Gmail Account Takeover: Super Realistic AI Scam Call

By Sam Mitrovic

This is a story of a super realistic AI scam call that could trick a vast number of people.

Don’t be one of them.

Read on.

The Scam: How It Works
Recently I received a notification to approve a Gmail account recovery attempt.

The request originated from the United States.

I denied the request and about 40 minutes later received a missed call. The missed call showed caller ID as Google Sydney.

I soon forgot about this.

*****

Exactly a week later, at more or less exactly the same time, I received another notification to approve my Gmail account recovery, again from the United States.

You guessed it – about 40 minutes later I receive a call, which I pick up this time.

It’s an American voice, very polite and professional. The number is Australian.

He introduces himself and says that there is suspicious activity on my account.

He asks if I’m travelling; when I say no, he asks if I logged in from Germany, to which I reply no.

He says that someone has had access to my account for a week and that they have downloaded the account data (I then get a flashback of the recovery notification a week before).

In the meantime, I Google the phone number, which leads me to official Google documentation.

[Image: Google Number]
The number seems legit although I’m aware just how easy it is to spoof the number.

Then I ask him to send me an email. He politely says he will do so and to give him a moment.

In the background, I can hear someone typing on the keyboard and throughout the call there is some background noise reminiscent of a call centre.

He tells me that he has sent the email. After a few moments, the email arrives and at a first glance the email looks legit – the sender is from a Google domain.

[Image: Google Email]
However, again, spoofing an email address is easy, and I notice that the To field contains an email address cleverly named GoogleMail at InternalCaseTracking dot com (a non-Google domain).

The caller said Hello; I ignored it, then about 10 seconds later he said Hello again. At this point I realised it was an AI voice, as the pronunciation and spacing were too perfect.

I was in the car at this point, parked.

I hung up and drove home to do some more digging.

At that moment it struck me – if it was really an AI call, I could have “reprogrammed” it and prompted it to sing me a song etc.

I called back but it went to voicemail along the lines of: This is Google Maps, we are currently unable to take your call…

Alas, maybe next time.

*****

At home, I checked the sign-in activity [sidebar: you can do this by clicking on your Gmail profile photo in the top right corner, then Manage your Google Account, then click Security in the left-hand menu and look under the Recent security activity subheading].

The only login sessions were my own.

Then I looked at the email headers [sidebar: open the email, click the three dots in the top right corner, then Show original].

[Images: Email Header 1, Email Header 2, Email Header 3]
The headers showed how they spoofed the sender email address: they are using Salesforce CRM, which allows you to set the sender to whatever you like and send over Gmail/Google servers.
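One way to automate the header checks described above, using Python's standard email module. This is an added example, not code from the original post; the sample message and every domain in it are constructed for illustration (the addresses and hosts are not from the real email), and the set of expected Google domains is an assumption.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample message (not the email from the post): From on a Google
# domain, To/Reply-To on an unrelated domain, delivery path starting at a CRM relay.
SAMPLE_RAW = """\
Return-Path: <bounce@crm-sender.example>
Received: from mx.google.com (mx.google.com [198.51.100.2]) by mail.recipient.example
Received: from mail.crm-sender.example (mail.crm-sender.example [203.0.113.5]) by mx.google.com
From: Google Account Security <security@google.com>
To: GoogleMail <googlemail@internalcasetracking.example>
Reply-To: <case@internalcasetracking.example>
Subject: Suspicious activity on your account
"""

# Assumption: domains a genuine Google security email would involve.
EXPECTED_DOMAINS = {"google.com", "gmail.com", "googlemail.com"}

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def in_expected(host, expected):
    """True if host is one of the expected domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected)

def check_headers(raw, expected=EXPECTED_DOMAINS):
    """Return a list of red flags found in the headers of a raw message."""
    msg = email.message_from_string(raw)
    flags = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    # Recipient and reply addresses should stay on the claimed sender's domains.
    for name in ("To", "Reply-To"):
        for _, addr in getaddresses(msg.get_all(name, [])):
            if not in_expected(domain_of(addr), expected):
                flags.append(f"{name} uses a non-Google domain: {addr}")
    # A bounce address on another domain points at a bulk-mail/CRM sender.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and domain_of(return_path) != from_domain:
        flags.append(f"Return-Path {return_path} does not match From domain {from_domain}")
    # The bottom-most Received header is the first hop, where the mail originated.
    received = msg.get_all("Received", [])
    if received:
        match = re.search(r"from\s+(\S+)", received[-1])
        if match and not in_expected(match.group(1), expected):
            flags.append(f"Message originated at non-Google relay {match.group(1)}")
    return flags
```

Paste the contents of Gmail's Show original view in place of SAMPLE_RAW to run the same checks on a real message; an empty list means none of these particular red flags were found, not that the message is genuine.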

Someone Got Tricked
After further digging, I came across this comment on Reddit (a similar email to what I received).

[Image: Reddit Comment]
Unfortunately, while doing a reverse phone number search I came across a person who thought it was a genuine call from Google (of course, the comment could have been made by the scammers themselves).

[Image: Reverse Australia]

Recap
If I stayed on the call long enough, I believe the next step would be to approve the account recovery notification. After that, they would have gained control of the account.

Here is a recap of the call:

- The caller seemed legit (courteous, professional, super realistic American AI voice).
- The phone number seemed legit.
- The email seemed legit.

However, there were a few giveaways that this was an account takeover attempt, including:

- I received account recovery notifications which I didn’t initiate.
- Google doesn’t call Gmail users unless you have a Google Business Profile connected.
- The email contained a To address not connected to a Google domain.
- There were no other active sessions on my Google account apart from my own.
- The email headers showed how the email was spoofed.
- A reverse number search showed others who had received the same scam call.

Despite many red flags upon closer inspection, this call seemed legitimate enough to trick many people. My guess is that their conversion rate from calls answered would be relatively high.

Takeaway
The scams are getting increasingly sophisticated and convincing, and they are deployed at ever larger scale.

People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it.

There are many tools to fight the scammers; however, at an individual level the best tool is still vigilance: doing the basic checks as above or seeking assistance from someone you trust.