Gmail Account Takeover: Super Realistic AI Scam Call

This is a story of a super realistic AI scam call that could trick a vast number of people.

Don’t be one of them.

Read on.

The Scam: How It Works

Recently I received a notification to approve a Gmail account recovery attempt.

The request originated from the United States.

I denied the request and about 40 minutes later received a missed call. The missed call showed caller ID as Google Sydney.

I soon forgot about this.

*****

Exactly a week later, at more or less the same time, I received another notification to approve my Gmail account recovery, again from the United States.

You guessed it – about 40 minutes later I receive a call, which I pick up this time.

It’s an American voice, very polite and professional. The number is Australian.

He introduces himself and says that there is suspicious activity on my account.

He asks if I’m travelling; when I say no, he asks if I logged in from Germany, to which I reply no.

He says that someone has had access to my account for a week and that they have downloaded the account data (I then get a flashback of the recovery notification a week before).

In the meantime, I Google the phone number, which leads me to official Google documentation.

[image: the phone number as listed in Google’s documentation]

The number seems legit, although I’m aware just how easy it is to spoof caller ID.

Then I ask him to send me an email. He politely says he will do so and to give him a moment.

In the background, I can hear someone typing on the keyboard and throughout the call there is some background noise reminiscent of a call centre.

He tells me that he has sent the email. After a few moments, the email arrives and at first glance it looks legit – the sender is from a Google domain.

[image: the email as received, showing the Google sender address]

However, spoofing a sender address is also easy, and I notice that the To field contains an email address cleverly named GoogleMail at InternalCaseTracking dot com (a non-Google domain).

The caller said Hello; I ignored it, and about 10 seconds later he said Hello again. At this point I realised it was an AI voice, as the pronunciation and spacing were too perfect.

I was in the car at this point, parked.

I hung up and drove home to do some more digging.

At that moment it struck me – if it was really an AI call, I could have “reprogrammed” it and prompted it to sing me a song, etc.

I called back but it went to voicemail along the lines of: This is Google Maps, we are currently unable to take your call…

Alas, maybe next time.

*****

At home, I checked the sign-in activity [sidebar: you can do this by clicking on your Gmail profile photo in the top right corner, then Manage your Google Account, then Security in the left-hand menu, and looking under the Recent security activity subheading].

The only sign-in sessions were my own.

Then I looked at the email headers [sidebar: open the email, click the three dots in the top right corner, then Show original].

[image: email headers, part 1]
[image: email headers, part 2]
[image: email headers, part 3]

The headers showed how they spoofed the sender address: they are using Salesforce CRM, which allows you to set the sender to whatever you like and sends the message via Gmail/Google servers.
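The To field mismatch noticed earlier and the header inspection here are the same kind of check: does the visible From address agree with every other place the sender shows up (Return-Path, Reply-To, the recipients, and the SPF/DKIM results the receiving server recorded)? The script below automates that comparison on a Show original dump. It is an added example and not code from the post; the only detail taken from the post is the non-Google To address at internalcasetracking.com, and the two sample messages, their server names, IP address and header values are constructed assumptions.

```python
"""Header-consistency check for a suspicious 'from Google' e-mail.

Added example, not code from the original post. Sample messages, server
names and IP address below are constructed; only the internalcasetracking.com
recipient domain comes from the post.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Domains you would accept for a genuine Google account mail (assumption).
TRUSTED_DOMAINS = {"google.com", "accounts.google.com", "gmail.com"}

# Constructed sample: visible From is google.com, but the envelope sender,
# Reply-To and the To: address all point elsewhere.
SUSPICIOUS_RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.10])
        by mx.google.com with ESMTPS id abc123
Authentication-Results: mx.google.com;
       spf=pass smtp.mailfrom=bounce@mailer.example.net;
       dkim=pass header.i=@mailer.example.net
From: Google <no-reply@google.com>
To: GoogleMail <googlemail@internalcasetracking.com>
Reply-To: Case Team <cases@internalcasetracking.com>
Subject: Suspicious activity on your account

Hello,
"""

# Constructed sample whose headers do line up.
CONSISTENT_RAW = """\
Return-Path: <no-reply@accounts.google.com>
Authentication-Results: mx.google.com;
       spf=pass smtp.mailfrom=no-reply@accounts.google.com;
       dkim=pass header.i=@accounts.google.com
From: Google <no-reply@accounts.google.com>
To: me@gmail.com
Subject: Security alert

Hello,
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of a single address header value ('' if none)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def aligned(d1: str, d2: str) -> bool:
    """Relaxed alignment: equal, or one is a subdomain of the other.
    Simplification of DMARC's organisational-domain rule (assumption)."""
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)


def analyse_headers(raw: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Compare the visible From: domain with every other place the sender
    appears and return the mismatches found."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    findings = []

    # 1. A mail about *your* account should be addressed to you, not to a
    #    look-alike mailbox on some other domain.
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        rcpt_domain = addr.rpartition("@")[2].lower()
        if rcpt_domain not in trusted:
            findings.append(f"recipient {addr} is on untrusted domain {rcpt_domain}")

    # 2. Reply-To steering replies away from the From: domain.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and not aligned(reply_domain, from_domain):
        findings.append(f"Reply-To domain {reply_domain} != From domain {from_domain}")

    # 3. Envelope sender (Return-Path), written by the receiving server.
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and not aligned(rp_domain, from_domain):
        findings.append(f"Return-Path domain {rp_domain} != From domain {from_domain}")

    # 4. SPF/DKIM can 'pass' for the sending service's own domain while the
    #    From: header says something else. Unfold the header first (the
    #    default parser keeps the line breaks of folded headers).
    auth = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split())
    m = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", auth)
    if m and not aligned(m.group(1).lower(), from_domain):
        findings.append(f"SPF authenticated {m.group(1)}, not From domain {from_domain}")
    m = re.search(r"header\.(?:i|d)=@?([^\s;]+)", auth)
    if m and not aligned(m.group(1).lower(), from_domain):
        findings.append(f"DKIM signed by {m.group(1)}, not From domain {from_domain}")

    return {
        "from_domain": from_domain,
        "findings": findings,
        "verdict": "suspicious" if findings else "consistent",
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("consistent", CONSISTENT_RAW)):
        result = analyse_headers(raw)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Paste the text from Show original into `analyse_headers` to run it on a real message. The point of check 4 is the one that catches bulk-mail services used this way: spf=pass and dkim=pass are genuine, but they vouch for the service's own domain, not for the google.com address shown in the From field, which is exactly the mismatch DMARC alignment is meant to expose.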

Someone Got Tricked

After further digging, I came across this comment on Reddit (describing a similar email to the one I received).

[image: Reddit comment describing a similar email]

Unfortunately, while doing a reverse phone number search I came across a person who thought it was a genuine call from Google (of course, the comment could have been made by the scammers themselves).

[image: Reverse Australia lookup result for the number]

Recap

If I had stayed on the call long enough, I believe the next step would have been to approve the account recovery notification. After that, they would have gained control of the account.

Here is a recap of the call:

  1. The caller seemed legit (courteous, professional, super realistic American AI voice).
  2. The phone number seemed legit.
  3. The email seemed legit.

However, there were a few giveaways that this was an account takeover attempt including:

  1. I received account recovery notifications which I didn’t initiate.
  2. Google doesn’t call Gmail users unless you have a Google Business Profile connected.
  3. The email contained a To email address not connected to a Google domain.
  4. There were no other active sessions on my Google account apart from my own.
  5. Email headers showed how the email was spoofed.
  6. Reverse number search showed others who received the same scam call.

Despite many red flags upon closer inspection, this call seemed legitimate enough to trick many people. My guess is that their conversion rate from calls answered would be relatively high.

Takeaway

The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale.

People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it.

There are many tools to fight the scammers; however, at an individual level the best tool is still vigilance: doing the basic checks described above, or seeking assistance from someone you trust.
