Watch out for this Gmail scam that could easily fool you

A scam targeting Gmail account holders has been making the rounds and you could easily get caught up in this ripoff. Microsoft Solutions Consultant Sam Mitrovic could have been a victim as he explained in a blog post detailing what happened to him. He received a notification asking him to approve a Gmail account recovery attempt that he did not initiate. 40 minutes after denying the request, Sam missed a call from Google Sydney.

A week later, at around the same time of the day, Mitrovic once again received a notification asking him to approve a Gmail account recovery attempt which he once again refused to approve. And once again, after 40 minutes he received a phone call. This time, he picked it up and found himself talking to an American even though the call originated from Australia.

The man on the other end of the call says that there is suspicious activity on his account. He asks Sam whether he is traveling or if he logged in from Germany. When he responds "No" to both questions (which are designed to scare the victim into thinking that his account has been compromised), Mitrovic is told that someone has had access to his account for a week and downloaded the account data. 

While on the phone call, Mitrovic Googled the phone number that the call came in from and it showed up as a legit number for Google in Australia. Still, knowing that scammers can make a call appear as though it is coming from a particular number, he has a request for the guy on the phone.

Mitrovic asked for an email to be sent to him to authenticate the validity of the call. While the gentleman agrees, Sam can hear on his phone the sound of someone typing on a keyboard and the general ambiance of a call center. When the email arrives, it looks legit except that one of the addresses in the "to" field, GoogleMail at InternalCaseTracking dot com, is a non-Google domain. And then it hit Mitrovic that the voice on the other end of the call was AI-generated. Not wanting to be a victim, Mitrovic hung up.

He later found that the sender email address was faked. The scammers were able to do this by using Salesforce CRM. The latter allows a user to set the sender address to any address that the user wants and have it sent via Gmail/Google servers.

On Reddit, a subscriber revealed that he was the recipient of the same exact scam which he also didn't fall for. However, not everyone was smart enough to reject the call. While doing a reverse phone number search, Sam came across a post from a victim who thought the call was from Google. And frankly, the scam was so sophisticated that no one could be blamed for falling for it.

So what might have happened had Mitrovic approved the account recovery notification is scary to think about. Had that happened, he would have lost control of his account to scammers. There were various times during this scam when a layperson probably would have given the authorization to the scammers allowing them to take over their account.

Do not agree to approve any Gmail account recovery attempt. This is a phishing attack that ultimately sends you to a fake login page where you are asked to type your legitimate credentials to report that the account recovery request you received was not sent at your request. If you're not sure if the correspondence you receive from any company is real or not, it is always best to err on the side of caution. Get a legitimate phone number for the company from Google Search, make the call and have the company confirm that they sent you a notification or an email.