AI-Powered Gmail Scam: A New Threat to Billions of Users

AI-Based Scam Targets Gmail Users

Email is today the foundation of business correspondence in an increasingly advanced world. Sadly, this convenience has also created an environment for scams, particularly for those who use Gmail. Recent news has provided information about a rather complex AI-related fraud that has raised several concerns. This new current fraud involves artificial intelligence because the emails sent by the criminals pass a higher level of authenticity. Contrary to more conventional phishing scams, which usually present a variety of grammatical mistakes and inclusive rather than personalized greetings, these emerging advanced AI-composed emails seem to originate from legitimate sources. Furthermore, can even look at earlier email correspondence and mirror the written communication of known contacts. This makes it almost impossible for the users to glimpse what might be threatening them in the future. Recent statistics suggest that 25% of the population will likely become victims of such scams when they look realistic.

A new 'super-realistic' AI scam could get your Gmail account hacked

A Microsoft security expert warns Gmail users of a new convincing social engineering attack. The advent of generative AI has opened up all kinds of opportunities, but it has also ramped up various risks and dangers. We've previously seen hackers who can use AI-generated codes, phishing emails, or even deepfakes to make even more realistic fraud attempts -- ones that even security experts can easily fall for. Related: The most common phishing scams to be aware of In a recent Forbes report, Sam Mitrovic -- a security consultant for Microsoft -- talks about his experience with a new "super-realistic AI scam call" and warns that all Gmail account users could be targeted. The scam is similar to standard phishing methods, but it has a much higher chance of success thanks to its use of AI. First, Mitrovic received a message asking him to restore his Gmail account. In addition to the included confirmation link, Mitrovic also received a call that purported to come directly from Google. At first, he didn't pick up, assuming that Google wouldn't make such a call. But a week later, he got another call -- and this time he answered. On the other end was the American-sounding voice of an alleged Google support employee, who informed him that suspicious activity had been detected in his Gmail account. Someone from Germany had apparently logged in within the past seven days and downloaded his account data. At this point, Mitrovic did what many people do when they're in this kind of situation: he googled the phone number. To his surprise, it actually led to a Google business page, reinforcing the impression that it was a genuine call from Google itself. Fortunately, Mitrovic knew better and was able to recognize it for the phishing attempt it was. Although the AI-generated voice on the phone seemed very convincing, he made a quick check and found that everything was fine with his Google account. For the average person, though, it'd be extremely hard to see through the ruse. Related: How to spot a scam email or scam text These kinds of hack attempts are a serious threat to everyone, which is why it's important to understand how these scams work and what sorts of warning signs you need to be able to spot. Perhaps the most important giveaway of any scam is an elevated sense of urgency, one that tries to get you into panic mode so you're caught off guard and more likely to make mistakes by acting in haste. Other big giveaways include getting an unsolicited call from support (most companies will not reach out to you by phone without prior warning) and being prompted to share your password or other sensitive personal information (reputable support services won't ask for this). This particular AI scam is mainly targeting Gmail users, which amounts to around 2.5 billion users worldwide. If you use Gmail at all, you should be careful and only respond to the usual notifications about suspicious account activity, which Google doesn't send by phone but via automated emails. You can also check your Gmail account's security settings at any time to see whether everything is OK with your account.

