AI has its use cases, sure. While most large corporations have developed AI models for the betterment of humanity, there are always those who use it for all the wrong reasons. One such instance is using AI for “spoofing” to take control of digital accounts, including Gmail, the world’s most popular email service provider.
With over 2.5 billion accounts, Gmail is an easy target for cybercriminals, who are now using a new trick called a “super realistic AI scam call,” which can fool even tech-savvy users.
Sam Mitrovic, the founder of CloudJoy and an expert on security products, recently published a detailed blog post on how he was nearly duped. He received a notification, made to look like Google's genuine request to approve a recovery attempt on his Gmail account, which he rejected. The rejection was followed by a phone call with the caller ID showing “Google Sydney”.
A week later, he received another Gmail recovery notification and a phone call. Just like the first time, the call came from a legitimate phone number listed on Google’s support page. The caller stated his account had been logged in from overseas for over a week, and the personal data related to the account had been downloaded.
I wrote about my experience with a similar Google AI scam. It’s elaborate and super realistic: https://t.co/pEdMhpjZ5y https://t.co/VvwEtZ684K
— Sam Mitrovic (@SamMitrovic) October 11, 2024
At his request, the caller followed up with an email describing the same issue in writing. The email came from a Google domain, which could fool almost anyone. Mitrovic suspected the call was a scam and started to dig deeper; with the help of online forums such as Reddit, he confirmed it was indeed a spoofing attempt to take over his Gmail account.
A phone number identical to the legitimate Google Workspace support line, an email bearing a Google domain that was spoofed through a Salesforce CRM (which lets its users send from whatever domain name they configure), and a convincing AI voice bot are more than enough to make most users believe the communication is from Google. Many users would readily hand over their Gmail credentials to criminals.
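As an added illustration (not from the article or from Mitrovic's post), this Python script performs the check that a message showing a Google From: address cannot easily fake: whether the DKIM and SPF domains the receiving server authenticated actually align with that From: domain, the same alignment DMARC enforces. Both sample messages and the example-crm.com domain are constructed.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (not from the article): the visible From is a Google domain, but
# the domains the receiver authenticated (SPF, DKIM) and the Reply-To belong to an
# unrelated mailer; example-crm.com is a placeholder.
RAW_SUSPICIOUS = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.example-crm.com; dkim=pass header.d=example-crm.com; dmarc=fail header.from=google.com
From: Google Support <support@google.com>
Reply-To: help@example-crm.com
Subject: Account recovery notice

"""
# Constructed sample of a message that really originated at Google.
RAW_LEGIT = b"""Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=accounts.google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
From: Google <no-reply@accounts.google.com>
Subject: Security alert

"""

def _domain(addr: str) -> str:
    addr = parseaddr(addr)[1] or addr  # handles "Name <user@host>" or a bare domain
    return addr.rsplit("@", 1)[-1].strip().lower()

def _aligned(authenticated: str, from_domain: str) -> bool:
    # Relaxed-style alignment: equal, or one is a subdomain of the other.
    return bool(authenticated) and (authenticated == from_domain or
        authenticated.endswith("." + from_domain) or from_domain.endswith("." + authenticated))

def check_sender_alignment(raw: bytes) -> dict:
    """Compare the visible From domain with what the receiving server authenticated."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg.get("From", ""))
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dkim = re.search(r"header\.d=([\w.-]+)", auth)
    spf = re.search(r"smtp\.mailfrom=([^;\s]+)", auth)
    dkim_domain = dkim.group(1).lower() if dkim else ""
    spf_domain = _domain(spf.group(1)) if spf else ""
    reply_domain = _domain(msg.get("Reply-To") or from_domain)
    warnings = []
    if not _aligned(dkim_domain, from_domain):
        warnings.append(f"DKIM domain '{dkim_domain or 'none'}' is not '{from_domain}'")
    if not _aligned(spf_domain, from_domain):
        warnings.append(f"SPF domain '{spf_domain or 'none'}' is not '{from_domain}'")
    if "dmarc=fail" in auth.lower():
        warnings.append("receiving server reported dmarc=fail")
    if reply_domain != from_domain:
        warnings.append(f"replies go to '{reply_domain}', not '{from_domain}'")
    return {"from_domain": from_domain, "dkim_domain": dkim_domain, "spf_domain": spf_domain, "warnings": warnings}
```

Webmail clients expose the same Authentication-Results data under options such as “show original”; a From: domain that the authenticated domains do not match is a far stronger signal than a familiar display name or caller ID.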
Until a few years ago, these scams required actual human resources to make the voice call—like the popular Jamtara cyber scams in India. However, with the advent of realistic-sounding AI voice models, it has become even simpler. Now, a troublemaker could easily initiate thousands of these attempts simultaneously.
This instance proves that hackers use a combination of tricks, including fake emails, phone numbers, and AI bots to fool legitimate users. For now, there isn’t a foolproof way to prevent this from happening. However, staying vigilant can help you keep your Gmail account safe and secure. In this day and age, our Gmail account is practically our digital identity, used for personal and professional purposes.
Google will rarely call you regarding your Gmail account: Unless your account is connected to a Google Business Profile, they will typically contact you via email first, using a Google domain-linked email ID.
If you have a business profile on Google and receive a suspicious call, cross-verify the number: Use platforms like Truecaller to see if others have flagged the number as “scam”.
Regularly check your Gmail activity: If you suspect unauthorised access, click on your profile picture > Manage your Google account > Data & Privacy > My Activity to review account activity.
In this era where data is the new gold, hackers will develop sophisticated methods to spoof users and gain access to digital accounts to steal private data. The only way to stay safe from these attempts is to be vigilant.
It’s also advisable to change the passwords of your digital accounts regularly and enable two-factor authentication methods like OTP, passkeys, or authenticator apps like Microsoft Authenticator. This makes it more difficult for hackers to access your accounts, even if they manage to crack your password.