over his Google or Gmail account.
Mitrovic noted that telltale signs of a scam include that he received account recovery messages that he did not initiate, Google does not call users unless they have a Google Business Profile, the email he received had a “To email address not connected to a Google domain,” there weren’t any other active Google sessions other than his own, the email header showed “how the email was spoofed,” and a “reverse number search showed others who received the same scam call.”
“Despite many red flags upon closer inspection, this call seemed legitimate enough to trick many people,” he warned. “My guess is that their conversion rate from calls answered would be relatively high.”
The Epoch Times contacted Google for comment Monday about Mitrovic’s and Tan’s warning but received no response by publication time.
From The Epoch Times