Tuesday, October 29, 2024

Gmail users beware: there's a new scam out there

 

I daresay most of my readers use Gmail (as do I).  It seems fraudsters are trying a new scam against us.


Garry Tan, chief executive of prominent tech-oriented venture capital firm Y Combinator, wrote on X late last week that there is a “pretty elaborate” phishing scam that uses an AI-generated voice.

The scammers “[claim] to be Google Support (caller ID matches, but is not verified),” he wrote in an Oct. 10 post that he termed a “public service announcement.”

“They claim to be checking that you are alive and that they should disregard a death certificate filed that claims a family member is recovering your account. It’s a pretty elaborate ploy to get you to allow password recovery.”

IT consultant Sam Mitrovic, in a blog post last month, wrote of a similar scam attempt targeting Gmail accounts and also using an AI-generated voice.

“The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale,” Mitrovic wrote in the post. “People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it.”

. . .

Mitrovic noted that telltale signs of a scam include that one, he received account recovery messages that he did not initiate; two, it was a phone call, as Google does not call users unless they have a Google Business Profile; and three, the email he received had an address “not connected to a Google domain.” Additionally, the email header showed “how the email was spoofed,” and a “reverse number search showed others who received the same scam call,” he said.


There's more at the link, with added details of how the scammers attempted to gain their victims' confidence.

As always, it's up to the customers (us) to be aware of potential pitfalls, and to assume that any unknown or unexpected approach like this is more likely than not to be fraudulent.  I no longer bother answering any incoming telephone call if it isn't from a name in my address book.  If it's genuine, the caller will leave a voice message, and I can call them back.  Even fraudsters try that (how many messages have you had from callers telling you that there's a problem with your "Google business directory account", and offering to fix it for you?).

There are an awful lot of crooks out there, and the Internet has made it fast, cheap and easy for them to try to con us.  Our first and most important line of defense is our own awareness of that reality.

Peter


6 comments:

  1. Anything like this that I get that might be correct (I actually use the company being spoofed), I contact the company directly rather than responding to an email.
    Always, these have been frauds.
    I have also come to hate voicemails, as my scammers have found a way to leave voicemails without ever ringing my phone.
    John in Indy

  2. I avoid a lot of this kind of thing by sticking to my land line for most calls and leaving the cell turned off unless I am making a call. A tactic I use is to not answer with "hello" or "yes", but "what can I do for you?" Some of the automatic dialers will not recognize that response and will wait for an answer they do recognize and will hang up if they don't get one.

  3. "I no longer bother answering any incoming telephone call if it isn't from a name in my address book."

    Yup, that's my strategy too. If I don't know the number, I don't answer. If you call and don't leave a message, I guess it wasn't that important to begin with, was it?

  4. I answer the phone with "Who is calling, please?" then wait with a muted mic. Half the time they drop the call. If I do get a voice who asks for someone I repeat the question. I have the time so I waste theirs.

  5. I once got a snail mail letter from 'Cigna Insurance' claiming that my mother had taken out a $10K life insurance policy with me as a beneficiary. Not only was that - unusual - for Mom to do, but

    They had her first name spelled incorrectly.*
    They had her Birthday wrong.
    They didn't know her date of passing.+
    The number on the note didn't match anything on the website.
    Of course, they wanted my SSN & account information.
    It was signed 'Cindi'.

    I figured it was Spam and tossed it. A month later, there was a follow-up letter, so I tried a number from Cigna's website using 'Cindi's' extension. By Golly, it was legit, and VERY timely.

    *Mom worked for Cigna for nearly 20 years
    +They wanted a copy of her death certificate

  6. I use a smaller ISP for my email; they used to do dialup internet, but shifted to email only a few years back. Support is minimal, but for $5.00 a month, it's Good Enough.

    About a year ago (after I joined a Google-groups with that email) I started to get emails purporting to be from the ISP. They generally listed some potential disaster that needed me to log into a google-hosted website. Never went that far, and when I looked at the headers, it was pretty clear that it was bogus. (Reading the headers has been the most useful. The ISP support people don't deal with this; one downside, but again, the service is decent for the price.)

    There've been a couple of newer emails purporting to be from a cybersecurity outfit; same header issues and same mechanisms. Activity has been down. Either they're working on campaign emails or they're the ones targeting gmail.

