
As the most popular email client on the planet, it's unsurprising that hackers are targeting Gmail users
FBI has cautioned about this dangerous new Recovery Code scam for Google users
Gmail users have been placed on red alert over a "devastating" new AI-powered scam that combines phone calls and fake emails to steal access to your email account. This ruinous combination could lead to devastating financial losses and identity theft, security experts have warned.
This troubling trend was first identified by the FBI last year, but cybersecurity experts at Malwarebytes have now issued fresh guidance to all 1.8 billion Gmail account-holders worldwide as more people fall victim to the scam.
The attacks target Gmail recovery codes in order to wrest complete control of accounts.
For those who don't know, these one-time codes are generated by Google and sent out whenever you're struggling to log in to your account. The code can be delivered to an email address, to a phone number, to an Authenticator app, or as a notification to another device that's already logged in.
Hackers want to steal your Recovery Code — a one-time password that's sent during the password reset process and grants complete access to your Google account
The latest slew of attacks relies on Artificial Intelligence (AI) to craft convincing communications that trick even the most vigilant users. The well-known tell-tale signs of a fake email purporting to come from a large multi-national company, like a bank or technology firm, such as misspelt words or bad grammar, no longer work now that AI is writing the messages.
Falling for these scams can lead to catastrophic personal and financial damage, experts warn. So, how does this Gmail scam work, and what should you do to shield yourself?
According to the experts at Malwarebytes, the anti-virus firm, this dangerous scam typically begins with a phone call from someone who informs you that your Gmail account has been compromised.
"The goal is to convince the target to provide the criminals with the user’s Gmail recovery code, claiming it’s needed to restore the account," Pieter Arntz, who serves as a Malware Intelligence Researcher at Malwarebytes, wrote in a blog post highlighting the issue.
"Around the same time, users receive legitimate looking emails from what appears to be an authentic Google domain to add credibility to what the caller is claiming to have happened.
"With the recovery code, the criminals not only have access to the target’s Gmail but also to a lot of services, which could even result in identity theft."
If criminals steal your recovery code, they'll gain access not only to your Gmail inbox but to your entire Google Account. This links to services like Google Calendar, potentially revealing when you're going to be away from home and making identity theft easier. Other websites and subscription services where you've used the "Sign In With Google" button could also be compromised in this attack.
Speaking about the impact, FBI Special Agent in Charge Robert Tripp said: "Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike.
"These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data."
Since this initial warning from the FBI over nine months ago, cybersecurity experts report the number of people being targeted has only increased, with criminals deploying increasingly sophisticated methods.
Microsoft solutions consultant Sam Mitrovic shared his first-hand experience with the scam after receiving a notification about a Gmail account recovery attempt. This was quickly followed by what seemed to be a genuine phone call claiming suspicious activity on his account.
Fortunately, the Microsoft executive recognised something was awry and had the presence of mind to end the call before any sensitive information was shared.
"The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale," Mitrovic explained. "People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it."
Google Account brings together several services from the Californian company, including Gmail, Google Calendar, Google Meet, and more
Malwarebytes has issued comprehensive guidance to help Gmail users protect themselves from these AI-powered attacks. It warns that Gmail users should:
- Enable multi-factor authentication (MFA) on all accounts
- Never click on links or download files from unexpected emails or messages
- Only enter your personal information on websites that are confirmed to be legitimate
- Use a dedicated password manager — like Apple Passwords, 1Password, or LastPass — to autofill credentials
- Monitor your accounts regularly for signs of unauthorised access
- Check security alerts by navigating directly to the Google Account webpage, not using email links
- Make sure your devices are running the latest software and security updates
- Activate text message filtering on your smartphone
Alongside the AI-powered account recovery scams, the FBI also issued a warning about a rise in fake websites designed to trick you into entering your email address and password, the Daily Mirror reports.