
Gmail users are being targeted in a worldwide scam that could lead to millions of accounts being taken over.
Sam Mitrovic was one potential victim, but he was the wrong person to try this with. He is an expert on Microsoft Security products.
He laid out the sophisticated threat in a recent blog post.
First, Mitrovic received a notification to approve a Gmail account recovery attempt, he writes. Someone was trying to get into his account.
He ended up on a call that apparently came from Australia. He notes the following (and we quote):
- The caller seemed legit (courteous, professional, super realistic American AI voice).
- The phone number seemed legit.
- The email seemed legit.
All well and good, right? But Mitrovic noticed these signs that this was an attempted account takeover:
- I received account recovery notifications which I didn’t initiate.
- Google doesn’t call Gmail users if you don’t have Google Business Profile connected.
- The email contained a To email address not connected to a Google domain.
- There were no other active sessions on my Google account apart from my own.
- Email headers showed how the email was spoofed.
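Two of the signs above can be checked mechanically from the raw message: a To address outside Google's domains, and headers that show the sender was spoofed. The script below is an added example, not code from Mitrovic's post or from Google; the Google domain list and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains a genuine Google account notice would come from or be sent to.
GOOGLE_DOMAINS = ("google.com", "googlemail.com", "gmail.com")

# Constructed sample message, modelled on the recovery-notice lure the article describes.
SAMPLE_EMAIL = """\
From: Google Accounts <no-reply@accounts.google.com>
To: sam@some-other-domain.test
Return-Path: <bounce@mailer.phish-example.test>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.phish-example.test; dkim=none
Subject: Confirm your account recovery

Someone from our support team will call you shortly to confirm this request.
"""

def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_google_domain(domain: str) -> bool:
    """True for google.com, gmail.com, googlemail.com and their subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in GOOGLE_DOMAINS)

def header_red_flags(raw_message: str) -> list[str]:
    """Return the spoofing indicators found in a message's headers."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    to_dom = domain_of(msg.get("To", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "").lower()
    # A real Google notice is addressed to the Google account itself.
    if not is_google_domain(to_dom):
        flags.append(f"To address is outside Google's domains: {to_dom or '(missing)'}")
    # Display sender claims Google, but the bounce address points somewhere else.
    if is_google_domain(from_dom) and rp_dom and not is_google_domain(rp_dom):
        flags.append(f"From claims {from_dom} but Return-Path is {rp_dom}")
    # The receiving server recorded an SPF/DKIM failure or no DKIM signature at all.
    if "spf=fail" in auth or "dkim=fail" in auth or "dkim=none" in auth:
        flags.append(f"sender not authenticated: {auth}")
    return flags

if __name__ == "__main__":
    for flag in header_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Paste the full source of a suspicious message (most mail clients offer "show original") in place of the sample to run the same three checks on it.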
Attention, legitimate email marketers: This is what you're competing against.
Mitrovic concludes that he would give the scammers "an A for their effort. Many people are likely to fall for it."
How would you avoid it? There's only one way: At the individual level, "the best tool is still vigilance," he writes.