Tuesday, November 5, 2024

Gmail users warned of sophisticated new scam – the ‘red flags’ to watch out for


A security expert has issued a warning to all Gmail users worldwide after uncovering a worrying scam that he could have fallen victim to that would have placed full control of his Google account in the hands of criminals.

The scam seems unusually deceptive, causing concern that millions of Gmail users could be at risk. In a blog post, Microsoft security consultant Sam Mitrovic described how he investigated an odd call he received from someone who said they were from Google. This was shortly after he’d got a notification on his device to approve a Gmail account recovery.

Google sends this notification when someone tells it they have forgotten the account’s login credentials and starts the account recovery process.

Mitrovic denied the request, but it happened again a few days later, so this time he answered the call. An American voice told him there was suspicious activity on his Google account, even though the phone number was Australian. After a few questions, Mitrovic asked the man to send him an email to prove the call was legitimate. The email he received looked convincing, but Mitrovic realised the sender address had been spoofed – convincingly, but spoofed nonetheless.

When Mitrovic said nothing, the caller said ‘Hello’, was met with silence, and then repeated the word a few seconds later.

“At this point I realised it was an AI voice as the pronunciation and spacing were too perfect,” Mitrovic said in his blog.

When he checked all the activity on his Google account, he was certain there had been no foul play and concluded that the calls were fraudulent. Their aim was to get him to hand over information or to approve a two-factor authentication prompt, which would have let the attackers on the other end of the line into his account: to Google, it would have looked as though the account’s owner was authorising the login.

“If I stayed on the call long enough, I believe the next step would be to approve the account recovery notification. After that, they would have gained control of the account,” Mitrovic said.

He believes the caller was an AI-generated voice, and that the phone number and email were more convincing than in comparable scams because the criminals had gone to the trouble of spoofing legitimate-looking email addresses and even cloaking the call behind a real Australian Google phone number.

“Despite many red flags upon closer inspection, this call seemed legitimate enough to trick many people. My guess is that their conversion rate from calls answered would be relatively high.”

The tech expert goes on to warn all Gmail users about the dangers of this clever, confusing new scam.

“The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale.

“People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it.

“There are many tools to fight the scammers, however, at an individual level the best tool is still vigilance, doing the basic checks as above or seeking assistance from someone you trust.”

It goes to show that if you receive a call from someone who says they are from Google, or from any other company or service you use, you should be very careful. You have every right to be suspicious: these firms will rarely contact you directly by phone or email, out of the blue, to ask for personal identifying information or to ask you to take an action on your account.

If someone gains control of your Gmail, they can impersonate you, access sensitive information contained in your inbox, or access other Google services you use.
