Google has implemented increasingly sophisticated protections against those who would compromise your Gmail account—but hackers using AI-driven attacks are also evolving. According to Google’s own figures, there are currently more than 2.5 billion users of the Gmail service. No wonder, then, that it is such a target for hackers and scammers. Here’s what you need to know.

The Latest AI-Driven Gmail Attack Is Scary Good

Sam Mitrovic, a Microsoft solutions consultant, has issued a warning after almost falling victim to what is described as a “super realistic AI scam call” capable of tricking even the most experienced of users.

It all started a week before Mitrovic realized the sophistication of the attack that was targeting him. “I received a notification to approve a Gmail account recovery attempt,” Mitrovic recounts in a blog post warning other Gmail users of the threat in question. The need to confirm an account recovery, or a password reset, is a notorious phishing attack methodology intended to drive the user to a fake login portal where they need to enter their credentials to report the request as not initiated by them.

Unsurprisingly, then, Mitrovic wasn’t falling for this and ignored the notification that appeared to originate from the U.S. and a missed phone call, pertaining to be from Google in Sydney, Australia, some 40 minutes later. So far, so relatively straightforward and easy to avoid. Then, almost exactly a week later, the fun started in earnest—another notification request for account recovery approval followed by a telephone call 40 minutes later. This time, Mitrovic didn’t miss the call and instead picked up: an American voice, claiming to be from Google support, confirmed that there was suspicious activity on the Gmail account.

“He asks if I’m traveling,” Mitrovic said, “when I said no, he asks if I logged in from Germany, to which I reply no.” All of this to engender trust in the caller and fear in the recipient. This is when things turned dark fast and really rather clever in the overall scheme of phishing things. The so-called Google support person informed Mitrovic that an attacker had accessed his Gmail account for the past 7 days, and had already downloaded account data. This rang alarm bells as Mitrovic recalled the recovery notification and missed call from a week earlier.

Googling the phone number he was being called from while speaking, Mitrovic discovered that it did, indeed, lead to Google business pages. This alone is a clever tactic likely to fool plenty of unsuspecting users caught up in the panic of the moment, as it wasn’t a Google support number but rather about getting calls from Google Assistant. “At the start of the call, you'll hear the reason for the call and that the call is from Google. You can expect the call to come from an automated system or, in some cases, a manual operator,” the 100% genuine page helpfully informs the reader.

Forbes