Sam Metrovich, a Solutions Consultant at Microsoft, issued a security warning after nearly falling victim to what he described as a “hyper-realistic AI-powered scam call” capable of deceiving even the most experienced users, according to a Forbes report.
The story began a week before Metrovich realized the complexity of the attack targeting him. He wrote a blog post warning Gmail users about a threat that begins with a message stating, “I received a notification approving the recovery of my Gmail account.”
The approach starting with a warning about account recovery or the need to reset a password is a well-known scam tactic, aimed at driving users to a fake page where they enter their login credentials, which are then stolen.
Unsurprisingly, Metrovich didn’t fall for this trap and ignored the notification that appeared to come from the United States. However, what Metrovich didn’t notice was a missed phone call about 40 minutes after the notification, which showed up as being from Google in Sydney, Australia.
So far, this seems simple and easy to avoid. But exactly a week later, the unexpected began when Metrovich received another account recovery notification, followed by a phone call 40 minutes later. This time, Metrovich didn’t miss the call but answered it. On the other end was a voice that sounded American, claiming to be from Google support, confirming suspicious activity on the Gmail account. Metrovich said, “He asked if I was traveling, and when I said no, he asked if I had logged in from Germany, to which I also said no.” All of this was to build trust in the caller and instill fear in the person receiving the call.
At this point, things took a malicious turn. The caller (the fake Google support employee) informed Metrovich that a hacker had accessed his Gmail account 7 days ago (the period when he received the first notification) and had downloaded the account data. This set off alarm bells for Metrovich, as he remembered the notification and missed call from the previous week.
Metrovich rushed to Google’s search engine and typed the phone number that called him into the search box. He discovered that this number did indeed lead to pages related to Google. This alone is a clever tactic likely to deceive many uninformed users, as it wasn’t Google’s support number but rather a number related to receiving calls from Google Assistant.
How did Metrovich handle the scam call?
Metrovich asked the alleged person to send a confirmation via email to verify the authenticity of the matter. What happened next?
The email actually arrived from a Google domain and appeared genuine at first glance. However, at this point, he noticed that a certain field contained a cleverly hidden address that wasn’t from a Google domain but could fool people without technical expertise. What made Metrovich suspect the call was when the caller said hello, and after no response, said hello again. Metrovich said, “At this point, I realized it was an AI voice because the pronunciation and spacing were too perfect.”
It’s almost certain that the attacker wanted to reach the account recovery stage, set a new password, and then take control of the account. It’s also likely that some form of malware was used to steal session cookies to bypass two-factor authentication if it was enabled.
Protection from scam calls
AI-based deep fakes are being used to hack accounts in unexpected ways, as in this case. To avoid these attacks, remain calm if someone claiming to be from Google support contacts you. Google support never calls users, so this is immediately a big red flag.
In these situations, no harm will come to you if you hang up the phone. You can search for the calling phone number and find out where it came from.
Check your Gmail activity to see if any devices other than yours are using the account. Most importantly, don’t rush to react spontaneously, regardless of how urgent the conversation seems. This sense of urgency is what attackers rely on to alter your natural good judgment and make you click on a link or provide your credentials.
Related
Discover more from Comprehensive Product Reviews: Your Trusted Source
Subscribe to get the latest posts sent to your email.