Gmail accounts targeted by a super realistic AI-powered scam


The power of artificial intelligence has opened up many possibilities. From process automation to advanced features that were previously impossible, the entire tech industry is benefiting from AI. However, LLMs are within everyone’s reach, including bad actors. Recently, Gmail users have reported a super-realistic AI-based scam that could fool the less tech-savvy.

Gmail AI-powered scam starts with account recovery attempt notifications and calls

As security barriers against phishing attacks or scam attempts improve, malicious actors have had to work on more sophisticated solutions. Of course, in the age of AI, they are turning to such tools. A modern, advanced phishing attempt targeted Sam Mitrovic, a Microsoft solutions consultant, who shared his experience to help you prepare.

Mitrovic, a Gmail user, was receiving account recovery attempt notifications and calls allegedly from Google. He ignored them, as you should do in these types of situations. To try to figure out what was going on, Mitrovic finally answered one of the calls. Interestingly, the other party appeared to be American, even though the call came from Australia.

The alleged “Google agent” asked Mitrovic if he was traveling in Germany, telling him that someone managed to get into his Gmail account a week ago and accessed all of his personal information. These types of questions or statements are common in phishing attempts, as they aim to intimidate the victim into complying with the scammer’s demands. During the call, Mitrovic looked up the phone number on Google. The number in question appeared as a legitimate one for Google Australia.

Calls disguised as legitimate Google calls

At this point, many people would already be willing to do whatever the other party tells them. After all, they were able to confirm that the call came from a seemingly “legitimate” number, so what the agent tells them must be true. However, you should know that scammers have methods to “disguise” phone numbers, making them appear legitimate. So, you shouldn’t use the phone number as the ultimate criterion for determining whether a call is coming from a legitimate source.

To find out more about how the scam attempt works, Mitrovic had another request for the “Google agent.” He asked for an email to be sent to his address so that he could check it. This way, he could verify whether the email originated from a legitimate Google address. It’s at this point that Mitrovic definitively confirmed that something was wrong. He realized that one of the addresses in the “to” field was not legitimate.

The “Google Agent” is actually an AI-generated voice

Furthermore, Mitrovic realized that the alleged Google agent was, in reality, an AI-generated voice. Remember when we mentioned that the other party appeared to be American, even though the call originated from Australia? Well, that’s why. At that point, after seeing firsthand how the scam process works, Mitrovic ended the call. Had they continued, the next step would probably have been to ask him to accept Gmail recovery requests, giving the attacker access to the account.

This AI-powered scam targeting Gmail accounts demonstrates a high level of sophistication. An AI-generated voice and phone numbers that appear to belong to Google work together to increase the effectiveness of the phishing attack. As a recommendation, never pay attention to alleged calls from Google asking you for certain actions or data. Also, don’t click on links you receive for alleged account recovery (unless you requested them yourself, of course).