Gmail users, beware of new AI scam that looks very authentic

A spoofed phone number, an email address plus an AI voice are all it takes to steal your Google credentials. Here's what to look out for just in case you happen to find yourself in such a situation. If you're a Gmail user (there are nearly 2 billion of us), you'll want to be aware of a new "super realistic AI scam." In a recent blog post, Microsoft solutions consultant Sam Mitrovic shared how he recently encountered a scam attempt that was surprisingly real. Also: Internet Archive's Wayback Machine is back up after data breach - with a catch The scam started when Mitrovic received a notification that he needed to approve a Gmail account recovery attempt. A message saying that you need to approve a login attempt or password change, real or fake, is how many scams start. A little more than 30 minutes later, he received a call from a real Google number in Sydney, Australia that he ignored. A week later, he received an identical notification followed by another phone call. This time, he picked up. The American voice on the other end, Mitrovic said, explained there was some suspicious activity on his Google account and someone had accessed it a week ago. The apparent Google employee offered to send an email detailing what happened, and that message promptly arrived from an official Google address. Also: Fidelity breach exposed the personal data of 77,000 customers - what to do if you're affected As Mitrovic paused to read the email thoroughly, the voice on the phone said, "Hello." 10 seconds later, it said "Hello" again with the exact same tone. At this point, he realized the voice was AI and hung up. Had the call proceeded, it's likely the caller would have eventually asked for an account recovery code or perhaps sent the user to a fake login portal. Mitrovic offered a few indicators that tipped him off to the potential scam. Here's what you should be aware of to stay safe: Maybe the biggest tip-off was that Google support (or any other tech support for that matter) will not contact you out of the blue to tell you there's a problem. If something seems fishy, it's always best to err on the safe side and end communication until you can figure out more. Also: 1 in 4 people have experienced identity fraud - and most of them blame AI As AI-powered scams continue to rise, Google is fighting back. Last week, it announced Global Signal Exchange, a partnership with the Global Anti-Scam Alliance and DNS Research Federation to fight scams. The GSE is a real-time information-sharing platform that allows insight into the cybercrime supply chain, hopefully allowing for faster identification of bad actors.

This AI Gmail Scam Is Scaringly Realistic: Here's How to Stay Safe

If You See Any of These Celebs Selling Something Unusual, You've Spotted an AI Scam It's no secret that bad actors are using AI to create more believable scams, but until now, they haven't been very believable. However, as models become more advanced, these tricks become more and more realistic. Now, there are reports of a particularly nasty Gmail scam that can easily fool even the most wary person out of their account. How the Gmail AI Scam Works The scam was first documented on Sam Mitrovic's blog. This attack combines AI voices with convincing email spoofing tactics to create a realistic customer support scam. This tactic begins as an attempt to log into your Google account, which usually sends a notification to your device. If you decline the login attempt, the scammers call you 40 minutes later and use an AI voice to act as a fake customer support agent. The AI claims to be from Google, and states that your account has been hacked -- hence the notification from earlier. It will then ask you for your personal information, which the scammer can use to gain access to your account. The scary part of the scam is how authentic everything looks. As Sam Mitrovic noted, the phone number calling his device looked like it came from Google. Sam also received an email that looked professional and had a believable sender, which you can see below. How to Avoid the Gmail AI Scam As convincing as the scam was, it still has a few red flags that identify it as a scam. For one, Google will never call you on your phone if it's not a Business Profile, so anyone claiming to be from the search giant should immediately set off alarm bells. If you're worried that someone has actually gotten a hold of your account, hang up on the caller and visit Google Help. Contact support and let them know what the person on the line said. If it was real, the support agent should help you rectify the issue; if it wasn't, they should let you know and reassure you. If you want to take matters into your own hands, look out for signs that your Google account has been hacked; if nothing turns up, it was a scam.

An AI scam campaign is targeting all Gmail users: how they can hack you if you're not careful - Softonic

This new tactic almost managed to deceive a Microsoft consultant Hackers may have found a new tactic to deceive Gmail users through a "super-realistic AI scam call." Far from being "the typical scam," this new scam campaign poses a threat even to the most experienced users. Sam Mitrovic, a consultant at Microsoft, shared in a blog post how he was the victim of a scam attempt using this new tactic. It all started with a notification to approve the recovery of his Gmail account, a classic phishing technique designed to lead users to fake portals where hackers can steal their credentials. Although Mitrovic declined the request, about 40 minutes later he received a missed call supposedly from Google Sydney. The scam continued a week later with another account recovery request, and this time Mitrovic decided to answer the call he received shortly after. On the phone, a supposed American man, claiming to work for Google's support service, warned him about suspicious activity on his account and that an attacker had downloaded his data. This raised alarms for Mitrovic, who quickly searched Google for the phone number of the call. Although the number seemed legitimate, he decided to remain skeptical and asked to be sent an email. When the message arrived in his inbox, everything seemed correct, except for one small detail: an email address in the "to" field that did not belong to Google. The scam became more evident when the interlocutor repeated a "Hello" that sounded suspiciously perfect. "At that moment I realized that it was an AI voice," Mitrovic recounted, upon noticing the scam. "Scams are becoming more sophisticated, more convincing, and are deployed on a larger scale," stated Mitrovic. For this reason, the consultant emphasizes the importance of staying alert and conducting basic checks on any communication received by the user.

