A Microsoft employee has warned of a new “hyper-realistic” AI scam that could fool “even the most experienced users.” The scam, which involves fake calls and emails purporting to be from Google, is aimed at hijacking Gmail accounts.
With the advent of artificial intelligence, attackers are finding new ways to use the technology to their advantage. Microsoft solutions consultant Sam Mitrovic almost fell for the scam himself and explained how it all happened on his blog.
He recently received an SMS notification asking him to confirm an attempt to recover access to his Gmail account. The request originated from the US, and he rejected it. However, 40 minutes later he found a missed call with the caller ID “Google Sydney.” A week later, Mitrovic again received a notification of an attempt to regain access to his Gmail account, and again, 40 minutes later, a call came in, which this time he decided to accept. According to him, the caller spoke with an American accent and was extremely polite, and the caller’s number turned out to be Australian.
The caller introduced himself, said that suspicious activity had been recorded on the account, and asked whether Mitrovic was travelling. After a negative answer, the caller asked a couple more clarifying questions. During the conversation, Mitrovic decided to check the number against Google’s own data. To his surprise, official Google documentation confirmed that some calls could indeed come from Australia, and the number appeared to be genuine. However, aware that a caller ID can be spoofed, Mitrovic continued his investigation by asking the caller to send him an email.
The caller agreed. While Mitrovic waited on the line, he could hear keyboard sounds and the background noise typical of a call center, which gave no reason to doubt the authenticity of the conversation. However, everything became clear at the moment when the caller repeated “Hello” several times: Mitrovic realized he was talking to an AI because “the pronunciation and pauses were too perfect.”
He hung up and tried to call the number back, but heard an automated message: “This is Google Maps, we cannot take your call.” Next, he checked the login activity on his Gmail account (you can do this by clicking your profile photo in the top right corner, selecting “Manage Google Account,” opening the “Security” section and reviewing “Recent Security Activity”). Fortunately, all of the logins turned out to be his own.
Next, Mitrovic examined the headers of the email he had received and discovered that the scammer had spoofed the sender’s address using the Salesforce CRM system, which allows users to set any sender address and send emails through Google’s Gmail servers. The bottom line is that AI-driven calls and spoofed emails can be so convincing that even experienced users can be tricked. Given today’s technological realities, the only defense is vigilance.
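The header check Mitrovic performed by hand can be automated. The script below is an added example and is not code from Mitrovic's blog or from the article: it parses a message, pulls the domains that actually passed SPF and DKIM out of the `Authentication-Results` header, and compares them with the visible `From:` domain and the envelope sender in `Return-Path:`, which is the alignment test DMARC applies. The two sample header blocks are constructed for this example (the `example-crm.invalid` domain is a placeholder for any third-party sending platform, not Salesforce's real infrastructure), and the organizational-domain helper is a deliberate simplification that takes the last two labels instead of consulting the public suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the visible From: claims google.com, but the envelope
# sender, the SPF pass and the DKIM signature all belong to a third-party
# bulk-mail platform (placeholder domain, not a real one).
SPOOFED_HEADERS = """\
Return-Path: <bounce@mail.example-crm.invalid>
Received: from mail.example-crm.invalid (mail.example-crm.invalid [192.0.2.10])
        by mx.example.net with ESMTPS id abc123
Authentication-Results: mx.example.net;
        spf=pass smtp.mailfrom=mail.example-crm.invalid;
        dkim=pass header.d=example-crm.invalid header.s=sel1;
        dmarc=fail (p=NONE) header.from=google.com
From: "Google Account Security" <no-reply@google.com>
To: victim@example.net
Subject: Action required: confirm account recovery
Message-ID: <constructed-1@example-crm.invalid>

Body omitted.
"""

# Constructed sample of what an aligned message looks like: the DKIM signing
# domain and the SPF envelope domain match the From: domain.
ALIGNED_HEADERS = """\
Return-Path: <3abc@accounts.google.com>
Authentication-Results: mx.example.net;
        spf=pass smtp.mailfrom=accounts.google.com;
        dkim=pass header.d=accounts.google.com header.s=20230601
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security alert

Body omitted.
"""


def domain_of(value):
    """Domain part of an address (or bare domain), lower-cased and trimmed."""
    _, addr = parseaddr(value)
    addr = addr or value
    return addr.rsplit("@", 1)[-1].strip().strip(";").lower()


def org_domain(domain):
    """Crude organizational domain: last two labels (no public-suffix list)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def authenticated_domains(auth_results):
    """Domains that actually passed SPF and DKIM per Authentication-Results."""
    spf = re.findall(r"spf=pass\s+smtp\.mailfrom=([^\s;]+)", auth_results)
    dkim = re.findall(r"dkim=pass\s+header\.d=([^\s;]+)", auth_results)
    return [domain_of(d) for d in spf], [domain_of(d) for d in dkim]


def check_sender_alignment(raw_message):
    """Flag a message whose From: domain is not backed by SPF/DKIM results."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(str(msg["From"] or ""))
    return_path_domain = domain_of(str(msg["Return-Path"] or ""))
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    spf_domains, dkim_domains = authenticated_domains(auth)

    findings = []
    if return_path_domain and org_domain(return_path_domain) != org_domain(from_domain):
        findings.append(f"envelope sender {return_path_domain} does not match From {from_domain}")
    if not any(org_domain(d) == org_domain(from_domain) for d in dkim_domains):
        findings.append(f"no DKIM pass aligned with From {from_domain} (signed by {dkim_domains or 'nobody'})")
    if not any(org_domain(d) == org_domain(from_domain) for d in spf_domains):
        findings.append(f"no SPF pass aligned with From {from_domain} (passed for {spf_domains or 'nobody'})")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf_domains": spf_domains,
        "dkim_domains": dkim_domains,
        "aligned": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_HEADERS), ("aligned", ALIGNED_HEADERS)):
        result = check_sender_alignment(raw)
        print(f"{label}: aligned={result['aligned']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run against the spoofed sample, the check reports three findings (unaligned envelope sender, DKIM and SPF), which is exactly the situation the article describes: the mail was genuinely relayed and even authenticated, just not for the domain shown in `From:`. A mail client that only displays the `From:` line hides all of this, which is why the receiving domain's DMARC policy, not the displayed sender, is what should decide whether such a message reaches the inbox.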