An Alarmingly Realistic AI Scam Is Targeting Billions Of Gmail Users, How It Works

As artificial intelligence continues to progress, nefarious actors are finding new ways of using the technology to their advantage. A new warning has been issued by Microsoft Solutions consultant Sam Mitrovic concerning a "super realistic" AI scam that is said to be capable of tricking “even the most experienced of users.”

The US government has been very busy lately with scams and AI. The Federal Trade Commission warned last month against a rise in bitcoin ATM scams, following a massive $110 million loss, and began cracking down on AI-generated fake reviews the month before. Now, it seems there is a vile scam using AI in an attempt to take over an unknowing victim's Gmail account.

Mitrovic remarked in a blog post, “Recently I received a notification to approve a Gmail account recovery attempt.” He went on to add that the request originated in the US, and that he denied the request. However, he then noticed about 40 minutes later that he had missed a call. The missed call showed a caller ID of “Google Sydney.”

A week later, Mitrovic received another notification to approve his Gmail account recovery. Once again, 40 minutes later, he received another call, which he picked up this time. He noted the caller sounded American and was very polite and professional. However, the number was from Australia.

The consultant said the caller introduced themself and then told him there was suspicious activity on his account. The caller asked Mitrovic if he was traveling, and when he told the caller no, they asked if he had logged in from Germany. Mitrovic once again answered no. The caller then informed Mitrovic that someone had been attempting to access his account for about a week, and that they had downloaded the account data.

While still on the call, Mitrovic Googled the phone number. To his surprise, Google documentation backed up that some calls from the company came from Australia, and the number that had called him seemed legit. But Mitrovic also knew that phone numbers can be easily spoofed, so he continued to dig deeper.

Mitrovic then asked the caller to email him. The caller agreed to do so and asked Mitrovic to give him a moment. While Mitrovic waited on the email, he said he could hear someone typing in the background on a keyboard, and that throughout the call there were noises similar to a call center. A few moments later, the caller reported he had sent the email, which once again looked genuine at first glance.

While still on the phone call, the consultant heard the caller say “Hello.” Mitrovic chose to ignore it, and then about 10 seconds later the voice once again said, “Hello.” It was then that he said he realized it was an AI voice, as the “pronunciation and spacing were too perfect.”

He chose to hang up the phone at this point, and drove home to continue investigating the suspicious call. When he attempted to call the number back, it went to voicemail with a message that remarked, “This is Google Maps, we are currently unable to take your call…” He then checked his Gmail account sign-in activity (anyone can do this by clicking on their Gmail profile photo in the top right corner, then Manage your Google Account, then clicking Security on the left-hand side menu, and looking under the Recent security activity subheading), noting the only sign-in sessions were his own.

He then checked out the email headers. It was here he noticed how the caller was able to spoof the sender email address, stating they used Salesforce CRM, which allows users to set the address to whatever they like and then send it over Gmail/Google servers.
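
The header check described above can be scripted. The following is an added example, not code from Mitrovic's post: it compares the visible From domain with the bounce address and the DKIM signing domain, and every address and domain in the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from Mitrovic's post): the visible From claims one
# domain while the bounce address and DKIM signature belong to a bulk mailer.
SAMPLE = """\
Return-Path: <bounce-123@crm-mailer.example>
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@crm-mailer.example header.d=crm-mailer.example;
 spf=pass smtp.mailfrom=bounce-123@crm-mailer.example;
 dmarc=fail header.from=brand.example
From: "Brand Support" <support@brand.example>
To: user@receiver.example
Subject: Your case has been opened

Body text.
"""

def domain_of(value):
    """Lower-cased domain of an address header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def aligned(domain, from_dom):
    """Simplified alignment: same domain, or one is a subdomain of the other.
    Real DMARC uses the organizational domain (public suffix list)."""
    return (domain == from_dom or domain.endswith("." + from_dom)
            or from_dom.endswith("." + domain))

def check_headers(raw):
    """Return findings where the sending infrastructure disagrees with From."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    bounce = domain_of(msg["Return-Path"])
    if bounce and not aligned(bounce, from_dom):
        findings.append(f"Return-Path domain {bounce} != From domain {from_dom}")
    # Only trust Authentication-Results added by your own receiving server.
    results = " ".join(msg.get_all("Authentication-Results") or [])
    for signer in re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results):
        if not aligned(signer.lower(), from_dom):
            findings.append(f"DKIM signed by {signer}, not {from_dom}")
    verdict = re.search(r"dmarc=(\w+)", results)
    if verdict and verdict.group(1).lower() != "pass":
        findings.append(f"DMARC verdict: {verdict.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in check_headers(SAMPLE):
        print(finding)
```

A passing SPF or DKIM result only shows that the mailer's own domain authenticated; it says nothing about the From address unless the two domains align.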

The moral of this story is to be extremely careful when it comes to giving out personal information to anyone. Scams are getting more sophisticated with the use of AI, and are becoming increasingly convincing. As Mitrovic notes, “there are too many tools to fight the scammers, however, at an individual level the best tool is still vigilance, doing the basic checks as above or seeking assistance from someone you trust.”