Scammers Use AI to Create Eerily Convincing Phishing Calls

Scammers tried to take over security expert's Gmail account

A security expert has revealed how close he came to being duped by a new AI-powered scam that sought to steal his Gmail account details.

There have been ChatGPT scams in the App Store before, but now the scammers have turned to artificial intelligence in a way that expert Sam Mitrovic describes as “super realistic.”

“People are busy, and this scam sounded and looked legitimate enough that I gave them an A for their efforts,” Mitrovic wrote in a blog post. “A lot of people will probably fall for this.”

“Despite a lot of red flags, upon closer inspection this call seemed legitimate enough to fool a lot of people,” he continued. “I’d imagine their conversion rate from accepted calls would be relatively high.”

For Mitrovic, it all started with a notification about an approved Gmail account recovery attempt. Mitrovic ignored both that and a missed call, apparently from Google Sydney.

A week later, the same notification appeared, and 40 minutes later, he received a call and answered. The seven-day gap was significant because the caller told him that there had been suspicious activity on his account for a week.

While the polite, professional American male voice asked whether Mitrovic could have accessed his account from abroad, the security expert Googled the phone number from which the call came. It was a legitimate Google number, although Mitrovic notes that numbers can be spoofed.

In this case, however, the Google number was for calls specifically about Google Assistant, not the Gmail account he was being asked about. So Mitrovic asked the caller to send him an email.

“He politely says he’ll do it and asks for a minute,” Mitrovic continues. “In the background, I can hear someone typing… A few moments later, the email arrives, and at first glance, it looks legitimate.”

But it’s not. When Mitrovic noticed that the address wasn’t from a Google domain, the caller said, “Hello.”

“I ignored it… then about 10 seconds later [the voice] said, ‘Hello,’” Mitrovic says, at which point the security expert hung up. “At that point [I realized it was] an AI voice because the pronunciation and spacing were too perfect.”

“The scams are becoming more sophisticated, more convincing, and more widespread,” Mitrovic warns.

For anyone hoping to avoid being caught out, he notes that there were several clues, starting with the account recovery notifications that he didn’t initiate. He also notes that Google doesn’t call Gmail users unless they also have a Google Business profile.

Spoofing a phone number and email address is scary enough, but the fact that the entire call was an AI voice is sobering. Ironically, this may mean that scammers will hire fewer people in the future, but it also means that hundreds or thousands of these calls could be made at once.

However, beyond the AI aspect, spoofing phone numbers and phishing calls are nothing new. For example, scammers have previously posed as Apple support staff.
