Don’t Fall for This ‘New’ Google AI Scam

Tech headlines are abuzz this morning about a new artificial intelligence scam targeting Google users. Forbes published an article detailing two scammer cases, both of which likely involved AI-generated phone calls and multi-step schemes. Here’s the thing, though: these scams aren’t necessarily “new” and you should be wary of them, whether the attacker claims to be from Google or not.

Beware of Google Account Scams

The Forbes report cites two specific but similar examples of this type of scam. One victim, Microsoft’s Sam Mitrovic, was alerted to an account recovery request, which, when legitimate, is typically triggered when someone forgets their password. Since unprompted account recovery requests are often malicious, Mitrovic ignored the warning, but just 40 minutes later he received a call from “Google Support.” Mitrovic ignored this call too, but soon after received another warning, again followed by a call from “Google Support” 40 minutes later.

This time Mitrovic answered and found himself speaking to a “representative” with an American accent, who asked whether Mitrovic had recently traveled, specifically to Germany. He had not, which led the representative to warn him that someone had been accessing his account from Germany within the last seven days and had already downloaded data from it. Mitrovic even Googled the phone number that “Google Support” was calling from and found that it appeared on an official Google support page. At first glance you might think this confirms the caller really was Google’s help desk, but read the page more closely and you’ll see that this is the number Google Assistant uses to call businesses, not a Google help desk number. It was, after all, a scam.

Another Forbes example involves Garry Tan, the founder of Y Combinator, who reports that he was targeted by a similar scam. Tan also received a call from “Google Support,” this time claiming that they had Tan’s death certificate and that a family member was trying to use it to access his account. “Google Support” was supposedly calling to confirm that Tan was alive and to send an account recovery request that Tan could use to “verify” that his account was active. This last point is the real scam: Tan notes that the account recovery request was definitely fraudulent because the “device” field in the request showed exactly what “Google Support” had claimed it would, rather than a real device name. Someone had tampered with this field, and if Tan had clicked “Yes, it’s me” when prompted, the attacker could have reset the password on Tan’s Google account.


Although it cannot be confirmed, it appears that the phone calls in both cases were made using artificial intelligence. Mitrovic and Tan both say the voices were convincing, but in Mitrovic’s case the “caller” said “hello” and, after getting no answer, repeated “hello” in exactly the same manner. This, combined with the perfect pronunciation and spacing, convinced Mitrovic that the voice was artificial; both are telltale signs of AI-generated audio.

In practice, this scam is nothing new.

While there is a lot of buzz about this new type of AI scam, the basic tactics are pretty classic. You can protect yourself by knowing what to watch out for, whether attackers are using AI or not.

First, big tech companies like Google don’t just suddenly call you to warn you about a potential breach of your account. In fact, Google and companies like it are notorious for their lack of human support in general. If you can’t reach a real person when you actually need help, there’s no chance a Google representative will reach out to you first. So whether it’s a convincing AI voice on the other end of the line or a rather bad human actor pretending to be a live Google representative, a call claiming to be from such a company should be a big enough red flag to ignore it.

Then there’s the account recovery request. This is a textbook scam technique: trigger an account recovery alert on the user’s end and convince them that accepting it means they are confirming their identity. That is simply not what the system is designed for, and attackers are counting on you not knowing that. Account recovery requests are meant to be initiated by you, whenever you are otherwise unable to access your account, for instance because someone really has hacked it. You report this to Google, and Google sends an account recovery request to the recovery email address you provided. You open that email, click “Yes, it’s me,” and continue with the account recovery process. No one else is involved, and the request is not used for any other purpose.

Hackers, however, will pose as Google support staff and claim that this account recovery request is just a way to verify your identity or that your account is active. In reality, when you click the “Yes, it’s me” button, you complete the account recovery process on their end. They can then get into your account, potentially lock you out, and steal your information.

Bottom line: If you didn’t trigger the account recovery alert yourself, it’s not legitimate. Don’t click on it.
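To make the mechanism above concrete, here is a small Python model of a recovery prompt, added for this article; it is not Google’s code, and the class names, session labels, and the free-text “device” field are assumptions. It shows the one property the scam depends on: the password-reset capability goes to whoever *initiated* the recovery request, not to whoever clicks “Yes, it’s me,” and it includes the defender-side rule of approving only a request your own device started.

```python
"""Toy model of the account-recovery prompt abused in the scam above.

Added example, not part of the original article and not Google's
implementation. Class names, session labels and the 'claimed_device'
field are assumptions used to show who ends up holding the reset token.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class RecoveryRequest:
    request_id: str
    account: str
    initiator_session: str   # whoever started the flow receives the reset token
    claimed_device: str      # free-text label shown in the prompt (assumed attacker-influenced)
    approved: bool = False


@dataclass
class RecoveryService:
    """Server side: keeps pending requests and issues reset tokens on approval."""
    requests: dict = field(default_factory=dict)
    reset_tokens: dict = field(default_factory=dict)  # initiator_session -> token

    def start_recovery(self, account, session, claimed_device):
        req = RecoveryRequest(secrets.token_hex(8), account, session, claimed_device)
        self.requests[req.request_id] = req
        return req  # the "Yes, it's me" prompt sent to the owner is derived from this

    def prompt_text(self, request_id):
        req = self.requests[request_id]
        return f"Someone is trying to recover {req.account} from '{req.claimed_device}'. Yes, it's me?"

    def approve(self, request_id):
        req = self.requests[request_id]
        req.approved = True
        # The token is bound to the initiator, not to the party that clicked approve.
        self.reset_tokens[req.initiator_session] = secrets.token_urlsafe(16)
        return req.initiator_session


@dataclass
class OwnerClient:
    """Account owner's device: remembers which recovery flows it started itself."""
    session: str
    started: set = field(default_factory=set)

    def start_recovery(self, service, account, device_label):
        req = service.start_recovery(account, self.session, device_label)
        self.started.add(req.request_id)
        return req

    def decide(self, req):
        # The article's rule: only approve a recovery request you triggered yourself.
        return "approve" if req.request_id in self.started else "reject_unsolicited"


def legitimate_flow():
    """Owner starts recovery on their own device and approves it: token goes to owner."""
    svc, owner = RecoveryService(), OwnerClient("owner-session")
    req = owner.start_recovery(svc, "victim@example.com", "Owner's laptop")  # constructed sample
    decision = owner.decide(req)
    holder = svc.approve(req.request_id) if decision == "approve" else None
    return decision, holder, sorted(svc.reset_tokens)


def scam_flow(owner_clicks_yes):
    """Attacker starts recovery with a device label that matches their phone story."""
    svc, owner = RecoveryService(), OwnerClient("owner-session")
    req = svc.start_recovery("victim@example.com", "attacker-session",
                             claimed_device="Google Support")  # constructed sample
    decision = owner.decide(req)  # this client never started the request
    holder = None
    if owner_clicks_yes:
        # The victim ignores the rule and clicks "Yes, it's me" during the call.
        holder = svc.approve(req.request_id)
    return decision, holder, sorted(svc.reset_tokens)


if __name__ == "__main__":
    svc = RecoveryService()
    r = svc.start_recovery("victim@example.com", "attacker-session", "Google Support")
    print(svc.prompt_text(r.request_id))
    print("legitimate:", legitimate_flow())
    print("scam, victim clicks yes:", scam_flow(True))
    print("scam, victim ignores prompt:", scam_flow(False))
```

The `prompt_text` line is the part worth staring at: the device label in the prompt is whatever the initiator supplied, so a caller who also controls that label can make the prompt agree with their story. The only reliable check the owner has is whether they started the flow themselves.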

If you are afraid of being hacked

If you receive a phone call or message like this, it is most likely an attacker looking for a phishing victim. Without your participation they will simply move on to someone else. Still, it’s a good idea to take a few steps to make sure your account is actually protected.

For Google specifically, you can go to your Google Account security settings page to view a dashboard of your account’s security status. Here you’ll see all your active sessions, any security alerts Google wants you to review, and settings for things like two-factor authentication, passwords, passkeys, recovery email addresses, and phone numbers, among other things.

If you’re concerned about the current security level of your account, take a look at your active sessions: these are the devices where you’re currently logged in. If you don’t recognize a device or location, you can click on it and sign that session out of your account. Just know that if you use a VPN or Apple’s iCloud Private Relay, you may see sessions from unknown locations on your own trusted devices, because these services hide where your actual internet traffic is coming from.

It’s also a good idea to change your password from time to time and make sure you’re using two-factor authentication (2FA). This way, if an attacker finds out your password, there is an additional authentication step that requires a trusted device, which the attacker most likely does not have. Also consider setting up passkeys, which combine the best of both worlds: passwords and 2FA.

After all, the attackers using these scams cannot hack your account themselves—that’s why they target you. They need you to click their malicious links or authenticate on their behalf. If your password is strong and you have other forms of authentication as a backup, the best way to avoid falling victim to this type of scam is simply to ignore them.
