Scammers use AI to impersonate Google support with convincing phishing attempts. Scammers use Google Forms and real Google servers to appear legitimate. Google launched the Global Signal Exchange to share intelligence and combat scams.

The latest AI-powered phishing attempts have reached a new level of realism, tricking even experienced users. One notable case involves Sam Mitrovic, a Microsoft solutions consultant, who shared his near-miss experience after being targeted by a convincing scam call, as reported by Forbes.

Mitrovic first received a notification about a Gmail account recovery attempt, a common phishing technique, which he ignored. However, a week later, he received another recovery notification followed by a phone call from someone pretending to be from Google support. The scammer claimed that his Gmail account had been compromised, creating a sense of urgency and fear, as noted by Forbes.

Mitrovic initially thought the call was legitimate, as the scammer used convincing details, including references to suspicious login attempts and even providing a phone number that appeared to belong to Google. He knew that even if the number appeared legitimate, such as showing up on an official Google page, it could still be spoofed. Shortly after, he received an email that, at first glance, looked authentic, coming from a Google domain. However, he realized that spoofing an email address is also possible. Upon closer inspection, the “To” field revealed an email address cleverly disguised as GoogleMail@InternalCaseTracking.com, a non-Google domain. By connecting the clues, along with the unnatural pauses and overly precise pronunciation, he realized it was an AI-generated call. Mitrovic ultimately avoided falling victim but warned that these types of AI-generated attacks could easily deceive less tech-savvy users, as reported by Forbes.

Another incident that Forbes mentioned was reported by Garry Tan, the founder of Y Combinator. Tan recounted a similarly elaborate phishing scam involving a fake Google support call, in which the attacker claimed that a family member had provided a death certificate to recover his account.
The scam was designed to manipulate Tan into approving a fraudulent account recovery. Fortunately, he recognized inconsistencies in the process and avoided being scammed.

These AI-driven phishing scams not only exploit sophisticated technology but also manipulate legitimate tools such as Google Forms to create convincing support documents, notes Forbes. By using genuine Google servers, the attackers make their communications appear trustworthy, further complicating the detection of these fraudulent activities, warned Forbes.

DO NOT CLICK YES ON THIS DIALOG— You will be phished They claim to be checking that you are alive and… pic.twitter.com/60zeuS2lL8 — Garry Tan (@garrytan) October 10, 2024

In response to the growing threat, Google has launched the Global Signal Exchange in collaboration with the Global Anti-Scam Alliance and the DNS Research Federation. This new initiative aims to share real-time intelligence on cybercrime, enabling faster detection and disruption of scams.

To protect themselves, Gmail users are advised to enable Google’s Advanced Protection Program, which now includes passkey support, providing additional security measures for high-risk accounts such as those of journalists and activists.