Beware the New Gmail AI Scam! Learn How to Keep Your Account Safe

As technology has evolved, so have many scams. Those done by amateurs are thankfully usually easy to spot, but that isn't always the case for any being done by those with a strong knowledge of security loopholes. A recent scam involving email account recovery was so advanced that it even surprised a security expert. Learn more about the Gmail AI scam, how it works and how to ensure you don't become a victim. What is the Gmail AI scam? This scam was brought to the public's attention after Microsoft products security expert Sam Mitrovic shared how he was personally targeted, according toCNET. What's particularly concerning about this attempt is it involves AI, and can trick a lot of people who aren't aware of what it involves. Plus, it incorporates some of the more common scam techniques: phone calls and emails. But unlike prior phishing attempts, the signs that hackers are trying to get access to your Gmail account are not exactly obvious. It's a complex scam with a lot of steps, done by bad actors who are eager to get into your account. Details of the Gmail AI scam InMitrovic's post, he shares that the scam began with a notification to approve a Gmail account recovery attempt. After denying the request, he received a missed phone call with the caller ID label of "Google Sydney." The same pattern appeared a week later. During this second attempt, however, Mitrovic answered the phone and was greeted by a polite and professional American voice. The alleged caller claimed to be from Google and insisted there was in fact suspicious activity on the account. To get the caller to prove his authenticity, Mitrovic then insisted an email about the issue be sent. Not only did they agree to his request, the sender appeared to be from a legitimate Google domain. The subject line of the message read, "[Case Action Advised] Your Google Workspace case #52587531: 'Verification requested by account owner.' has been updated and requires your attention." The sender's email address? "Workspacesupport@google.com." The caller then tried to prompt Mitrovic to engage with him with two "Hello" comments, but he ultimately hung up. Why the Gmail AI scam is dangerous As Mitrovic points out in his blog, the multi-layered AI scam cleverly hides some of the elements that make a scam easy to spot. The first? The phone number. When he Googled it, he found the contact information for the Australian number on the official Google website -- it was a match. "The number seems legit although I'm aware just how easy it is to spoof the number," he recalled of the incident. On the other hand, similar scams from the past year generally involved "808" numbers, according to oneReddit thread. Next, the caller appeared to be American and courteous. This wasn't a helpful customer service representative, however. It was AI. Finally, the sender's email address appeared to be legitimate. But as Mitrovic points out, that was also spoofed. "They are using Salesforce CRM which allows you to set the sender to whatever you like and send over Gmail/Google servers," he wrote. (Click through to read more about another email scam making the rounds). Another red flag? The "To" field of the message contained an address that said googlemail@internalcasetracking.com. The end goal behind all of these scam attempts? Gaining control of the Gmail account. Mitrovic believes the final step would have been for him to approve the account recovery notification, allowing the hackers to use it for personal and financial gain. How to avoid becoming a victim of the Gmail AI scam This sophisticated scam can easily fool you, so if you are a Gmail user you'll want to be prepared should you become a target. There are many things to keep in mind to protect your information. If you receive account recovery notifications that you didn't initiate, you may be preyed upon using the next steps in the scam. When in doubt, look at the last login sessions for your account. "You can do this by clicking on your Gmail profile photo in the top right corner then Manage your Google Account then click Security on the left hand side menu and look under the Recent security activity subheading," advises Mitrovic. Since no one else had tried to log into his account, he knew that the claims were not true. Next, be vigilant about any phone calls you receive that claim to be from a Google representative. Official support will be much more clear,reports Forbes. "At the start of the call, you'll hear the reason for the call and that the call is from Google. You can expect the call to come from an automated system or, in some cases, a manual operator," Google informs. Finally, take a closer look at any emails sent from an account claiming to be Google. The address may seem legitimate, but in fact be made to only appear official. Rather than clicking on any links or using phone numbers that appear in the body of the message, It's best to only reach out to the official channels of Google support if you believe your account does need to be recovered.

