A scam aimed at Gmail users has been circulating, and it’s all too easy to fall victim to this deceit.
Microsoft Solutions Consultant Sam Mitrovic recounted his experience in a blog post, explaining how he nearly became a victim.
He received a notification requesting approval for a Gmail account recovery attempt that he still needed to initiate. Forty minutes after declining the request, he missed a call from Google in Sydney.
This intricate scam poses a real risk of losing access to your Gmail account and potentially much more.
A week later, around the same time, Mitrovic received another notification asking him to approve another Gmail account recovery attempt, which he again refused.
After forty minutes, he received a phone call again. This time, he answered and spoke with an American despite the call from Australia.
The caller informed him of suspicious activity on his account and asked if he was travelling or had logged in from Germany.
When Sam replied “No” to both questions—designed to instil fear regarding the security of his account—he was told that someone had accessed his account for a week and had downloaded its data.
While still on the call, Mitrovic Googled the number from which the call was made, and it appeared to be a legitimate Google number in Australia.
However, aware that scammers can manipulate caller ID to appear as a trusted source, he asked the caller to email him to verify the call’s legitimacy.
The caller agreed, but Sam could hear the sound of typing on a keyboard and the typical background noise of a call centre.
When the email arrived, it seemed genuine, except for one address in the “To” field: GoogleMail@InternalCaseTracking.com, which is not a legitimate Google domain.
While searching for the phone number, Sam stumbled upon a post from another victim who believed the call was genuine. The sophistication of the scam made it easy to see how someone could be misled.
It isn’t very comforting to consider what might have occurred had Mitrovic granted permission for the account recovery. Had he done so, he would have lost control of his account to the scammers.
During this scam, there were several moments when an average person might have unwittingly granted access to the fraudsters, allowing them to take over their account.
Do not approve any Gmail account recovery attempts without verification.
This phishing attack is designed to direct you to a fraudulent login page, where you are prompted to enter your legitimate credentials to confirm that you did not initiate the recovery request.