New AI Spoofing Scam Targets Millions of Gmail Users—Here's How to Be Safe

A new scam is making its way through the Gmail ecosystem, using AI-powered tools to trick users into handing over access to their accounts. Security expert Sam Mitrovic, founder of CloudJoy, recently shared his experience with the scam, shedding light on how sophisticated these tactics have become.

With Gmail serving over 2.5 billion users worldwide, these attacks highlight the growing threat of AI-driven scams aimed at digital accounts.

How the Scam Works

The scam starts with a Gmail recovery notification that appears legitimate but wasn't initiated by the user. In Mitrovic's case, the recovery request originated from another country-one he had no association with. Declining the request, however, didn't put an end to the scam. About 40 minutes later, Mitrovic received a phone call that appeared to come from an official Google number.

The caller, posing as a Google representative, mentioned suspicious overseas activity on the account and claimed that sensitive data had been accessed. This tactic raises alarm and often convinces users that their account is at risk. To build further credibility, the scammer followed up with an email that appeared to come from a Google domain. Their goal is to persuade the target to approve the recovery request, giving the attackers complete access to the Gmail account.

How Hackers Use AI to Enhance Spoofing Attempts

What makes this scam particularly dangerous is the use of AI to simulate realistic conversations. As Mitrovic pointed out, the voice on the other end of the call was polite, professional, and highly convincing-mimicking how a legitimate Google support call might sound. The caller ID even matched a phone number listed on Google's support page, making it difficult for users to detect the deception.

In a follow-up attempt, the scammer reached out again using the same recovery request tactic and another call that appeared to originate from "Google Sydney." These multiple, well-timed efforts showcase how scammers leverage AI-powered tools and spoofing techniques to create a sense of urgency and trust.

How to Protect Your Gmail Account

While the scam is difficult to spot, there are several ways Gmail users can protect their accounts from these deceptive tactics:

• Ignore Recovery Requests You Didn't Initiate: If you receive a recovery notification you weren't expecting, don't approve it. This is the first sign that your account may be targeted.
• Verify Suspicious Calls: Google rarely contacts users via phone unless it relates to a Google Business account. Hang up if you receive a suspicious call and verify the number independently using tools like Truecaller.
• Inspect Email Details Carefully: Emails that appear to be from Google might still be spoofed. Check the sender's address closely and look for any inconsistencies in the domain or "To" field.
• Monitor Your Account Activity: Regularly check your Gmail security settings and activity logs for unfamiliar logins. You can do this by navigating to "Manage Your Google Account" and selecting the "Security" tab.
• Enable Two-Factor Authentication (2FA): Adding an extra layer of security with 2FA makes it harder for attackers to gain unauthorized access, even if they have your password.

Stay Alert, Stay Secure

By staying vigilant and following these protective measures, you can significantly reduce the risk of falling victim to this AI-based phishing scam. Remember, caution is key. Double-check any unusual activity on your account and don't hesitate to contact Google directly if unsure about a communication.