Over 2.5 million Gmail users have been alerted to a new and highly advanced phishing scam that uses artificial intelligence (AI) to steal sensitive data, including bank details and account credentials. The FBI has warned Gmail users that this ‘devastating scam’ is extremely difficult to spot because of its convincing nature: it combines AI-powered deepfake phone calls, fake emails and fake websites. By effectively mimicking legitimate communications from Google, these cybercriminals convince users that their accounts have been compromised.
How the Scam Works

Scammers will often initiate their attack by calling their victims, using AI voice-generation tools such as ElevenLabs. The callers claim to be from Google Support and tell victims that suspicious activity has been detected on their Gmail account, sometimes claiming that an attacker has already hacked the account and downloaded sensitive data.
Following these hyper-realistic phone calls, victims are then sent a legitimate-looking email, apparently from an official Google domain, with instructions and a link to “fix” the hack. If users click on this link, they are taken to what seems like a legitimate Google website, where they are asked to enter their user credentials. The main goal of this stage of the scam is to obtain the victim’s Gmail recovery code; sometimes merely clicking on the link gives the hackers access to the account and to every other service associated with it. The hackers are then able to commit identity, financial and information theft.
In some instances, the fake website may also attempt to steal session cookies from the victim’s browser. Session cookies are small data files that store login information, allowing users to remain logged into websites without having to re-enter their credentials each time they visit. If cybercriminals manage to steal these session cookies, they can bypass login credentials entirely and gain control of the victim’s account.
In addition to the Gmail threat, a new and sophisticated scam is targeting iPhone and Android users through caller ID spoofing, where fraudsters impersonate trusted organizations such as banks or law enforcement agencies to steal personal and financial information. Victims often receive calls that appear legitimate, with scammers creating a false sense of urgency by claiming issues like compromised bank accounts or legal troubles, pressuring individuals to act quickly without verifying the caller’s identity.
Experts’ Insights and Warnings

Spencer Starkey, a vice-president at SonicWall, emphasizes that companies like Google must remain vigilant against evolving threats, as “Cybercriminals are constantly developing new tactics, techniques, and procedures to exploit vulnerabilities”. He advocates a proactive cybersecurity approach, including regular assessments and incident response planning, to deal with ever-evolving AI and cybercrime tactics. Victim Sam Mitrovic highlighted the increasing sophistication of these scams, noting that many people may fall for them because of their convincing nature.
Back in May 2024, a warning about the increased frequency of AI-bolstered cyber attacks was issued by the FBI. FBI Special Agent, Robert Tripp, warned at the time that AI-driven scams are becoming more cost-effective for criminals, with some tools starting as low as $5 to use. Robert Tripp also added “These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”
To protect your data and accounts from these AI-bolstered cyber attacks, experts suggest several security measures: avoid clicking on suspicious links or downloading unverified attachments; verify website authenticity by checking for “https” in the URL; use a password manager so that credentials are autofilled only on legitimate sites; monitor accounts regularly for unusual activity; enable multi-factor authentication (MFA); and keep security software updated.
What to Look Out For

To strengthen your online defenses and avoid being scammed, it’s crucial to adopt several precautionary measures. Start by carefully examining the sender’s email address and phone number for anything unusual, such as unexpected digits or strange formats, especially if the email address is one you don’t recognise. Examine logos closely, comparing them with those on the official company website to ensure they match; any fuzziness may indicate a fake. Be alert for grammatical or spelling errors in emails or messages, as these can signal a rushed or unprofessional attempt at deception.
Before clicking on any links, hover over them or copy the URL into a document to verify its legitimacy; ensure it matches the official website and does not contain suspicious additions, such as extra labels inserted between the familiar domain name and an unrelated domain like “suspiciousname.com”. If you receive a follow-up email after replying to an initial message that mentions payment, it is likely a phishing scam. By following these guidelines, you can significantly reduce your risk of falling prey to online scams.
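The link check described above can be automated. The following is an added example, not code from the article: it parses a copied URL, confirms the scheme is https, and flags the lookalike pattern the article warns about, where the real Google name appears as a subdomain of an unrelated domain. The trusted-domain list and the sample links (including the placeholder “evil.example”) are constructed for this example.

```python
from urllib.parse import urlparse

# Constructed allow-list of hosts the user actually expects to log in to.
TRUSTED_DOMAINS = {"google.com", "accounts.google.com", "mail.google.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels (e.g. 'google.com'): the part that decides
    who really owns the site. Simplification for this example: multi-part
    public suffixes such as 'co.uk' are not handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> tuple[bool, str]:
    """Return (is_safe, reason) for a URL copied from an email."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        return False, f"not https (scheme={parsed.scheme!r})"
    if "@" in parsed.netloc:
        # 'accounts.google.com@evil.example' really goes to evil.example.
        return False, "userinfo before host hides the real destination"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label: possible homoglyph lookalike"
    owner = registrable_domain(host)
    if host in TRUSTED_DOMAINS or owner in TRUSTED_DOMAINS:
        return True, f"{host} belongs to trusted domain {owner}"
    for trusted in TRUSTED_DOMAINS:
        # e.g. google.com.suspiciousname.com: the trusted name is only a
        # subdomain label; the owner is suspiciousname.com.
        if trusted in host and owner != trusted:
            return False, f"'{trusted}' appears in host but owner is {owner}"
    return False, f"unrecognised domain {owner}"


if __name__ == "__main__":
    # Constructed sample links, not taken from a real campaign.
    for link in ("https://accounts.google.com/signin",
                 "https://google.com.suspiciousname.com/recover",
                 "http://accounts.google.com/",
                 "https://accounts.google.com@evil.example/"):
        print(link, "->", check_link(link))
```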
Cybercriminals will often create a sense of urgency, pressuring you to act immediately, usually with false threats of account suspension or by playing on a fear of missing out. They may also claim that your account is at risk or that you need to take action to prevent a security breach. Do not succumb to this pressure; take your time to carefully evaluate the situation before taking any action.
How to Bolster Your Protection as a Gmail User

Start by using strong, unique passwords for each of your accounts, ensuring they contain a mix of letters, numbers, and symbols, and change them regularly. Enabling Multi-Factor Authentication (MFA) adds an extra layer of security, requiring verification beyond just your password. Keeping your software updated is crucial as updates often contain security patches that protect against vulnerabilities exploited by cybercriminals.
Be cautious with your online presence; limit the personal information you share on social media and adjust privacy settings to restrict access to your profiles. When using public Wi-Fi, avoid entering sensitive information as these networks can be easily compromised. Instead, consider using a Virtual Private Network (VPN) for added security.
Always carefully analyse emails and links before clicking; if something seems suspicious, or you have never seen the sender’s email address before, it’s best to delete the message rather than risk becoming a victim of cybercrime. Regularly monitor your accounts for unauthorized activity and use security tools such as antivirus software and spam filters to protect against malware and phishing attempts.
Educating yourself about the latest cyber threats can further empower you to recognize potential scams. Finally, if you encounter suspicious activity or believe you have been a victim of cybercrime, report it to the appropriate authorities to help prevent further risks.
AI and the Future of Cybercrime

As AI technology continues to evolve, so too will the tactics of cybercriminals. The battle against phishing scams is an ongoing one, requiring constant vigilance and adaptation. By staying informed about the latest threats, implementing security measures, and exercising caution when interacting with online communications, you can protect your Gmail account and personal information from falling into the wrong hands.