Google has confirmed a recent, highly targeted phishing attack on Gmail users and urged them to stay vigilant against increasingly convincing scams. The attack combined fraudulent support calls, placed under a Google caller ID, with confirmation email sent from genuine Google infrastructure.
Details of the phishing attack
According to The Register, Zach Latta, an engineer and the founder of Hack Club, nearly fell victim to the scam. Callers posing as Google support told him that an unusual login attempt had been made from Frankfurt and instructed him to reset his password. The caller ID displayed 650-203-0000, a number that really does belong to Google Assistant, so the call appeared to come from Google. Caller ID is trivially spoofed, however, and a displayed number proves nothing about who is actually on the line. The scammer, who gave her name as Chloe, spoke with an American accent and offered details that initially seemed credible.
Latta stayed cautious and asked for a confirmation email from a genuine Google domain. The scammers complied, sending an email from a real, unspoofed Google address: the message was legitimate Google mail, but it had been generated through a Workspace account registered under the g.co name rather than by Google support. When Latta raised the idea of hanging up and calling the number back, Chloe's calm reply kept him on the line. The scam began to unravel when Chloe's colleague, Solomon, contradicted her during the conversation, and a genuine two-factor authentication (2FA) code that arrived mid-call added to the confusion. A real code is only sent when someone has just attempted a sign-in or password reset on the account; during an unsolicited call, that someone is the caller, and reading the code back to them completes the takeover.
How AI is making phishing scams unstoppable
Latta reflected on the situation, stating, “The thing that’s crazy is that if I followed the two ‘best practices’ of verifying the phone number and getting them to send an email to you from a legit domain, I would have been compromised.” He pointed out how hard the call was to assess, particularly given the abuse of g.co, a Google-owned domain that anyone could name when creating a Workspace account, with no verification of ownership.
A Google spokesperson confirmed that the company has suspended the account used in this scam and is tightening its defenses against similar abuse. The spokesperson stated, “We have not seen evidence that this is a wide-scale tactic, but we are hardening our defenses against abusers leveraging g.co references at sign-up to further protect users.” Google reiterated that it does not initiate unsolicited contact with individuals about account issues.
Fraudulent support calls are not unique to Google: customers of banks and other technology companies are targeted the same way. The FBI has warned about these scams and reiterated that legitimate companies do not make unsolicited contact of this kind. The safe response is to hang up and reach the company through a number or support page you look up yourself, never through one supplied by the caller or in the email the caller points you to. Google and other companies are urged to display clear warnings to that effect across all their platforms.
Featured image credit: Kerem Gülen/Ideogram