In the old days, "hackers" had to somehow break your password, or find a way to digitally link in to the systems that store online data to grab personal details and potentially make off with highly profitable information.
But with AI-powered tools at their disposal, the hackers of today simply need a good plan. Not only will AI help them carry out their chosen scam, but now it can add a completely new level of sophistication by aiding in the creative process of designing the plan to begin with!
Here's what is happening:
Chances are, if you saw that screen, you would assume it's legit. IT ISN'T. Here's the full text of the X post above:
Public service announcement: You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified). DO NOT CLICK YES ON THIS DIALOG -- You will be phished. They claim to be checking that you are alive and that they should disregard a death certificate filed that claims a family member is recovering your account. It's a pretty elaborate ploy to get you to allow password recovery. The dead giveaway is the "Device" field here. Whoever designed this at Google should really do even basic regex and/or LLM-based fraud detection on this text field. It's trivial to check the Device name for this.
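Tan's closing remark, that the Device field could be screened with basic checks, is easy to illustrate. Here is an added example (my own code, not Google's and not from Tan's post) of the kind of heuristic a recovery-prompt backend could apply to the device-name string; the thresholds, the instruction-word list and the sample device names are assumptions constructed for the illustration.

```python
import re

# Assumed thresholds for this illustration: real device names ("iPhone 15 Pro",
# "Chrome on Windows") are short and have few words; lure text is neither.
MAX_LEN = 40
MAX_WORDS = 6
# Assumed word list: words that belong in an instruction, not in a device name.
IMPERATIVE_RE = re.compile(
    r"\b(click|press|tap|call|reply|confirm|verify|approve|do not|don'?t|support|urgent)\b",
    re.I,
)
URL_RE = re.compile(r"(https?://|www\.|\S+\.(com|net|org|io)\b)", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Constructed sample of lure text planted in the device-name field.
LURE_NAME = "Google Support: press YES to confirm you are alive and cancel account recovery"


def device_name_risk(name: str) -> list[str]:
    """Return the reasons a device name in a recovery prompt looks like lure text.

    An empty list means none of the heuristics fired.
    """
    text = name.strip()
    reasons = []
    if len(text) > MAX_LEN:
        reasons.append("too long")
    if len(text.split()) > MAX_WORDS:
        reasons.append("too many words")
    # A device name has no line breaks and no sentence boundaries.
    if "\n" in text or re.search(r"[.!?]\s+[A-Z]", text):
        reasons.append("multiple sentences")
    hits = sorted({m.group(0).lower() for m in IMPERATIVE_RE.finditer(text)})
    if hits:
        reasons.append("instruction words: " + ", ".join(hits))
    if URL_RE.search(text):
        reasons.append("contains URL")
    if PHONE_RE.search(text):
        reasons.append("contains phone number")
    return reasons


def is_suspicious(name: str) -> bool:
    """True when the device name should be held back for review instead of shown."""
    return bool(device_name_risk(name))


if __name__ == "__main__":
    for sample in ("iPhone 15 Pro", "Chrome on Windows", LURE_NAME):
        print(f"{sample!r}: {device_name_risk(sample) or 'ok'}")
```

A prompt whose device name trips any of these checks should be withheld or shown with the field blanked, rather than rendered verbatim to the account owner.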
So, what now? Let's dig in and find out. According to Inc.com, here's what is happening.
Before the advent of AI, a scam like this would have needed a real person to make this sort of phone call. Now, merely by clicking a button a hacker could launch hundreds or possibly thousands of such attacks at once. And then, when they had access to the accounts of the fraction of the users that fell for the scam, they could leverage the freshly-hacked Gmail accounts to make money, perhaps asking for a "ransom" so users could regain access.
Why should you care about this, though? Because Gmail has some 2.5 billion users, Forbes reports. And some estimates suggest that around 5 million businesses use Gmail as their email provider globally, with an estimated 60 percent of small businesses relying on the service. This makes great financial sense for a small or solo-person enterprise: you get all of the convenience of using Google's sophisticated tools for zero cost -- more profit! But smaller businesses may also have smaller, or wholly outsourced, IT teams. Most workers' expertise isn't focused on the tech sphere.
Okay, my guess is this is going to get bigger and bigger, and there will be fallout. People at different organizations are about to make all the mistakes, and bad things will happen. Information will get stolen, ID theft will skyrocket (it's already bad enough!), and people will ultimately lose money.
So... here's what you do, according to Fox News. In an article Fox ran on the new scam, they detailed five different ways to protect yourself from this Gmail AI scam.
1) Understanding Google's automated support system: Google has billions of users, so contacting them regarding any issue requires significant resources. Everything is automated, and Google doesn't call Gmail users unless they have a connected Google Business Profile.
2) Inspect email addresses carefully: Always check the email address carefully. In this case, the email included a recipient address that was not associated with a Google domain. Additionally, there were no other active sessions on the victim's Google account besides his own.
3) Be cautious with links and attachments: Avoid clicking on links or downloading attachments from unknown or suspicious emails. Instead, navigate directly to the website by typing the URL into your browser.
4) Enable two-factor authentication (2FA): Use 2FA on your accounts to add an extra layer of security. This requires a second form of verification, such as a text message or authentication app, making it harder for scammers to gain access even if they have your password.
5) Regularly monitor your accounts: Keep a close eye on your accounts for any unusual activity. Set up notifications for login attempts and changes to your account information. Early detection can prevent further damage.
In researching this threat, I came across an article that Zerohedge ran about the danger this new AI-powered scam is presenting. The problem is, although the scam presents possible red flags, the related call seems completely legitimate!
Garry Tan, chief executive of prominent tech-oriented venture capital firm Y Combinator, wrote on X late last week that there is a "pretty elaborate" phishing scam that uses an AI-generated voice.
The scammers "[claim] to be Google Support (caller ID matches, but is not verified)," he wrote in an Oct. 10 post that he termed a "public service announcement."
"They claim to be checking that you are alive and that they should disregard a death certificate filed that claims a family member is recovering your account. It's a pretty elaborate ploy to get you to allow password recovery."
IT consultant Sam Mitrovic, in a blog post last month, wrote of a similar scam attempt targeting Gmail accounts and also using an AI-generated voice.
According to the post, Mitrovic said he received a notification to approve an attempt to recover a Gmail account, which he ultimately rejected. He then received a phone call about 40 minutes later with a caller ID as "Google Sydney" and rejected it as well.
"Exactly a week later," he said, "more or less exactly the same time, I received another notification to approve my Gmail account recovery again from the United States.
"You guessed it -- about 40 minutes later I receive a call which I pick up this time. It's an American voice, very polite and professional. The number is Australian. He introduces himself and says that there is suspicious activity on my account."
The person on the other end of the line then asked if Mitrovic was traveling, to which he replied he was not, according to his account. The person then asked if Mitrovic was in Germany, to which he also said no.
Mitrovic said he found the caller's number was an official one that was listed under Google Australia's IT support page, adding that he asked for a confirmation email, and the sender address also appeared to be an official account used by Google's team.
"In the background, I can hear someone typing on the keyboard and throughout the call there is some background noise reminiscent of a call centre. He tells me that he has sent the email. After a few moments, the email arrives and at a first glance the email looks legit -- the sender is from a Google domain," he wrote.
If that sounds scary, that's because it is! The entire thing was a complete scam. That's why I'm bringing this to you, so you can prepare in advance!
Don't be taken in. And don't get fooled by the AI call! We've all seen the "deep fakes" online; the ability of AI to fake background noise, a kind voice, and simultaneously give you exactly the right amount of information and questions in a way that doesn't seem suspicious is TERRIFYING from the standpoint of a potential scam!
In a day and age marked by deceit, this is just one more avenue of approach. Stay vigilant, and question everything. And whatever you do... don't assume that Google customer service rep on the phone is legit, unless you make the call yourself!