Thu. Oct 17th, 2024

New AI Phishing Scam Targets Gmail Users: How to Stay Safe

With nearly 2.5 billion users worldwide, Gmail has become a frequent target for scammers. Many Gmail users have encountered phishing emails impersonating well-known companies like Microsoft, Google, or Apple. While these scams are often easy to spot due to suspicious email addresses and red flags like poor grammar or urgent requests for personal information, some are becoming more elaborate.

Sam Mitrovic, a Microsoft solutions consultant, shared his experience of being targeted by a sophisticated Gmail scam. It began with a seemingly innocent notification:

“Recently, I received a notification to approve a Gmail account recovery attempt. The request originated from the United States. I denied the request and, about 40 minutes later, received a missed call. The missed call showed the caller ID as Google Sydney.”

Initially, Sam ignored the missed call, but exactly a week later, the same pattern repeated: another Gmail account recovery notification followed by a call. This time, he answered.

“It was an American voice, very polite and professional. The number was Australian. He introduced himself, saying there was suspicious activity on my account and asked if I had logged in from Germany. When I said no, he informed me someone had been accessing my account for a week and had downloaded the account data. That’s when I recalled the recovery notification from the week before.”

Sam quickly searched the caller’s phone number, which appeared in official Google documentation. Still suspicious, he asked the caller to send an email for verification. The email appeared legitimate at first glance, coming from a Google domain, but the “To” field contained a suspicious address: GoogleMail@InternalCaseTracking.com, which wasn’t affiliated with Google.

After further research, Sam realized the caller wasn’t a human but an AI, part of an increasingly dangerous phishing tactic designed to get the target to confirm an account recovery or initiate a password reset. When combined with AI calls and email spoofing, these scams become highly effective.

How Scammers Are Spoofing Google Emails

Mitrovic explained that scammers had spoofed the sender’s email address to appear as if it came from Google. Using Salesforce CRM, a platform that allows customization of sender information, scammers sent emails through Gmail and Google servers, making it harder to detect the scam.

Google was contacted for comment but did not respond by the time of publication.

5 Ways to Protect Yourself from Gmail AI Scams

  1. Understand Google’s Automated Support System: Google, with its billions of users, doesn’t call Gmail users unless they have a connected Google Business Profile. Be wary of anyone claiming to be from Google.
  2. Inspect Email Addresses Carefully: Always double-check the sender’s email address. In Sam’s case, the email included a suspicious recipient address not associated with Google. Verify any claims before taking action.
  3. Be Cautious with Links and Attachments: Avoid clicking on links or downloading attachments from unfamiliar or suspicious emails. Instead, type the URL directly into your browser.
  4. Enable Two-Factor Authentication (2FA): Add an extra layer of security by enabling 2FA on your accounts, which requires a second form of verification, making it more difficult for scammers to access your information.
  5. Regularly Monitor Your Accounts: Set up alerts for any suspicious login attempts or changes to your account details. Early detection can prevent significant damage.
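
To make tip 2 and the spoofing described above concrete, here is an added example (not from the article or from Mitrovic) that reviews a message's headers for two signals from this story: a "To" address that is not yours, and SPF/DKIM passes for a domain other than the one shown in "From". The sample message is constructed (only the "To" address comes from the article), and `review_headers`, `my_address` and the simplified alignment rule are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: only the To address comes from the article; every other
# header value (sender, authserv-id, CRM domain) is invented for illustration.
SAMPLE = """\
From: Google Support <support@google.com>
To: GoogleMail@InternalCaseTracking.com
Subject: Your case
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@mailer.crm-sender.example;
 dkim=pass header.d=crm-sender.example

Case details follow.
"""

def domain(addr):
    """Return the lowercased domain part of an address or bare domain."""
    return addr.rsplit("@", 1)[-1].lower().strip(".")

def aligned(a, b):
    # Assumption: simplified relaxed alignment (same domain or a subdomain);
    # a real DMARC check uses the Public Suffix List.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def review_headers(raw, my_address):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    # 1. Was the message actually addressed to the mailbox owner?
    rcpts = [a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if my_address.lower() not in rcpts:
        findings.append("not-addressed-to-me: " + ", ".join(rcpts))
    # 2. Which domains passed SPF/DKIM, and do they match the visible From?
    auth = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    passed = re.findall(
        r"\b(spf|dkim)=pass\b[^;]*?\b(?:smtp\.mailfrom|header\.d)=([^\s;]+)",
        auth, re.I)
    if not passed:
        findings.append("no-passing-spf-or-dkim")
    for method, ident in passed:
        if not aligned(domain(ident), from_dom):
            findings.append(
                f"{method.lower()}-domain-mismatch: {domain(ident)} vs {from_dom}")
    return findings
```

In Gmail, the raw headers this function expects are available through "Show original" on the message.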

The Role of AI in Modern Scams

While AI has numerous beneficial applications, it is increasingly being used by scammers to make their schemes more convincing. The Gmail AI scam is a prime example of how AI can make phishing attempts harder to detect, potentially fooling even cautious users.

It’s important for users to remain vigilant and for Google to continue improving its scam filters to prevent such phishing emails from reaching inboxes. By staying cautious and avoiding unknown links, users can protect themselves from falling victim to these increasingly sophisticated scams.
