Arthur T Knackerbracket has processed the following story:
As exciting as genAI software might be, it also has side effects that we all need to be aware of. Since AI programs also offer human-like voice modes, it might be easy to have one of these AI models make calls for nefarious purposes.
One such scenario involves an AI impersonating a “very polite and professional” Google representative calling you from a spoofed number. The call is part of a hacker’s attempt to take over your Gmail account. The hack also involves creating fake Gmail recovery emails and fake support emails meant to further convince the victim they’re the target of an ongoing attack.
You might avoid falling prey to the attack if you’re tech-savvy enough. But unsuspecting Gmail users afraid that their account is in danger might end up giving the hacker their password by eventually “verifying” their Gmail account on a fraudulent site.
Sam Mitrovic was one of the targets of a Gmail account takeover hack. Luckily for him, he’s an experienced IT engineer who knew what to look for when prompted with the “evidence” that his account was in danger. He detailed his experience on his blog (via PCMag), explaining the simple steps you should take to reduce the risk of falling for the scam.
Initially, the engineer received a notification to approve a Gmail account recovery attempt that he ignored. Some 40 minutes later, he had a missed call with a “Google Sydney” caller ID.
Exactly a week later, the same thing happened. This was when he decided to pick up the call without realizing he might be talking to an AI made to sound like a human:
It’s an American voice, very polite and professional. The number is Australian.
He introduces himself and says that there is suspicious activity on my account.
He asks if I’m travelling, when I said no, he asks if I logged in from Germany to which I reply no.
He says that someone has had access to my account for a week and that they have downloaded the account data (I then get a flashback of the recovery notification a week before).
Tech-savvy or not, I’m sure this is the step when panic starts creeping in. Mitrovic asked the Google support person to send him an email. The voice said he would:
In the background, I can hear someone typing on the keyboard and throughout the call there is some background noise reminiscent of a call centre.
He tells me that he has sent the email. After a few moments, the email arrives and at a first glance the email looks legit – the sender is from a Google domain.
Thankfully for the IT specialist, he was careful enough to start checking things. While the phone number seemed legit, the email domain looked suspicious. It did not come from a Google server. That’s when he realized he must have been talking to an AI:
[...] The point of the whole thing is for the victim to eventually trust the Google rep and agree to verify their account. They would have probably clicked on a link taking them to a Google-like website. But it would have been a scam website meant to grab the password associated with the email account.
The engineer explains the “giveaways” that he was the target of a Gmail account takeover:
- I received account recovery notifications which I didn't initiate.
- Google doesn't call Gmail users if you don't have Google Business Profile connected.
- The email contained a To email address not connected to a Google domain.
- There were no other active sessions on my Google account apart from my own.
- Email headers showed how the email was spoofed.
- Reverse number search showed others who received the same scam call.
(Score: 3, Touché) by Anonymous Coward on Wednesday October 23, @02:30AM (3 children)
You can hang up at that point.
Google would never call you because you aren't their customer.
(Score: 2, Insightful) by Anonymous Coward on Wednesday October 23, @02:34AM (1 child)
That's like the farmer contacting one of his pigs... 😉
That said, if they're calling you should tell them to hold on for a moment (and just leave them on the line). Maybe you can tie up some capacity.
(Score: 0, Troll) by shrewdsheep on Wednesday October 23, @08:55AM
Right, you are the product not the customer. So why should a company call it's products? Well, that's easy: your product has to be briefed about dinner (https://philosophy.stackexchange.com/questions/15675/what-are-the-moral-consequences-of-a-douglas-adams-cow).
(Score: 2, Interesting) by Anonymous Coward on Wednesday October 23, @03:52AM
> Google would never call you because you aren't their customer.
As hinted at in tfa, Google does call *prospective* customers. I own a small business and they called (and sent snail mail cards too) to try and sign me up to buy various Google advert and other business services.
When they did call, they never said anything that sounded like the fraud described in tfa.