AI-Driven Phishing Attacks Target Gmail: How to Prevent Scammers from Taking Over Your Account

Gmail users need to be on high alert as a new wave of AI-powered phishing scams is hitting inboxes making them more dangerous and convincing than ever before. According to a recent report by Forbes, scammers are leveraging artificial intelligence to craft highly personalized and sophisticated emails that mimic legitimate sources such as banks, social media platforms and even Google itself. These scams are designed to trick users into clicking suspicious links or sharing login credentials leading to account takeovers and potential data theft.

Security Experts Warn Gmail Users of More Sophisticated AI Hacks

The scams can target Gmail accounts, many of which are part of Google Workspace's 3 billion users. Security experts are warning that AI-driven phishing attempts and scams targeting Gmail accounts are getting harder to detect and much more sophisticated. The attempts can include fake notifications from real Google addresses, convincing phone calls from AI or human agents that appear to come from legitimate Google phone numbers, and links pointing to Google pages that serve to make the scam seem legitimate. In September, Microsoft products security expert Sam Mitrovic posted about such a scam that targeted him personally. Y Combinator CEO Garry Tan posted a similar warning last week on X about a similar phishing attempt he encountered. Cybersecurity writer Davey Winder rounded up these warnings on Forbes as well as information about how scammers are using Google Forms as another method of fooling people with Google accounts. Google did not respond to a request for comment. For its part, Google recently helped begin efforts on a Global Signal Exchange with the Global Anti-Scam Alliance and DNS Research Federation to create a database of scam and fraud attempts. The Exchange includes executives from Amazon, Meta, Mastercard and Trend Micro and will initially focus on URLs, IP addresses and reports of scams and phishing attacks. It's set to launch officially on January 1, 2025. According to Winder, two ways Gmail users can help protect themselves are to familiarize themselves with Google's policies and advice on phishing (including what to do if you're a victim and locked out of your account). Users who are more likely to be targeted, including politicians and journalists, should look into Google's Advanced Protection Program, which can include the use of a hardware security key (basically a device such as a secure USB drive for logins). Google recently added Passkey support to the program.

Scammers Are Using AI to Pretend to Be Google

A recent incident, described in a personal blog by Sam Mitrovic, shows how AI-powered scam calls are becoming harder to discern. Mitrovic received a series of suspicious notifications and phone calls that mimicked legitimate Google communication -- a threat that could have led to the loss of his Google account. The events began with a Gmail account recovery attempt notification originating from the United States. This was followed by a missed call from a number displaying "Google Sydney" as the caller ID. About a week later, Mitrovic received another account recovery request, again from the United States. And this time, he answered the call from "Google Sydney," which had a polite and professional American voice speaking from an Australian phone number. The caller claimed there was suspicious activity on Mitrovic's account, implying unauthorized access from Germany. Mitrovic was told his account data had been downloaded, referencing the earlier account recovery notification. Notably, the phone number used by "Google Sydney" appeared in official Google documentation, suggesting the number was legitimate. Still, Sam asked the caller to prove their identity. The caller sent an email that appeared to be from a Google domain, but upon closer inspection, Mitrovic noticed the email's "To" field contained an email address ending in "InternalCaseTracking.com," which is not a Google domain. The caller's voice, characterized as "too perfect," also raised suspicion. Mitrovic, recognizing the potential for an AI-driven scam, hung up the call. After returning home and checking his Google account's recent security activity log, Mitrovic only found his own login sessions. An examination of the email headers revealed that the email originated from an IP address associated with Amazon Web Services (AWS). This finding supports the possibility of the email being sent through a cloud-based platform used by scammers. Google is aware of the issues that are coming from AI scammers and is combating online scams by partnering with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNSRF) to launch the Global Signal Exchange (GSE), a platform for sharing scams and fraud information. Google is also expanding its Cross-Account Protection tool, which helps protect users by sharing security notifications with apps and services linked to their Google accounts. However, this may not be enough because, according to The Lawstreet Journal, these AI companies have been targeting all 2.5 billion Gmail account holders. Google isn't alone either, because even Apple customers are dealing with more advanced scammers. It's important to note that AWS itself is not involved in or responsible for fraudulent activities; rather, it is a service that was used. There are plenty of AI apps on the App Store that are used for scams, so it's not going to stop anytime soon. The ability of scammers to mimic human voices and create realistic scenarios will likely make it much harder to distinguish legitimate calls and communications from frauds. So it's better to always be very careful. Source: Sam Mitrovic

