Beware of the New Gmail Scams That Are Fooling Security Pros

Scammers are stepping up their game with increasingly sophisticated Gmail scams powered by AI, and they're so convincing that even security experts have been in danger of falling victim. These scams are aimed at resetting your Gmail password and taking control of your account. Once scammers have control, they could use your email to get into other accounts, such as your bank and investment accounts, or steal your identity.

Here's how these scams work, how they differ from traditional phishing attempts, and, most importantly, how you can protect yourself.

How the scam works: AI meets social engineering

At the heart of this Gmail takeover scam is a combination of traditional social engineering and advanced AI. It typically begins with a fake Gmail two-factor authentication (2FA) account recovery notification sent to the target's inbox. If you confirm the 2FA, you've given the scammer the ability to take over your account. However, if you ignore it (and here's where things get interesting), you receive a follow up 2FA email and then a phone call supposedly from Google. The scammer, using an AI-generated voice that sounds eerily professional and human, claims there’s suspicious activity on the account and to confirm the 2FA. They create a sense of urgency, perhaps saying someone has accessed the account from a foreign country and stolen sensitive data, in order to have you click. And if you do, and the trap is sprung.

This is not a theoretical threat; it’s actively happening and is sophisticated enough to almost trick security experts. Sam Mitrovic, an IT professional and tech blogger, shared his near-miss in his post “Gmail Account Takeover: Super Realistic AI Scam Call.”

Mitrovic explained that what made the scam so convincing was the follow-up email, sent a week later, appeared legitimate – complete with Google branding. However, subtle details that most people would not notice, such as a spoofed "From" field, revealed that it was a fake.

Why these scams are different

Compared to traditional phishing emails, which often contain grammar errors, broken links, or mismatched logos, these new AI-powered attacks are polished and sophisticated. The AI-generated voices make the phone calls sound human, not like the typical robotic scammer voice. This approach adds another layer of authenticity, making the scam more difficult to detect and much more dangerous.

Another key difference is the real-time interaction. Phishing emails usually don’t involve live conversations, but these scammers use AI to engage the victim directly through phone calls. They patiently build trust by mimicking Google’s procedures, such as asking about your travel history or recent login attempts. This slow, calculated manipulation can easily bypass our usual suspicion of phishing attempts.

How to spot the warning signs

While these scams are hard to detect, there are a few red flags that can help you avoid falling victim:

Unexpected recovery notifications

Always be suspicious of recovery alerts you didn’t request.

Calls from ‘Google’

Google rarely calls individual users unless you have a business account. If you receive a phone call claiming to be from Google, it’s a good idea to hang up and verify through official Google support channels. Keep in mind that phone numbers are easily spoofed, too.

Emails from 'Google'

Pay attention to the details in emails you receive. Spoofed emails often have subtle signs, such as domain names that aren't exact matches for those you're familiar with or a suspicious sender field.

Read more: How to Tell if an Email Has Been Spoofed

Sense of urgency

Scammers often pressure you to act quickly to prevent you from thinking things through. If a caller is insisting that you act immediately, step back and assess the situation critically.

The future of phishing detection: phishing intelligence sharing

One promising development in the fight against phishing attacks is phishing intelligence sharing. This involves a network of tech organizations, cybersecurity firms, and government agencies collaborating in real-time to share information about new and emerging threats. Initiatives like CISA’s Automated Indicator Sharing (AIS) enable security teams to exchange data rapidly, making it easier to detect phishing patterns across platforms.

Google and other tech companies are already participating in such efforts, and this collaborative approach is key in spotting and flagging fake emails before they even reach you. But don't let down your guard, knowing the red flags remains a crucial part of staying safe.

[Image credit: concept rendering of a robot working at a computer generated by DALL-E]

For the past 20+ years, Techlicious founder Suzanne Kantra has been exploring and writing about the world’s most exciting and important science and technology issues. Prior to Techlicious, Suzanne was the Technology Editor for Martha Stewart Living Omnimedia and the Senior Technology Editor for Popular Science. Suzanne has been featured on CNN, CBS, and NBC.

News, Computers and Software, Internet & Networking, Computer Safety & Support, Blog, Privacy