A security researcher and a technology startup CEO are warning that some Gmail users could fall prey to a sophisticated, AI-based scam that could lead to their accounts being taken over.
Garry Tan, chief executive of the prominent tech-oriented venture capital firm Y Combinator, wrote on X late last week that there is a “pretty elaborate” phishing scam that uses an AI-generated voice.
The scammers “[claim] to be Google Support (caller ID matches, but is not verified),” he wrote in an Oct. 10 post that he termed a “public service announcement.”
“DO NOT CLICK YES ON THIS DIALOG—You will be phished.
“They claim to be checking that you are alive and that they should disregard a death certificate filed that claims a family member is recovering your account. It’s a pretty elaborate ploy to get you to allow password recovery.”
IT consultant Sam Mitrovic, in a blog post last month, wrote of a similar scam attempt targeting Gmail accounts and also using an AI-generated voice.
“The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale,” Mitrovic wrote in the post. “People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it.”
In the post, Mitrovic wrote that he received a notification asking him to approve an attempt to recover a Gmail account, which he rejected. About 40 minutes later he received a phone call with the caller ID “Google Sydney,” which he also rejected.
“Exactly a week later,” he said, “more or less exactly the same time, I received another notification to approve my Gmail account recovery again from the United States.
“You guessed it—about 40 minutes later I receive a call which I pick up this time. It’s an American voice, very polite and professional. The number is Australian. He introduces himself and says that there is suspicious activity on my account.”
The person on the other end of the line then asked whether Mitrovic was traveling; he replied that he was not, according to his account. The caller then asked whether Mitrovic was in Germany, and he again said no.
Mitrovic said the caller’s number matched an official number listed on Google Australia’s IT support page. He asked for a confirmation email, and the sender address of the message that arrived also appeared to belong to an official Google account.
“In the background, I can hear someone typing on the keyboard and throughout the call there is some background noise reminiscent of a call centre. He tells me that he has sent the email. After a few moments, the email arrives and at a first glance the email looks legit—the sender is from a Google domain,” he wrote.
But the researcher noted that “spoofing an email address is easy and I notice that the To field contains an email address cleverly named GoogleMail at InternalCaseTracking dot com (non-Google domain).”
“The caller said, ‘Hello.’ I ignored it; then, about 10 seconds later, [he] said ‘Hello’ again,” he said, adding that at that moment he realized the voice was AI-generated, “as the pronunciation and spacing were too perfect.”
Mitrovic wrote that he hung up and called the number back. He then received a message that said, “This is Google Maps, we are currently unable to take your call.”
The researcher said he was not the only one who appeared to have been nearly scammed; he found others who wrote that they had been targeted by a similar scheme.
Garry Tan (@garrytan) wrote on X on October 10, 2024: “Public service announcement: You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified). DO NOT CLICK YES ON THIS DIALOG—You will be phished. They claim to be checking that you are alive and…”
“There are many tools to fight the scammers, however, at an individual level the best tool is still vigilance, doing the basic checks as above or seeking assistance from someone you trust,” Mitrovic wrote.
In the blog post, the researcher said several hints suggested the call was an attempt to take over his Google or Gmail account.
Mitrovic listed several telltale signs of a scam: first, he received account recovery messages that he had not initiated; second, the contact came as a phone call, and Google does not call users unless they have a Google Business Profile; and third, the email he received came from an address “not connected to a Google domain.” In addition, the email header showed “how the email was spoofed,” and a “reverse number search showed others who received the same scam call,” he said.
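The header checks Mitrovic describes (a To address on an unrelated domain, a sender that only looks like Google, and headers that reveal the spoofing) can be made mechanical. The following is an added example, not code from the article, from Mitrovic, or from Google. It parses two constructed messages with Python’s standard `email` module: one mirroring the reported pattern (From on a Google domain, To and Reply-To on InternalCaseTracking dot com, a receiving-server Authentication-Results line where DMARC fails) and one aligned, authenticated notice for comparison. The `org_of` helper, the recipient address `user@example.net`, and the `mx.example.net` authenticating server are assumptions made for the example; the last-two-labels heuristic for the organisation domain is deliberately simple and does not handle suffixes such as co.uk.

```python
"""Audit the headers of a 'support' email for the spoofing signs described
in the post. Added example; not code from the article, Mitrovic, or Google.
Both raw messages below are constructed samples."""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample mirroring the reported message (headers only).
SPOOFED_MSG = """\
Return-Path: <bounce@internalcasetracking.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=internalcasetracking.com; dkim=none; dmarc=fail header.from=google.com
From: Google Support <support@google.com>
To: GoogleMail <googlemail@internalcasetracking.com>
Reply-To: Google Case Tracking <casetracking@internalcasetracking.com>
Subject: Case 4821: account recovery verification

Placeholder body.
"""

# Constructed sample of an aligned, authenticated account notice.
LEGIT_MSG = """\
Return-Path: <no-reply@accounts.google.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=accounts.google.com; dkim=pass header.d=accounts.google.com; dmarc=pass header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
To: user@example.net
Subject: Security alert

Placeholder body.
"""


def domain_of(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def org_of(domain):
    """Heuristic organisation domain: the last two labels
    (accounts.google.com -> google.com). Not correct for co.uk-style suffixes."""
    return ".".join(domain.split(".")[-2:])


def audit_headers(raw, recipient):
    """Return a list of red flags found in the message headers (empty = none)."""
    msg = message_from_string(raw)
    findings = []
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    from_org = org_of(domain_of(from_addrs[0])) if from_addrs else ""

    # 1. A notice addressed to someone other than you means you were Bcc'd.
    #    Account-security mail goes to the account holder directly.
    for hdr in ("To", "Cc"):
        for _, a in getaddresses(msg.get_all(hdr, [])):
            if a.lower() != recipient.lower():
                findings.append(f"{hdr} is {a}, not {recipient}")

    # 2. Reply-To and Return-Path should belong to the organisation in From;
    #    a mismatch is how a spoofed From shows up in the raw headers.
    for hdr in ("Reply-To", "Return-Path"):
        for _, a in getaddresses(msg.get_all(hdr, [])):
            if org_of(domain_of(a)) != from_org:
                findings.append(
                    f"{hdr} domain {domain_of(a)} does not match From ({from_org})")

    # 3. Authentication-Results is stamped by the receiving server: DMARC must
    #    pass, and the domain SPF vouched for must align with From.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    if not dmarc or dmarc.group(1).lower() != "pass":
        findings.append("DMARC did not pass for the From domain")
    spf_dom = re.search(r"smtp\.mailfrom=([\w.-]+)", auth)
    if spf_dom and org_of(spf_dom.group(1).lower()) != from_org:
        findings.append(f"SPF vouches for {spf_dom.group(1)}, not {from_org}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(name, audit_headers(raw, "user@example.net") or ["no findings"])
```

Run against the constructed spoofed message, the audit reports five findings (the To and Reply-To addresses, the Return-Path, the failed DMARC result, and SPF vouching for the wrong domain), while the aligned notice produces none. The same checks apply to any raw message: most mail clients offer a “show original” or “view source” option that exposes these headers.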
“Despite many red flags upon closer inspection, this call seemed legitimate enough to trick many people,” he wrote. “My guess is that their conversion rate from calls answered would be relatively high.”
The Epoch Times contacted Google for comment about Mitrovic’s and Tan’s warnings but received no response by press time.