Scammers use AI to create scarily convincing phishing calls

Scammers tried to gain control of a security expert's Gmail account A security expert has recounted how close he came to being fooled by a new AI-based scam call that aimed to get his Gmail account details. There were already scam ChatGPT apps on the App Store, but now artificial intelligence has been deployed by scammers in what expert Sam Mitrovic describes as "super realistic." "People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort," wrote Mitrovic in a blog post. "Many people are likely to fall for it." "Despite many red flags upon closer inspection, this call seemed legitimate enough to trick many people," he continued. "My guess is that their conversion rate from calls answered would be relatively high." For Mitrovic, it began with a notification to approve a Gmail account recovery attempt. Mitrovic ignored both that and a missed call apparently from Google Sydney. A week later, the same notification appeared and 40 minutes later, he got a call that he did answer. The seven-day gap was significant, because the caller told him that there had been suspicious activity on his account for a week. While this polite, professional, American male voice asks if Mitrovic could have been accessing his account from overseas, the security expert is Googling the phone number the call is coming from. It's a legitimate Google number, although Mitrovic notes that numbers can be spoofed. In this case, however, the Google number was for calls specifically regarding Google Assistant, not the Gmail account he was being asked about. So Mitrovic asks the caller to send him an email. "He politely says he will do so and to give him a moment," continues Mitrovic. "In the background, I can hear someone typing... After a few moments, the email arrives and at first glance the email looks legit." It isn't, though. As Mitrovic is noticing that the address is not from a Google domain, the caller said "Hello." "I ignored it... then about 10 seconds later, [the voice] said 'Hello' again," says Mitrovic, and that's when the security expert hung up. "At this point [I realised it was] an AI voice as the pronunciation and spacing were too perfect." "The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale," cautions Mitrovic. To avoid being taken in, he notes that there were several clues, starting with how he received account recovery notifications that it hadn't initiated. He also notes that Google does not phone Gmail users unless you have a Google Business Profile too. The spoofing of a phone number and an email address is scary enough, but that the entire call was an AI voice is sobering. Ironically, it may mean that scammers employ fewer people in future, but it also means that hundreds or thousands of such calls could be being made simultaneously Other than the AI aspect, though, phone spoofing and phishing calls are not new. Previously scammers have pretended to be from Apple Support, for instance.

