A security expert has recounted how close he came to being fooled by a new AI-based scam call that aimed to get his Gmail account details.
There were already scam ChatGPT apps on the App Store, but now scammers have deployed artificial intelligence in a scam call that security expert Sam Mitrovic describes as "super realistic."
"People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort," wrote Mitrovic in a blog post. "Many people are likely to fall for it."
"Despite many red flags upon closer inspection, this call seemed legitimate enough to trick many people," he continued. "My guess is that their conversion rate from calls answered would be relatively high."
For Mitrovic, it began with a notification to approve a Gmail account recovery attempt. Mitrovic ignored both that and a missed call apparently from Google Sydney.
A week later, the same notification appeared and 40 minutes later, he got a call that he did answer. The seven-day gap was significant, because the caller told him that there had been suspicious activity on his account for a week.
While this polite, professional, American male voice asks if Mitrovic could have been accessing his account from overseas, the security expert is Googling the phone number the call is coming from. It's a legitimate Google number, although Mitrovic notes that numbers can be spoofed.
In this case, however, the Google number was for calls specifically regarding Google Assistant, not the Gmail account he was being asked about. So Mitrovic asks the caller to send him an email.
"He politely says he will do so and to give him a moment," continues Mitrovic. "In the background, I can hear someone typing... After a few moments, the email arrives and at first glance the email looks legit."
It isn't, though. As Mitrovic is noticing that the address is not from a Google domain, the caller says "Hello."
"I ignored it... then about 10 seconds later, [the voice] said 'Hello' again," says Mitrovic, and that's when the security expert hung up. "At this point [I realised it was] an AI voice as the pronunciation and spacing were too perfect."
"The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale," cautions Mitrovic.
To avoid being taken in, he notes that there were several clues, starting with the fact that he received account recovery notifications that he hadn't initiated. He also notes that Google does not phone Gmail users unless they also have a Google Business Profile.
The spoofing of a phone number and an email address is scary enough, but that the entire call was an AI voice is sobering. Ironically, it may mean that scammers employ fewer people in future, but it also means that hundreds or thousands of such calls could be made simultaneously.
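The clue that broke the illusion was the sender's domain: the email looked legitimate at a glance, but the address was not on a Google domain. As an added example (not code from Mitrovic's post or this article), here is a small Python check of the kind a defender can run over an incoming message's headers. The allowlist of trusted domains and both sample messages are constructed for illustration; the look-alike domain is a placeholder, not the one used in the real scam.

```python
import email
from email.utils import parseaddr

# Constructed allowlist of domains that legitimately send Google account mail.
# Assumption: illustrative only; maintain your own list from the provider's documentation.
TRUSTED_GOOGLE_DOMAINS = ("google.com", "accounts.google.com")


def _domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_trusted(domain: str) -> bool:
    """True only for an exact allowlisted domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_GOOGLE_DOMAINS)


def check_sender(raw_message: str) -> list[str]:
    """Return the red flags found in the message headers; an empty list means none."""
    msg = email.message_from_string(raw_message)
    flags = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)

    # The core check Mitrovic made by eye: is the address actually on a Google domain?
    if not _is_trusted(from_domain):
        flags.append(f"From domain {from_domain!r} is not an allowlisted Google domain")

    # Display-name spoofing: the friendly name says Google, the address does not.
    if "google" in display.lower() and not _is_trusted(from_domain):
        flags.append("Display name mentions Google but the address domain does not match")

    # Look-alike domains that merely contain the brand name.
    if "google" in from_domain and not _is_trusted(from_domain):
        flags.append(f"Look-alike domain {from_domain!r} contains 'google' but is not Google")

    # A Reply-To pointing somewhere else is a classic sign of a redirected conversation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To domain {_domain_of(reply_to)!r} differs from From domain")

    return flags


# Constructed sample: the kind of message that "looks legit at first glance".
SCAM_SAMPLE = """\
From: "Google Account Team" <security@google-account-recovery.example>
Reply-To: support@mail.example
To: victim@gmail.com
Subject: Suspicious activity on your account

Please confirm the recovery request we discussed on the phone.
"""

# Constructed sample of a message from an allowlisted domain.
LEGIT_SAMPLE = """\
From: Google <no-reply@accounts.google.com>
To: victim@gmail.com
Subject: Security alert

A recovery attempt was made on your account.
"""

if __name__ == "__main__":
    for name, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_sender(sample) or "no red flags")
```

The check is deliberately conservative: an address only passes if its domain is exactly on the allowlist or a subdomain of an allowlisted entry, so `google-account-recovery.example` fails even though it contains the brand name. Header checks like this complement, but do not replace, SPF/DKIM/DMARC verification, which confirms that the sending domain was not spoofed at the transport level.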
Other than the AI aspect, though, phone spoofing and phishing calls are not new. Previously scammers have pretended to be from Apple Support, for instance.
17 Comments
Simple, don't answer your phone if you don't know the number. Let it go to voicemail, giving you time to figure out if it's real. It wouldn't hurt if the cellular provider was able to capture suspicious phone calls, sending them to the DOJ.
The Hellscape