​​Gmail is used by nearly 2.5 billion users worldwide, making it a frequent target for scammers. If you use Gmail, you’ve probably encountered phishing emails impersonating popular companies like Microsoft, Google, Apple and others. These scams are often easy to spot due to suspicious email addresses and other red flags like poor grammar or urgent requests for personal information.

However, a new AI-powered scam is making the rounds, and it’s much harder to detect unless you’re very cautious. Wondering how this scam works and how to protect yourself? I’ve got you covered. In this article, I’ll share a real-life example and provide practical tips to safeguard your information.

GET SECURITY ALERTS, EXPERT TIPS – SIGN UP FOR KURT’S NEWSLETTER – THE CYBERGUY REPORT HERE

How does this scam work?

Sam Mitrovic, a Microsoft solutions consultant, shared his experience of being targeted by an elaborate scam that preyed on Gmail users. He recounted how it all started with a seemingly innocent notification:

“Recently, I received a notification to approve a Gmail account recovery attempt. The request originated from the United States. I denied the request and, about 40 minutes later, received a missed call. The missed call showed the caller ID as Google Sydney.”

Sam shrugged off the missed call, but the pattern repeated exactly one week later. He received another Gmail account recovery notification from the U.S. followed again by a call. This time, he answered.

“It’s an American voice, very polite and professional. The number is Australian. He introduces himself and says that there is suspicious activity on my account. He asks if I’m travelling (sic). When I said no, he asks if I logged in from Germany to which I reply no. He says that someone has had access to my account for a week and that they have downloaded the account data. (I then get a flashback of the recovery notification a week before).”

Sam quickly Googled the phone number, and it appeared in Google’s official documentation. Still skeptical, he asked the caller to send an email for verification. When the email arrived, the sender seemed legitimate at first glance, coming from a Google domain. However, Sam noticed a red flag: The “To field” contained an email address named GoogleMail at InternalCaseTracking dot com. This address doesn’t belong to Google.

Upon doing research, Sam discovered that the person on the other end wasn’t human but AI. This approach is part of a well-known phishing methodology aimed at confirming account recovery or password resets. But when combined with AI calls and email spoofing, this scam becomes particularly dangerous.

Scammers can target Gmail’s account recovery notifications. (Kurt “CyberGuy” Knutsson)

WINDOWS FLAW LETS HACKERS SNEAK INTO YOUR PC OVER WI-FI

How are scammers spoofing Google’s email address?

Mitrovic pointed out that scammers spoofed the sender’s email address to make it appear as if it were from Google. They utilized Salesforce CRM, a platform that enables users to customize the sender information to anything they choose while sending emails through Gmail and Google servers.

CyberGuy reached out to Google for a comment but did not receive a response by the time of publication.

BEST ANTIVIRUS FOR MAC, PC, IPHONES AND ANDROIDS – CYBERGUY PICKS

Scammers can spoof Google’s email address. (Kurt “CyberGuy” Knutsson)

CYBERSCAMMERS USE AI TO MANIPULATE GOOGLE SEARCH RESULTS

5 ways to protect yourself from Gmail AI scam

1) Understanding Google’s automated support system: Google has billions of users, so contacting them regarding any issue requires significant resources. Everything is automated, and Google doesn’t call Gmail users unless they have a connected Google Business Profile.

2) Inspect email addresses carefully: Always check the email address carefully. In this case, the email included a recipient address that was not associated with a Google domain. Additionally, there were no other active sessions on the victim’s Google account besides his own.

3) Be cautious with links and attachments: Avoid clicking on links or downloading attachments from unknown or suspicious emails. Instead, navigate directly to the website by typing the URL into your browser.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

4) Enable two-factor authentication (2FA): Use 2FA on your accounts to add an extra layer of security. This requires a second form of verification, such as a text message or authentication app, making it harder for scammers to gain access even if they have your password.

5) Regularly monitor your accounts: Keep a close eye on your accounts for any unusual activity. Set up notifications for login attempts and changes to your account information. Early detection can prevent further damage.

DON’T LET SNOOPS NEARBY LISTEN TO YOUR VOICEMAIL WITH THIS QUICK TIP

Kurt’s key takeaway

While AI has some useful applications, it is more actively exploited by scammers to make their schemes more believable. The Gmail AI scam demonstrates how AI can make scams harder to detect, and anyone who isn’t careful may fall victim to these scams. Google should work on improving scam filters to ensure that these impersonation scams do not reach people’s mailboxes. You can also do your part by being cautious and avoiding unknown links.

How confident are you in your ability to identify a scam? What resources do you use to educate yourself about online security? Let us know by writing us at Cyberguy.com/Contact.