
New AI scam targets Gmail users with fake account recovery requests

A sophisticated new scam has targeted Gmail users, aiming to steal personal data by tricking people into approving fake account recovery requests. IT consultant and tech blogger Sam Mitrovic recently shared his experience of the scam in a detailed blog post, highlighting how easily users could fall for this clever AI-based deception.

How the scam works

The scam starts with an unexpected notification on your phone or email, asking you to approve a Gmail account recovery request that you never initiated. The recovery request often comes from a different country; in Mitrovic’s case, it was the United States. If you decline the request, as Mitrovic did, the scammers make a second move about 40 minutes later: a phone call from what appears to be an official Google number.

The call, according to Mitrovic, is very convincing. The caller uses a professional, polite, American-sounding voice and informs the target of suspicious activity on their Gmail account. The caller may ask whether you have logged in from a foreign country, which raises alarm and makes the story more believable. The number displayed as caller ID may even appear to come from a Google office, adding to the scam’s apparent legitimacy.

Once the scammer has the user’s attention, they claim that someone has accessed the account and downloaded sensitive information. They often also send an email that appears to be from Google but is actually a spoofed message designed to look legitimate. The goal is to convince the victim to approve the account recovery request, which would give the scammers full access to their Gmail account.

How Gmail users can protect themselves

Mitrovic stresses the importance of vigilance to protect yourself from this scam. Here are some steps Gmail users can take to stay safe:

Don’t approve recovery requests you didn’t initiate: If you receive a recovery notification unexpectedly, don’t approve it. This is the first sign that your account may be targeted.

Verify phone calls claiming to be from Google: Google rarely calls users directly unless you are involved with Google Business services. If you receive a suspicious call, hang up and verify the phone number before engaging any further.

Check email addresses carefully: Spoofed emails may look like they’re from Google, but small details like the “To” field or the domain name can reveal that they’re fake.

Review recent security activity: Regularly check your Gmail account security settings and review recent activity for unknown logins. This can be done by going to your Gmail account settings and clicking on the “Security” tab.

Inspect email headers: For more tech-savvy users, checking the original email headers can reveal whether or not an email was sent from a legitimate Google server.
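The header check in the last step can be scripted. The following is an added example, not code from Mitrovic's post or from Google: it reads the Authentication-Results header that a receiving mail server records and flags a message whose "From" claims Google without a passing DMARC result and a passing DKIM signature from a Google domain. The `TRUSTED` list, both sample messages and the `example.net`/`example.org` hosts are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = ("google.com",)  # assumption: domains accepted as Google's

# Constructed samples (not real messages). The receiving server adds
# Authentication-Results; the sender controls From.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=softfail smtp.mailfrom=mailer.example.org;
 dkim=pass header.i=@mailer.example.org;
 dmarc=fail header.from=google.com
From: Google Support <no-reply@google.com>
"""
GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=accounts.google.com;
 dkim=pass header.i=@accounts.google.com;
 dmarc=pass header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
"""

def is_trusted(domain):
    domain = domain.lower().rstrip(".")
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED)

def check_headers(raw):
    """Return a list of reasons the message should not be trusted."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # get() returns the topmost header, normally the one your own server
    # added; copies further down may have been inserted by the sender.
    results = " ".join((msg.get("Authentication-Results") or "").split())
    findings = []
    if not is_trusted(from_domain):
        findings.append(f"From domain {from_domain!r} is not Google's")
    dmarc = re.search(r"\bdmarc=(\w+)", results)
    if not dmarc or dmarc.group(1).lower() != "pass":
        findings.append("DMARC did not pass")
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.[di]=(?:[^\s;@]*@)?([\w.-]+)", results)
    if not any(r.lower() == "pass" and is_trusted(d) for r, d in dkim):
        findings.append("no passing DKIM signature from a Google domain")
    return findings

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, check_headers(raw))
```

To check a real message, save its original source from the mail client and pass the text to `check_headers`.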

By following these steps and staying alert, Gmail users can protect themselves from this growing AI-based scam. The key is to be cautious and check for any unusual activity on your account.

Posted by: Ankita Chakravarti

October 14, 2024