Commentary

Gmail Imposters: Scammers Try To Con Users Into A 'Recovery' Attempt


Gmail users are being targeted in a worldwide scam that could lead to millions of accounts being taken over.  

Sam Mitrovic was one potential victim, but he was the wrong person to try this with. He is an expert on Microsoft Security products. 

He laid out the sophisticated threat in a recent blog post. 

First, Mitrovic received a notification to approve a Gmail account recovery attempt, he writes. Someone had access to his account. 

He ended up on a call that apparently came from Australia. He notes the following (and we quote):

  • The caller seemed legit (courteous, professional, super realistic American AI voice).
  • The phone number seemed legit.
  • The email seemed legit.


All well and good, right? But Mitrovic noticed these signs that this was an attempted account takeover:

  • I received account recovery notifications which I didn’t initiate. 
  • Google doesn’t call Gmail users if you don’t have Google Business Profile connected. 
  • The email contained a To email address not connected to a Google domain.
  • There were no other active sessions on my Google account apart from my own.
  • Email headers showed how the email was spoofed.
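The header-level signals in that list (the To address, and whether the headers show the message was spoofed) can be checked mechanically from the receiving server's Authentication-Results. The following is an added example, not code from Mitrovic's post or from the article; the Google domain sets and both sample header blocks are assumptions constructed for the example.

```python
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

# Assumed for this example: domains Google sends account mail from, and Google mailbox domains.
GOOGLE_SENDER_DOMAINS = {"google.com", "accounts.google.com"}
GOOGLE_MAILBOX_DOMAINS = GOOGLE_SENDER_DOMAINS | {"gmail.com", "googlemail.com"}

def _domain(header_value) -> str:
    """Lower-cased domain of an address header such as 'Google <no-reply@google.com>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def header_red_flags(raw_headers: str) -> list[str]:
    """Apply the header-level signals from the post to one message's raw headers."""
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    flags = []
    if _domain(msg.get("From")) not in GOOGLE_SENDER_DOMAINS:
        flags.append("From address is not a Google sender domain")
    if _domain(msg.get("To")) not in GOOGLE_MAILBOX_DOMAINS:
        flags.append("To address is not connected to a Google domain")
    # The receiving server writes the SPF/DKIM outcome into Authentication-Results;
    # a convincing display name or From address proves nothing without these.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    if not re.search(r"\bspf=pass\b", auth):
        flags.append("SPF did not pass for the sending server")
    dkim = re.search(r"\bdkim=pass\b[^;]*header\.(?:d=|i=@)([\w.-]+)", auth)
    if not dkim or dkim.group(1).lower() not in GOOGLE_SENDER_DOMAINS:
        flags.append("No DKIM signature verified for a Google domain")
    return flags

# Constructed sample headers (not real messages); ".example" domains are placeholders.
LEGIT_HEADERS = """\
From: Google <no-reply@accounts.google.com>
To: victim@gmail.com
Subject: Security alert
Authentication-Results: mx.google.com;
       dkim=pass header.i=@accounts.google.com header.s=20230601 header.b=Abc123;
       spf=pass smtp.mailfrom=3abc@accounts.google.com
"""

SPOOFED_HEADERS = """\
From: Google Support <support@google.com>
To: recovery-cases@case-tracking.example
Subject: Gmail account recovery case
Authentication-Results: mx.example.net;
       dkim=none;
       spf=fail smtp.mailfrom=bounce@case-tracking.example
"""
```

Note that the spoofed sample passes the From-domain check: the display name and From address are exactly what a user sees, which is why the authentication results, not the visible sender, are the signal.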

Attention, legitimate email marketers: This is what you're competing against. 

Mitrovic concludes that he would give the scammers "an A for their effort. Many people are likely to fall for it."

How would you avoid it? There's only one way: At the individual level, "the best tool is still vigilance," he writes.
