Security experts are warning that AI-driven phishing attempts and scams targeting Gmail accounts are getting harder to detect and much more sophisticated.
The attempts can include fake notifications from real Google addresses, convincing phone calls from AI or human agents that appear to come from legitimate Google phone numbers and links pointing to Google pages that serve to make the scam seem legitimate.
In September, Microsoft products security expert Sam Mitrovic posted about such a scam that targeted him personally. Y Combinator CEO Garry Tan posted a warning last week on X about a similar phishing attempt he encountered.
Cybersecurity writer Davey Winder rounded up these warnings on Forbes, as well as information about how scammers are using Google Forms as another method of fooling people with Google accounts.
In an email to CNET, a spokesperson for Google pointed to a blog post that offers advice on how to avoid email scams, phone and text scams, and scams that can occur during web browsing.
Google recently helped begin efforts on a Global Signal Exchange with the Global Anti-Scam Alliance and DNS Research Federation to create a database of scam and fraud attempts. The Exchange includes executives from Amazon, Meta, Mastercard and Trend Micro and will initially focus on URLs, IP addresses and reports of scams and phishing attacks. It’s set to launch officially on January 1, 2025.
According to Winder, there are two ways Gmail users can help protect themselves. The first is to become familiar with Google’s policies and advice on phishing (including what to do if you’re a victim and locked out of your account). The second applies to users who are more likely to be targeted, including politicians and journalists: they should look into Google’s Advanced Protection Program, which can include the use of a hardware security key (basically a device such as a secure USB drive for logins). Google recently added passkey support to the program.