Google has introduced increasingly advanced security measures to protect Gmail accounts, yet hackers are adapting their tactics, particularly through AI-driven attacks. With over 2.5 billion users on the Gmail platform, it is no surprise that it remains a prime target for cybercriminals. Here’s what you should be aware of.

The Latest AI-Driven Gmail Attack Is Alarmingly Effective

Sam Mitrovic, a consultant at Microsoft, has raised concerns after nearly becoming a victim of what he describes as a “highly realistic AI scam call” that could deceive even seasoned users.

The incident began a week prior to Mitrovic recognizing the attack's sophistication. He received a notification requesting approval for a Gmail account recovery attempt. In a blog post aimed at alerting other Gmail users, Mitrovic explained that this type of request is a common phishing tactic designed to lure users into a fraudulent login page where they might inadvertently provide their credentials.

Predictably, Mitrovic did not fall for the ruse and dismissed the notification, which appeared to come from the U.S., followed by a missed call claiming to be from Google in Sydney, Australia, about 40 minutes later. This initial phase seemed straightforward and easy to navigate. 

However, a week later, the situation escalated—another account recovery notification was followed by a phone call. This time, Mitrovic answered, and an American voice, purporting to be from Google support, informed him of suspicious activity on his Gmail account.

Mitrovic recounted, “He inquired about my travel plans. When I responded negatively, he then asked if I had logged in from Germany, to which I again replied no.” This line of questioning was designed to build trust in the caller while instilling fear in the recipient. The situation quickly escalated into a more sinister and cunning phishing scheme. 

The individual posing as a Google support representative informed Mitrovic that an attacker had gained access to his Gmail account over the past week and had already downloaded sensitive data. This raised immediate concerns for Mitrovic, as he remembered receiving a recovery notification and a missed call the previous week.

While still on the call, Mitrovic searched the phone number and found it linked to Google business pages. This is particularly deceptive: the number was not an official Google support line but one associated with Google Assistant calls, and an already anxious user could easily be misled by the apparent match. The legitimate page clearly states, “At the beginning of the call, you will hear the purpose of the call and that it is from Google. Calls may originate from an automated system or, in some instances, a live operator.”

Another AI-Driven Google Support Scam Raises Alarm for Gmail Users

Garry Tan, founder of the venture capital firm and startup accelerator Y Combinator, has taken to X, previously known as Twitter, to alert users about a new phishing scam he described as “quite elaborate,” which also utilizes AI to enhance its credibility. Similar to the scam that nearly deceived security consultant Sam Mitrovic, this latest warning pertains to contact from a purported Google support technician. 

One commenter on X suggested that the very existence of a Google support call was a clear indicator of the scam, which is not inaccurate: Google support does not initiate contact unexpectedly. “Do not click yes on this dialog,” Tan cautioned, “you will be phished.”

In the scam that targeted Tan, the individual posing as a Google support representative asserted that the company had received a death certificate and that a family member was trying to recover his account. Essentially, the caller was verifying whether the person on the line was alive, a tactic that seemed remarkably foolish. Tan cautioned that this was a sophisticated scheme designed to facilitate password recovery. He noticed that the account recovery screen displayed a field for the device name, which showed the name of a Google support employee instead of an actual device associated with the account. 

Tan recommended that the developers of the recovery interface implement basic regular expression checks or even AI-driven fraud detection for the text field. “Verifying the device name is a simple task,” he remarked. A key aspect of the scam involved persuading Tan to re-enter his cellphone number as part of the verification process to initiate an account recovery dialog. However, Tan was aware of this tactic: “I’ve been a victim of SIM swapping, so I know better than to link my cell number to my accounts,” he stated.
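Tan's suggestion of a basic regular expression check on the device-name field can be illustrated with a small validator. This is an added example written for this article, not code from Google or from Tan; the patterns, the length limit and the sample device names are assumptions constructed here. The idea is simply that a real device name ("Pixel 8 Pro", "Chrome on Windows") never needs to carry a phone number, a URL or support-style wording, so any such content is a strong signal that the field has been abused as a social-engineering lure.

```python
import re

# Content a genuine device name should never contain (assumed patterns, not Google's rules).
SUSPICIOUS_PATTERNS = {
    # nine or more digits/separators, optionally starting with "+": looks like a phone number
    "phone_number": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "url": re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # wording used to impersonate a support agent inside the field
    "support_lure": re.compile(
        r"\b(?:support|agent|representative|call|verify|recovery|helpdesk|help desk)\b",
        re.IGNORECASE,
    ),
}

MAX_DEVICE_NAME_LEN = 64  # assumed limit; real devices use short names


def check_device_name(name):
    """Return the list of reasons a device name looks like a lure; empty means plausible."""
    reasons = []
    if len(name) > MAX_DEVICE_NAME_LEN:
        reasons.append("too_long")
    for label, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(name):
            reasons.append(label)
    # Control characters can hide text or break rendering in the recovery dialog
    if any(ord(ch) < 32 for ch in name):
        reasons.append("control_chars")
    return reasons


def is_plausible_device_name(name):
    """True when no suspicious pattern fires; a recovery UI would display such names normally."""
    return not check_device_name(name)


if __name__ == "__main__":
    # Constructed sample values: two ordinary device names and one lure of the kind Tan described
    for sample in ("Pixel 8 Pro", "Chrome on Windows",
                   "Google Support Agent John, call +1 555 0100 to verify"):
        print(repr(sample), "->", check_device_name(sample) or "ok")
```

A flagged name should not simply be rejected silently; the useful action on the defender's side is to refuse to render it in the recovery prompt and to log the attempt, since the lure only works if the victim sees the text.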

Utilizing Google Forms to Enhance the Credibility of Contact Information

Fraudsters have been exploiting Google Forms, a free online tool within Google Workspace, to generate seemingly authentic documents as part of support scams. By sending a copy of the form to the victim's email address and using the response receipt feature, the scammer has the document delivered through legitimate Google servers, enhancing the scam's credibility. Recipients may see the email originating from an address like workspacesupport@google.com, which diminishes any suspicions they might have had. One particular scam employed this tactic to replicate an account recovery password reset form, misleading the target into believing they would receive an SMS notification from a named support agent, complete with a contact number for verification. This dual layer of legitimacy is often sufficient to deceive many individuals. The only potential misstep, if the recipient was astute enough to notice, was the overly complicated and lengthy password reset procedure.

Insights Gained from These Near Misses Involving Google Support Scams

Mitrovic took the appropriate action, or at least a reasonable alternative to hanging up, by requesting the alleged support representative to send an email confirmation. This email arrived shortly thereafter, appearing to be from a Google domain and seemingly authentic. However, he soon realized that the "to" field contained a cleverly disguised address that was not an actual Google domain, which could easily mislead those lacking technical expertise.
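The disguised address Mitrovic spotted is the kind of thing a mail client or a personal triage script can check mechanically. The following is an added example, not code from Mitrovic's post or from Google: it extracts the domain from a From:/To: header value, normalises internationalised (Unicode) domains to their ASCII form so that look-alike letters cannot pass as plain ASCII, and accepts only an exact match or a subdomain of a trusted domain. The trusted-domain list and the sample header values are assumptions constructed here.

```python
from email.utils import parseaddr

# Assumed allow-list: the only domain this check treats as Google's own.
TRUSTED_DOMAINS = ("google.com",)


def sender_domain(header_value):
    """Return the lower-cased, ASCII (IDNA) domain of the address in a header value, or None."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    try:
        # Unicode labels become xn-- punycode labels, so "gооgle.com" with Cyrillic o's
        # can no longer compare equal to the ASCII "google.com"
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # undecodable label: leave as-is, it will fail the exact-match test below
    return domain


def is_trusted_sender(header_value):
    """True only for an exact trusted domain or one of its subdomains.

    "google.com.example.net" and "googie.com" are rejected because the comparison is
    anchored at the end of the domain, not a substring search.
    """
    domain = sender_domain(header_value)
    if domain is None:
        return False
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


if __name__ == "__main__":
    # Constructed header values: one genuine-looking, three disguised in different ways
    samples = [
        "Google Support <support@google.com>",
        "Google Support <support@google.com.example-mail.net>",
        "Google Support <support@googIe.com>",          # capital I in place of l
        "Google Support <support@g\u043e\u043egle.com>",  # Cyrillic o's
    ]
    for s in samples:
        print(f"{s!r}: domain={sender_domain(s)} trusted={is_trusted_sender(s)}")
```

This catches the look-alike domain trick, but it reads only what the header claims. Whether the message really came from that domain is established by the receiving mail provider's SPF, DKIM and DMARC checks, which is why Gmail's own "show original" view, with its authentication results, is the better place to confirm a suspicious message.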

The decisive clue for Mitrovic came when the caller greeted him and, after receiving no reply, repeated the greeting. "At that moment, I recognized it as an AI-generated voice due to the flawless pronunciation and spacing," Mitrovic explained.

The original blog post by Mitrovic is highly recommended, as it offers extensive technical insights and investigative detail that cannot be fully covered in this report. Understanding the nuances is crucial, and the threat intelligence shared by this consultant is truly essential for anyone who may encounter a similar scenario: forewarned is forearmed.

It is highly likely that the attacker would have progressed to a stage where the so-called recovery process would be triggered. In reality, this would involve a cloned login portal designed to capture user credentials, potentially accompanied by malware that steals session cookies to circumvent two-factor authentication if it is enabled.

Google Launches the Global Signal Exchange to Combat Scammers

Google has announced its collaboration with the Global Anti-Scam Alliance and the DNS Research Federation to establish a new initiative aimed at combating scams. The Global Signal Exchange will serve as an intelligence-sharing platform focused on scams and fraud, offering real-time insights into the cybercrime supply chain. As the inaugural founding member of the Global Signal Exchange, Google envisions the platform becoming a global hub for intelligence signals related to malicious actors and their activities.

Amanda Storey, senior director of trust and safety at Google, stated that this partnership “leverages the strengths of each participant.” With GASA possessing a vast network of engaged stakeholders and the DNS Research Federation offering a data platform with over 40 million existing signals, “GSE aims to enhance the exchange of abuse signals, facilitating quicker identification and disruption of fraudulent activities across various sectors, platforms, and services.”

Google has confirmed that its primary objective is to develop a solution capable of functioning at the vast scale of the internet while ensuring efficiency and user-friendliness. This initiative will empower eligible organizations to combat scams effectively. With extensive experience in this domain, Google has a well-established track record of forming partnerships to tackle fraud. 

During the testing phase of the new Global Signal Exchange, Google provided over 100,000 malicious URLs and analyzed an impressive one million scam signals. Nafis Zebarjadi, Google’s account security product manager, stated, “We will initially share Google Shopping URLs that have been addressed under our scams policies, and as we gather insights from the pilot, we plan to incorporate data from other relevant Google product areas.”

The Global Signal Exchange, or its underlying engine, operates on the Google Cloud, facilitating the sharing and consumption of intelligence signals among all participants. Storey emphasized that this setup allows users to leverage the AI capabilities of the Google Cloud Platform to identify patterns and intelligently match signals.

Staying Secure Against Sophisticated Gmail Scams

AI deepfakes extend beyond their notorious uses in adult content and political manipulation; they are also employed in seemingly simple account takeover schemes. If you receive a call from someone claiming to represent Google support, remain composed. Remember, legitimate representatives will not contact you by phone, which serves as a significant warning sign. If you feel uncertain about the authenticity of the call, utilize available resources, including Google search and your Gmail account, to verify the situation. Look up the phone number to determine its true origin and review your Gmail activity for any unfamiliar devices accessing your account. Familiarize yourself with Google's guidelines on protecting against Gmail phishing scams. Most importantly, avoid succumbing to pressure to act quickly, regardless of the urgency conveyed during the conversation. Attackers often exploit this sense of urgency to bypass your usual judgment, leading you to click on malicious links or disclose sensitive information.

Consider Enrolling in Google’s Advanced Protection Program—Now Featuring Passkey Support

I recommend looking into Google’s Advanced Protection Program, which is tailored for individuals such as journalists, activists, and politicians who may be considered high-risk account users. Previously, one of the drawbacks of this program was the requirement to purchase two hardware security keys for account access. However, earlier this year, Google alleviated this financial burden by introducing passkey support for users enrolled in the Advanced Protection Program.

The integration of protections offered by these two technologies presents a compelling case for individuals with a Google account, particularly Gmail users. Here’s the rationale. When signing into Google on any device for the first time, a passkey is required. This means that even if a hacker obtains your username and account information, they cannot access it without the device where the passkey is stored (your smartphone) and the necessary biometrics for verification. 

[Image: Google's Advanced Protection Program keeps phishing scams at bay. Credit: Google]

Additionally, when combined with enrollment in the Advanced Protection Program, which limits access to your Gmail account data from most non-Google applications and services, it significantly complicates attempts at password phishing and account recovery. A Google representative stated, “If anyone tries to recover your account, Advanced Protection takes extra steps to verify your identity.” Consequently, the process of confirming your identity and regaining access to your Google account may take several days, but it effectively prevents hackers from easily infiltrating your account.