New AI scam targets Gmail users with fake account recovery requests

A sophisticated AI scam targeting Gmail users has emerged, tricking individuals into approving fake account recovery requests to steal personal data. IT consultant Sam Mitrovic shares his encounter with this scam, detailing the deceptive tactics used to gain access to users' information.

In Short

• AI-based scam targets Gmail users through fake account recovery requests
• Scammers use professional-sounding AI voices and fake emails
• Gmail users can stay safe by denying unexpected recovery requests

A new and sophisticated scam has been targeting Gmail users, aiming to steal personal data by tricking people into approving fake account recovery requests. IT consultant and tech blogger Sam Mitrovic recently shared his experience of the scam in a detailed blog post, highlighting how easily users could fall for this clever AI-based deception.

How the Scam Works

The scam begins with an unexpected notification on your phone or email, asking you to approve a Gmail account recovery request that you never initiated. The recovery request often originates from a different country, in Mitrovic’s case, the United States. If you decline the request, as Mitrovic did, the scammers make a second move about 40 minutes later—a phone call from what appears to be an official Google number.

The call, as reported by Mitrovic, is extremely convincing. The caller uses a professional, polite, American-sounding voice and informs the target about suspicious activity on their Gmail account. They might ask if you have logged in from a foreign country, raising alarm and making the user more likely to believe them. The number displayed as the caller ID might even appear to be from a Google office, further enhancing the scam’s legitimacy.

Once the scammer has the user’s attention, they claim that someone has accessed the account and downloaded sensitive information. They often follow up by sending an email that appears to be from Google but is actually a spoofed email designed to look legitimate. The goal is to convince the victim to approve the account recovery request, which would give the scammers full access to their Gmail account.

How Gmail Users Can Protect Themselves

Mitrovic emphasizes the importance of vigilance in protecting against this scam. Here are a few steps Gmail users can take to stay safe:
Do not approve recovery requests you did not initiate: If you receive a recovery notification out of the blue, do not approve it. This is the first sign that your account might be targeted.

Verify phone calls claiming to be from Google: Google rarely calls users directly unless you are involved with Google Business services. If you receive a suspicious call, hang up and verify the phone number before engaging.

Check email addresses carefully: Spoofed emails can look like they are from Google, but small details such as the “To” field or domain name can give away that they are fake.

Review recent security activity: Regularly check your Gmail account’s security settings and review the recent activity for any unfamiliar logins. This can be done by going to your Gmail account settings and clicking on the “Security” tab.

Inspect email headers: For more tech-savvy users, checking the original email headers can reveal whether an email was sent from a legitimate Google server or not.

By following these steps and staying alert, Gmail users can protect themselves from this growing AI-based scam. The key takeaway is to be cautious and double-check any unusual activity on your account.