Monday, February 24, 2025

AI-powered scam targets 2.5 billion Gmail users with sophisticated phishing attacks


Gmail is used by nearly 2.5 billion users worldwide, making it a frequent target for scammers. If you use Gmail, you’ve probably come across phishing emails impersonating popular companies like Microsoft, Google, Apple, and others. These scams are often easy to spot due to suspicious email addresses and other warning signs, such as poor grammar or urgent requests for personal information.

However, there’s a new AI-powered scam making the rounds, and it’s much harder to detect unless you’re very careful. Wondering how these scams work and how you can protect yourself? I’ve got you covered. In this article I share a practical example and provide practical tips to protect your data.


A new AI-powered scam is targeting Gmail users. (Kurt “CyberGuy” Knutsson)

How does this scam work?

Sam Mitrovic, a Microsoft solutions consultant, shared his experience of being the target of an elaborate scam that preyed on Gmail users. He recounted how it all started with a seemingly innocent notification:

“I recently received a notification to approve an attempted recovery of a Gmail account. The request was from the United States. I declined the request and about 40 minutes later I received a missed call; the caller ID was shown as Google Sydney.”

Sam shrugged off the missed call, but exactly a week later the pattern repeated itself. He received another recovery notification for a Gmail account from the US, again followed by a phone call. This time he answered.

“It’s an American voice, very polite and professional. The number is Australian. He introduces himself and says there is suspicious activity on my account. He asks if I’m traveling (sic). When I said no, he asks if I logged in from Germany to which I answer no. He says that someone has had access to my account for a week and that he or she has downloaded the account details (I then get a flashback of the recovery notification a week before).”

Sam quickly Googled the phone number and it appeared in Google’s official documentation. Still skeptical, he asked the caller to send an email for verification. When the email arrived, the sender seemed legitimate at first glance, coming from a Google domain. However, Sam noticed a red flag: the “To” field contained an email address called GoogleMail at InternalCaseTracking dot com. This address does not belong to Google.

When Sam investigated, he discovered that the person on the other end of the line was not human, but AI. This approach is part of a well-known phishing method that aims to get the target to confirm an account recovery or password reset. But when combined with AI calls and email spoofing, this scam becomes particularly dangerous.


Scammers can target Gmail’s account recovery notifications. (Kurt “CyberGuy” Knutsson)


How do scammers spoof Google’s email address?

Mitrovic pointed out that scammers spoofed the sender’s email address to make it appear as if it came from Google. They used Salesforce CRM, a platform that allows users to customize sender information to whatever they want while sending emails via Gmail and Google servers.

CyberGuy reached out to Google for comment but did not receive a response by time of publication.


Scammers can spoof Google’s email address. (Kurt “CyberGuy” Knutsson)


5 Ways to Protect Yourself from Gmail AI Fraud

1) Understand Google’s automated support system: Google has billions of users, so it would take significant resources to contact them about any issue. Everything is automated and Google doesn’t call Gmail users unless they have a linked Google Business Profile.

2) Inspect email addresses carefully: Always check the email address carefully. In this case, the email contained a recipient address that was not associated with a Google domain. Furthermore, there were no other active sessions on the victim’s Google account besides his own.

3) Be careful with links and attachments: Do not click on links or download attachments from unknown or suspicious emails. Instead, navigate directly to the website by typing the URL into your browser.

The best way to protect yourself from malicious links that install malware and potentially gain access to your private data is to install antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware attacks, keeping your personal data and digital assets safe. Discover my picks for the best antivirus protection winners of 2024 for your Windows, Mac, Android, and iOS devices.

4) Enable two-factor authentication (2FA): Use 2FA on your accounts to add an extra layer of security. This requires a second form of verification, such as a text message or authentication app, making it harder for scammers to gain access even if they have your password.

5) Check your accounts regularly: Monitor your accounts closely for unusual activity. Set notifications for login attempts and changes to your account information. Early detection can prevent further damage.
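
The header inspection in tip 2, and the spoofed sender described earlier, can be checked mechanically by comparing a message's header fields against each other. This is an added example, not code from the article or from Google; the sample message, its reserved `.example` domains, the `inspect_headers` function and its finding names are all constructed for illustration.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed sample message; the reserved .example domains are stand-ins, not real senders.
RAW = """\
Return-Path: <bounce-123@crm-relay.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=crm-relay.example; dkim=pass header.d=crm-relay.example
From: Account Support <support@brand.example>
To: brandmail@internal-case-tracking.example
Reply-To: cases@internal-case-tracking.example
Subject: Case update: suspicious activity on your account

Please confirm the details of your case.
"""

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def aligned(dom, parent):
    """True if dom is parent or a subdomain of it."""
    return bool(parent) and (dom == parent or dom.endswith("." + parent))

def inspect_headers(raw, my_address, brand_domain):
    """Return a list of header inconsistencies for a mail claiming to be from brand_domain."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    if not aligned(from_dom, brand_domain):
        findings.append("from-not-brand")
    # A genuine account notice is addressed to you, not to a third-party mailbox.
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in [addr.lower() for _, addr in rcpts]:
        findings.append("recipient-not-in-to")
    # Replies and bounces going to another domain mean someone else operates the mail.
    for header, tag in (("Reply-To", "reply-to-mismatch"), ("Return-Path", "return-path-mismatch")):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and not aligned(domain(addr), from_dom):
            findings.append(tag)
    # Only trust the Authentication-Results header added by your own receiving server.
    results = " ".join(msg.get_all("Authentication-Results", []))
    signers = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results)
    if not any(aligned(d.lower(), from_dom) for d in signers):
        findings.append("dkim-not-aligned")
    return findings

if __name__ == "__main__":
    print(inspect_headers(RAW, "me@recipient.example", "brand.example"))
```

A return-path mismatch alone also occurs with legitimate bulk-mail services, so treat the findings as signals to weigh together rather than as a verdict.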


Kurt’s most important takeaway

While AI has some useful applications, it is increasingly being exploited by scammers to make their schemes more credible. The Gmail AI scam shows how AI can make scams harder to detect, and anyone who isn’t careful can fall victim to them. Google should work on improving its scam filters to ensure these scams don’t reach people’s mailboxes. You can also do your part by being careful and avoiding unknown links.

How confident are you that you can identify a scam? What sources do you use to educate yourself about online security? Let us know by writing to us at Cyberguy.com/Contact.


Copyright 2024 CyberGuy.com. All rights reserved.


