Scams aren’t what they used to be, folks. They’re no longer confined to poorly written emails from a so-called “Nigerian prince” looking to transfer his fortune. Welcome to 2024, where hackers have leveled up big time, and artificial intelligence (AI) is now their new tool of choice. AI-powered scam calls are so advanced that even tech experts like Sam Mitrovic, founder of CloudJoy and a seasoned Microsoft security pro, nearly got duped. So, if you think you’re too savvy to fall for a scam, think again.

The AI scam call that almost fooled an expert

In a blog post, Mitrovic recounted how he narrowly avoided losing his Gmail account in an attack that reads like something out of a Hollywood thriller. It all started with an innocent notification for a Gmail account recovery. He ignored it, as most of us would, but later he got a missed call from “Google Sydney.”

Fast forward a week — another recovery notification, followed by another call, this time from an American voice claiming to be from Google Support. He was “very polite and professional,” Mitrovic recalled. The caller asked if Mitrovic had been traveling or logged in from Germany, which he hadn’t. Then came the scare tactic: the AI voice told him that someone had been in his account for a week, downloading data.

At this point, Mitrovic got suspicious and Googled the phone number while still on the call. Lo and behold, it led to official Google documentation, making the whole thing look even more legit. But after further digging and a closer look at the email headers, Mitrovic realized it was all a scam powered by AI and bolstered by clever email spoofing.

Mitrovic’s quick thinking saved him, but many others aren’t as lucky.

AI-generated voices are the new face of phishing

Let’s pause here for a moment: AI voices. You’ve probably interacted with them before, but they’re getting better — creepily better. Garry Tan, President and CEO of Y Combinator, also raised the alarm about AI-powered phishing scams. “DO NOT CLICK YES ON THIS DIALOG,” he warned his followers on X, adding that the scam involved an AI voice claiming to check if a family member had filed a death certificate. The attacker’s goal? Get you to approve a Gmail password recovery request. The clever part? The scam is timed to hit right after you’ve denied an access request, making it seem like the voice on the other end is genuinely from Google.


And Tan isn’t alone. One user on X wrote, “I almost fell for this today. If that was an AI voice, we are truly screwed.” The scary part is, some people can’t even tell the difference between AI and human voices anymore.

Email spoofing and caller ID manipulation

If the AI voice wasn’t enough, scammers are also getting more sophisticated with email spoofing. Sam Mitrovic discovered that the scam email he received, which appeared to come from Google, was actually sent from a cleverly disguised address: GoogleMail@InternalCaseTracking dot com, which is not an official Google domain.

This tactic has fooled countless users, as attackers can make emails appear as though they are coming from official sources. And it’s not just emails. Scammers can spoof Caller ID too, making it look like Google is calling when, in fact, it’s someone with malicious intent. One Redditor shared that a scammer called from a number nearly identical to Google’s corporate number — just a single digit off.

Commenting on Garry Tan’s X post, Rob Hamilton, cofounder and CEO of AnchorWatch, pointed out that scammers are even using Google Forms to make their phishing emails look more legitimate. By sending the form through Google’s servers, the email appears to be coming from a real Google domain. And with AI’s ability to analyze and manipulate language, these scams are only getting more convincing.

AI isn’t just a problem, it’s also the solution

While hackers are leveraging AI to launch more sophisticated attacks, it’s also AI that will help protect us. Google is already stepping up its game by launching initiatives like the Global Signal Exchange, a collaboration with the Global Anti-Scam Alliance and the DNS Research Federation. The aim? Share real-time intelligence on cybercrime signals to disrupt scammers on a global scale. Google’s AI is also working overtime to detect patterns and block phishing attempts before they even hit your inbox.

Amanda Storey, Google’s senior director of trust and safety, says that their goal is to fight scammers on a scale as massive as the internet itself. “The goal is to create a user-friendly, efficient solution that operates at an internet-scale,” Storey explained. The Global Signal Exchange already tracks millions of scam signals, and Google is constantly feeding it data from various parts of its ecosystem.

What you can do to protect yourself

With all the sophisticated tools at a scammer’s disposal, what can you do? The answer, ironically, is pretty simple: stay vigilant. Here’s a quick checklist:

  • Verify before you act: Don’t approve account recovery requests unless you initiated them.
  • Check the details: Inspect the email headers and the sender’s domain name. If something seems off, it probably is.
  • Don’t trust caller ID: Just because it says “Google” doesn’t mean it’s actually Google.
  • Use Google’s Advanced Protection Program: This offers extra layers of security, including hardware security keys and passkeys that make it harder for scammers to take over your account.
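
To make the “check the details” step concrete, here is an added example (not from the original article or from Google) that reads a message’s From and Authentication-Results headers and flags a Google-branded sender on a non-Google domain. The trusted-domain list, the brand words, the `make` helper and the three sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: which domains count as Google, which words claim the brand.
TRUSTED_DOMAINS = {"google.com"}
BRAND_WORDS = ("google", "gmail")

def auth_verdicts(msg):
    """Read spf/dkim/dmarc results from Authentication-Results.
    Only meaningful when the header was added by your own mail provider."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part)
            if m:
                verdicts.setdefault(m.group(1), m.group(2).lower())
    return verdicts

def check_sender(raw):
    """Return a list of findings for one raw message; empty means nothing flagged."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    trusted = any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)
    findings = []
    # Display name or mailbox says "Google" but the domain is someone else's.
    if any(w in f"{name} {local}".lower() for w in BRAND_WORDS) and not trusted:
        findings.append(f"brand-mismatch:{domain}")
    verdicts = auth_verdicts(msg)
    findings += [f"{m}-not-pass" for m in ("spf", "dkim", "dmarc") if verdicts.get(m) != "pass"]
    return findings

def make(from_hdr, auth):  # builds a constructed sample message
    return f"From: {from_hdr}\nAuthentication-Results: mx.example.net; {auth}\nSubject: Account recovery\n\nbody\n"

# Constructed samples. LOOKALIKE uses the address the article describes; it
# authenticates cleanly for its own domain, so only the domain check catches it.
LOOKALIKE = make('"Google Support" <GoogleMail@InternalCaseTracking.com>', "spf=pass; dkim=pass; dmarc=pass")
# A message relayed through Google's own servers (the Google Forms case) looks like this.
VIA_GOOGLE = make('"Google" <noreply@google.com>', "spf=pass; dkim=pass; dmarc=pass")
FORGED = make('"Google" <noreply@accounts.google.com>', "spf=softfail; dkim=none; dmarc=fail")

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("via-google", VIA_GOOGLE), ("forged", FORGED)):
        print(label, check_sender(raw) or "no sender findings (content can still be a scam)")
```

The second sample returns no findings, which is why a clean sender check is not proof of legitimacy: a message sent through Google’s servers passes every header test, so an unrequested recovery prompt still should not be approved.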

Sure, scammers are getting smarter, but they’re not unbeatable. The key is to stay informed and skeptical. After all, if a Microsoft security expert like Sam Mitrovic almost fell for it, the rest of us need to be on high alert.

These scams are clever, no doubt. But you’re cleverer. Scammers might have sophisticated AI voices, but they still rely on human error to succeed. As these attacks become more frequent and advanced, we must keep our wits about us and use the tools at our disposal to fight back. Stay vigilant, do your research, and always question what seems too good — or too legit — to be true.

Featured image: Dimitri Karastelev / Unsplash

Hillary Keverenge