This latest phishing scam sounds frighteningly real. Here's what to know about the latest AI-driven email scam hackers are using to steal your personal information.
How AI Can Help Scammers Hack Your Email
If you’ve got one of the world’s 2.5 billion Gmail accounts, there’s a new scam going around that should be on your radar. Hackers are using an artificial intelligence (AI) ploy, posing as someone from Google’s support team, to try to get users to reset their accounts via a fake portal, giving the would-be scammers access to their personal email accounts.
It’s a classic phishing scam, where a malicious actor tries to get you to give up personal information by pretending to be some kind of official customer service contact. However, what sets this one apart is the level of sophistication enabled by AI.
Here’s how the latest scam works, as first reported by Sam Mitrovic, a professional IT consultant who discovered the method when hackers tried it on him. He first received a notification from Google to approve an account recovery attempt. Less than an hour after declining that, he received a phone call that said it was from Google support in Sydney, Australia. He didn’t answer.
A week later, the same thing happened, and when Mitrovic answered the phone call this time, he found himself talking to someone with an American-sounding voice. The voice asked him if he was traveling and whether or not he had tried to log into his account from Germany. It then informed him that someone had illegally accessed his account.
Quickly looking up the phone number, Mitrovic found that it matched the one from Google’s support unit in Australia. He then asked the caller to send him a confirmation email, which he received shortly thereafter. At first glance, the email looked legit, showing a Google domain address. Upon further inspection, he noticed another address in the “To” field of the message from GoogleMail at InternalCaseTracking, not a Google domain.
Phone numbers and email domains can be spoofed, another common tactic hackers use with phishing scams. But the real giveaway came when the caller said “hello” again after Mitrovic didn’t respond to the first “hello,” a sign that he was talking to an AI-generated voice.
How To Avoid This Gmail Scam
So often, phishing scams are easy to spot. What makes this one so unsettling is its facade of legitimacy, from the legit-seeming email addresses to AI posing as a helpful human caller telling you that your account has already been compromised.
It’s scary to get an official-sounding phone call from Google telling you that your account has been illegally accessed, but stay calm and don’t give the caller any information. Google support is not going to call you unless you have a Google Business Profile connected to the account, so an unexpected call is a red flag.
You can always look up the phone number. If it’s not from Google, that’s an immediate tipoff. Even if the lookup says the number is from Google, as Mitrovic noticed in his case, hackers can (and frequently do) spoof those numbers and email addresses.
You should be suspicious of any account recovery notification that you didn’t initiate. That’s often a sure sign of a phishing attempt.
Finally, you can review recent access attempts to your Gmail account to see if someone besides yourself has tried to log into it. Here’s how:
How to see if someone else tried to access your Gmail account
Open Gmail in your browser and click on “Details” on the bottom right of the page. It will pull up a dialog box showing you the last 10 times your account was accessed, along with the location of the IP address and the date and time of the login attempt.
The bottom line here is the same as with any potential online scam: stay vigilant and always be suspicious when someone is asking for your login information.