Gmail warns users to secure accounts after ‘malicious’ AI hack confirmed

Sophisticated scams fueled by artificial intelligence are threatening the security of billions of Gmail users. security warning issued

As AI-powered phone calls mimicking human voices have become incredibly realistic, a new report from Forbes warned that the email service’s 2.5 billion users could be targeted by “malicious” actors that are employing AI to dupe customers into handing over credentials.

The outlet reported that the cybercriminals deploy phone calls posing as Google support — complete with a caller ID that looks convincingly legitimate. The technician might say the person’s account has been compromised in some way, or that they are attempting an account recovery.

The so-called support agent will then send an email to the user’s Gmail account from what appears to be a legitimate Google email address to confirm the account was compromised and receive a code to recover the account.

For Zach Latta, the founder of the Hack Club, this is where he stopped the elaborate scam.

“She sounded like a real engineer, the connection was super clear, and she had an American accent,” Latta told Forbes.

Despite how real the voice on the other end of the line sounds, however, it is a scheme to trick customers into handing over precious login information to gain access to their accounts.

Garry Tan, the founder of venture capital firm Y Combinator, issued a “public service announcement” on X after receiving convincing phishing emails and phone calls.

“They claim to be checking that you are alive and that they should disregard a death certificate filed that claims a family member is recovering your account,” he wrote. “It’s a pretty elaborate ploy to get you to allow password recovery.”

Simiarly, Sam Mitrovic, a Microsoft solutions consultant, experienced the same phenomenon months ago, according to a blog post written at the time.

He recalled receiving a Google account recovery attempt notification, followed less than an hour later by a phone call that looked like it was from the tech company, but he ignored it. A week later, it happened again. This time, he picked up.

“It’s an American voice, very polite and professional. The number is Australian,” he recounted, adding that he verified the phone number on an official Google support page.

“He introduces himself and says that there is suspicious activity on my account. He asks if I’m traveling, when I said no, he asks if I logged in from Germany to which I reply no.”

Then, the agent informs Mitrovic that “someone has had access to my account for a week” and was offering to help him secure it, but, luckily, he noticed that the follow-up email sent by the caller was a spoofed email address and stopped answering.

“The caller said ‘Hello,’ I ignored it then about 10 seconds later, then said ‘Hello’ again,” he described. “At this point I released it as an AI voice as the pronunciation and spacing were too perfect.”

Upon double-checking his log-in sessions in his Google account settings, he saw that the only log-ins were his own.

“Despite many red flags upon closer inspection, this call seemed legitimate enough to trick many people,” he warned.

“The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale.”

To protect yourself and your accounts from malicious actors, Forbes advised turning on “Advanced Protection,” which, according to a Google spokesperson, “takes extra steps to verify your identity” with the use of passkeys and smart keys to keep your account secure, even if hackers have your credentials.