Warning for Gmail Users: Beware of Scammers Taking Over Accounts

A security researcher and the CEO of a tech startup have both warned that some Gmail users may fall victim to a sophisticated scam based on artificial intelligence, potentially leading to their accounts being hijacked.

Garry Tan, chief executive officer of the renowned technology venture capital firm Y Combinator, took to social media last weekend to warn of a “quite sophisticated” online phishing scam that uses an AI-generated voice to aid the deception.

In a post dated October 10, he wrote, “You should be aware of a carefully orchestrated online phishing scam using AI voice claiming to be from Google Support (caller ID matches but not verified).”

He further cautioned, “Please do not click ‘yes’ in this chat box—(otherwise) you will be subjected to a phishing attack.”

“They claim to check if you are alive and claim they should ignore a submitted death certificate that claims your family is restoring your account,” Tan continued. “This is a carefully crafted ploy to trick you into allowing password recovery.”

IT consultant Sam Mitrovic wrote in a blog post last month about a similar scam attempt targeting Gmail accounts, also utilizing AI-generated voice.

“These scams are becoming increasingly sophisticated, more convincing, and deployed on a larger scale,” Mitrovic wrote. “People are busy, and this scam sounds legitimate enough, looks legitimate enough—I give them an A for effort. Many people are likely to fall for it.”

Mitrovic said he received a notification requesting approval for the recovery of his Gmail account, but he declined. About 40 minutes later, he received a call with the caller ID showing “Google Sydney,” which he also rejected.

“A whole week later, almost at the same time, I received another notification from the US requesting approval for the recovery of my Gmail account.”

“You guessed it—about 40 minutes later, I answered a call. This time it was an American voice, very polite and professional. The number was from Australia. He introduced himself and said there were suspicious activities on my account.”

The caller then asked Mitrovic if he was traveling, and Mitrovic replied that he was not. The caller then asked if Mitrovic was in Germany, and he again said no.

Mitrovic discovered that the incoming number displayed was an official number listed on the “Google Australia” IT support page. He added that he asked the caller to send a confirmation email, and the sender address seemed to be an official account used by the Google team.

“In the background, I could hear someone typing on a keyboard throughout the call, with some background noise typical of a call center,” Mitrovic wrote. “He told me he had sent an email. A moment later, the email arrived; at first glance, it looked legitimate—the sender was from a Google domain.”

However, the researcher pointed out that email addresses are quite easy to forge, and he noticed that the “To” field included an artfully named email address, “Google mail in InternalCaseTracking.com”, on a non-Google domain.

He remarked that during the subsequent call, he suddenly realized the voice was generated by artificial intelligence, “because the pronunciation and spacing were too perfect.”

Mitrovic ended the call, then called the number back. Shortly after, he received a message stating, “This is Google Maps, we are currently unable to answer your call.”

The researcher noted that he was not the only one who almost fell for the scam, and he found others who said they had also been targeted by similar schemes.