\nPublic service announcement: You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified) <\/p>\n
DO NOT CLICK YES ON THIS DIALOG\u2014 You will be phished<\/p>\n
They claim to be checking that you are alive and\u2026 pic.twitter.com\/60zeuS2lL8<\/a><\/p>\n
— Garry Tan (@garrytan) October 10, 2024<\/a><\/p><\/blockquote><\/div>\n<\/figure>\n
The scammers claim to be checking that you are alive and whether they should disregard a filed death certificate. If you click “Yes, it’s me” on the fake account recovery screen then you’ll likely lose access to your Google account.<\/p>\n
In another recent example, Windows expert Sam Mitrovic was targeted by a very similar AI recovery scam<\/a>.<\/p>\n
He explained how the scam unfolds: It starts when he receives a notification of an alleged Gmail account recovery attempt, followed 40 minutes later by a call. The first time Sam misses the call, but when they try the same thing a week later, Sam answers.<\/p>\n
In both cases, the notifications come from the US but the calls show \u201cGoogle Sydney\u201d as the caller. A polite American voice claims there’s been suspicious activity on Sam\u2019s Gmail account and asks whether Sam was travelling.<\/p>\n
The caller says there’s been a login attempt from Germany which raises suspicions, given that Sam is at home in the US. The caller says the login has been successful, and that an attacker has had access to Sam\u2019s account for a week and downloaded account data.<\/p>\n
Sam remembers the email and missed call from last week, and has the presence of mind to quickly check the caller ID. It looks like a legitimate Google Assistant<\/a> number.<\/p>\n
But knowing how easy it is to spoof<\/a> a telephone number and pretend to be calling from that number, Sam asks for an email to confirm that the caller actually works for Google. Some typing against the typical background noises of a call center and soon enough the email arrives.<\/p>\n
Image courtesy of Sam Mitrovic<\/figcaption><\/figure>\n The email looks convincing. It comes from a Google domain, has a case number, claims to be from the Google Account Security Team, and it confirms the phone number and the name the caller is using.<\/p>\n
While Sam reviews the email, the caller repeatedly says “Hello”. From the pronunciation and the spacing Sam realizes it’s an AI voice and hangs up.<\/p>\n
Inspecting the email Sam found that the scammers are using the legitimate Salesforce CRM (customer relationship management) tool which allows you to set the sender to whatever you like and send over Gmail\/Google servers.<\/p>\n
Other targets<\/a> that took the scam a little further, were asked to verify their 2FA, so it stands to reason that the scammers are looking to take over your Google account, but this time for real.<\/p>\n
The need to confirm an account recovery, or a password reset, is a notorious method used in phishing attacks. They usually try to trick the target into opening a fake login portal where they need to enter their credentials to report the request as not initiated by them.<\/p>\n
Prompt asking: Is it you trying to recover your account?<\/figcaption><\/figure>\n How to stay safe<\/h2>\n
There are a few signs you can use to identify this type of scams.<\/p>\n
The \u201cTo\u201d field of the confirmation email Sam received contains an email address cleverly named GoogleMail[@]InternalCaseTracking[.] com, which is a non-Google domain.<\/p>\n
Google Assistant calls usually come from an automated system and only in some cases, from a manual operator. Google Support on the other hand will not contact you unsolicited.<\/p>\n
To verify if a security alert is from Google, users can check their Recent security activity<\/strong>:<\/p>\n
\n
- Tap your Gmail profile photo in the top right corner<\/li>\n
- Tap Manage your Google Account<\/strong><\/li>\n
- Select the Security<\/strong> tab<\/li>\n
- You will see something similar to this:<\/li>\n<\/ul>\n
Here you can find the Review Security Activity button<\/figcaption><\/figure>\n Any messages claiming to be security alerts from Google that are not listed there will not be from Google.<\/p>\n
Do not entertain these scammers for longer than necessary. It doesn\u2019t take them very long to fingerprint your voice which would allow their AI to impersonate you by using your voice.<\/p>\n
We don’t just report on threats – we help protect your social media<\/strong><\/p>\n
Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using\u00a0Cyrus, powered by Malwarebytes<\/a>.<\/p>\n
![\"confirmation](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/10\/confirmation_mail.png\")
![\"Is](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/10\/recovery_attempt_warning.png\")
![\"Review](\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/10\/security_activity.jpg?w=1024\")