Over 2.5 Billion Gmail Users Are At Risk From AI-Driven Phishing Scams
In a Rush? Here are the Quick Facts!
- Scammers use AI to impersonate Google support with convincing phishing attempts.
- Scammers use Google Forms and real Google servers to appear legitimate.
- Google launched the Global Signal Exchange to share intelligence and combat scams.
A new security alert has been issued for Gmail users following the emergence of AI-driven phishing scams that are becoming increasingly sophisticated. According to Forbes, which reported the development today, more than 2.5 billion Gmail users are at risk, making the platform a prime target for cybercriminals.
The latest AI-powered phishing attempts have reached a new level of realism, tricking even experienced users. One notable case involves Sam Mitrovic, a Microsoft solutions consultant, who shared his near-miss experience after being targeted by a convincing scam call, as reported by Forbes.
Mitrovic first received a notification about a Gmail account recovery attempt, a common phishing technique, which he ignored. However, a week later, he received another recovery notification followed by a phone call from someone pretending to be from Google support.
The scammer claimed that his Gmail account had been compromised, creating a sense of urgency and fear, as noted by Forbes. Mitrovic initially thought the call was legitimate, as the scammer used convincing details, including references to suspicious login attempts and even providing a phone number that appeared to belong to Google.
He knew that even if the number appeared legitimate, such as showing up on an official Google page, it could still be spoofed. Shortly after, he received an email that, at first glance, looked authentic, coming from a Google domain.
However, he realized that spoofing an email address is also possible. Upon closer inspection, the “To” field revealed an email address cleverly disguised as GoogleMail@InternalCaseTracking.com, a non-Google domain.
By connecting the clues, along with the unnatural pauses and overly precise pronunciation, he realized it was an AI-generated call. Mitrovic ultimately avoided falling victim but warned that these types of AI-generated attacks could easily deceive less tech-savvy users, as reported by Forbes.
Another incident that Forbes mentioned was reported by Garry Tan, the founder of Y Combinator. Tan recounted a similarly elaborate phishing scam involving a fake Google support call, in which the attacker claimed that a family member had provided a death certificate to recover his account.
The scam was designed to manipulate Tan into approving a fraudulent account recovery. Fortunately, he recognized inconsistencies in the process and avoided being scammed.
Public service announcement: You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified)
DO NOT CLICK YES ON THIS DIALOG— You will be phished
They claim to be checking that you are alive and… pic.twitter.com/60zeuS2lL8
— Garry Tan (@garrytan) October 10, 2024
These AI-driven phishing scams not only exploit sophisticated technology but also manipulate legitimate tools such as Google Forms to create convincing support documents, notes Forbes. By using genuine Google servers, the attackers make their communications appear trustworthy, further complicating the detection of these fraudulent activities, warned Forbes.
In response to the growing threat, Google has launched the Global Signal Exchange in collaboration with the Global Anti-Scam Alliance and the DNS Research Federation. This new initiative aims to share real-time intelligence on cybercrime, enabling faster detection and disruption of scams.
To protect themselves, Gmail users are advised to enable Google’s Advanced Protection Program, which now includes passkey support, providing additional security measures for high-risk accounts such as those of journalists and activists.