Don't Fall for This 'New' Google AI Scam

Tech headlines are abuzz this morning about a new AI scam targeting Google users. Forbes published a piece detailing two experiences with scammers, both of which involved likely AI-generated phone calls and multi-step schemes. Here's the thing, though: These scams aren't necessarily "new," and you should be wary of them -- whether the actor purports to be from Google or not. Watch out for these Google Account scams Forbes' reporting highlights two specific but similar examples of this type of scam: One victim, Sam Mitrovic of Microsoft, received an alert regarding an account recovery request, which, when legitimate, are usually triggered when someone forgets their password. Because unprompted account recovery requests are often malicious in nature, Mitrovic ignore the alert, but received a phone call from "Google Support" just 40 minutes later. Mitrovic ignored this call, too, but soon after, received another alert followed 40 minutes later by a "Google Support" call. This time, Mitrovic answered, to find a "representative" with an American accent who asked if Mitrovic had traveled recently, particularly to Germany. The answer was no, which lead the representative to warn Mitrovic that someone had been accessing their account from Germany for the past seven days, and had already downloaded data from the account. Mitrovic even googled the phone number "Google Support" was calling from, and found it lead to this official Google Support page. At first glance, you might think that confirms this is actually Google Support, but read the page closer, and you'll see this phone number is the number Google Assistant calls businesses from, not Google Support. This was, in the end, a scam. Forbes' other example concerns Garry Tan, founder of Y Combinator, who reports he was also targeted in a similar scam. Tan also received a call from "Google Support," claiming that they had Tan's death certificate, and a family member was trying to use it to access Tan's account. Google Support was calling to both confirm that Tan was actually alive, and to share an account recovery request that Tan could use to "confirm" his account was active. That last bit is the real scam: Tan highlights that the account recovery request was definitely fraudulent, as the "device" the request was coming from said Google Support, not an actual device. Someone is spoofing that field, and if Tan had hit "Yes, it's me" on the alert, the attacker would have been able to reset the password on Tan's Google Account. While it can't be confirmed, it appears the phone calls used in each example were AI-powered. Mitrovic and Tan both confirm the voices were convincing, but in Mitrovic's case, the "caller" said "hello," and, after no response, said "hello" the same way again. That, coupled with perfect pronunciation and spacing, convinced Mitrovic the voice was actually AI -- telltale signs of generative AI-powered audio. In practice, this scam is nothing new While the news is buzzing about this new type of AI-powered scam, the underlying tactics here are pretty classic. You can protect yourself by knowing what to look out for, whether the attackers use AI or not. First, big tech companies like Google simply don't call you out of the blue to warn you about a potential security breach with your account. In fact, Google, and companies like it, are notorious for their lack of human-based support in general. If you can't get in touch with a real person when you knowingly need help, there's no shot a Google rep is going to reach out to you first. So, whether it's a convincing AI-powered voice on the other end of the phone, or a pretty terrible human actor pretending to be a live Google representative, receiving a call from a company like this should be a large enough red flag to ignore the situation. On the flip side, we have the account recovery request. This is a textbook scam method: Trigger an account recovery alert on the user's end, and convince them accepting it means they're confirming their identity. That is simply not what this system is designed for, and it's what hackers are counting on you to fall for. Account recovery requests are supposed to be triggered by you whenever you are otherwise unable to access your account, perhaps in the event that someone has actually hacked your account. You tell Google that, and they send an account recovery request to your attached email address. You open that email, click "Yes, it's me," and you're able to continue on with your account recovery process. No one else is involved in the process, and the request isn't used for any other purpose. Hackers, however, will pretend to be from Google Support, and say that this account recovery request is just a way to confirm your identity, or that your account is active. However, when you click that "Yes, it's me" button, what you've done is trigger the account recovery process on their end. They now have the power to get into your account, and potentially lock you out of it and steal your information. Bottom line: If you did not trigger that account recovery alert yourself, it's not legitimate. Do not click on it. If you're worried about being hacked If you receive a phone call or a message like this, it's likely a bad actor looking for a phishing victim. Without your input, they will simply move on to another victim. However, it's not a bad idea to run through some steps to make sure your account is actively protected. Focusing on Google, you can go to your Google Account's Security settings page to review a dashboard of your account's security health. Here's where you'll see all your active sessions, whether Google has any security alerts for you to manage, and settings for things like two-factor authentication, passwords, passkeys, recovery emails, and phone numbers, among others. If you're worried about your account's current security level, look at your active sessions: This is where you're currently logged into. If you don't recognize a device or a location, you can click on it and sign that device out of your account. Just know if you're using a VPN, or Apple's iCloud Private Relay, you may see sessions from unknown locations on your trusted devices, as these services obfuscate where your actual internet traffic is coming from. In addition, it's a great idea to change your password every now and then, and ensure you're using two-factor authentication (2FA). That way, if an attacker does figure out your password, you have a secondary authentication step that requires a trusted device -- something the attacker likely does not have. Consider setting up passkeys as well, which combined the best of both worlds between passwords and 2FA. At the end of the day, attackers employing these scams can't actually break into your account themselves -- that's why they're targeting you. They need you to click on their malicious links or authenticate yourself on their behalf. So long as your password is strong, and you have other forms of authentication as a backup, the best way to avoid being a victim in these types of scams is to simply ignore them.