Scammers are employing increasingly sophisticated methods to impersonate Google support, leading victims to unknowingly compromise their online security. This alarming trend has come to light through the accounts of multiple victims, including software engineer Zach Latta, founder of Hack Club, who detailed his chilling experience with phone calls and emails crafted to look convincing.
Latta's encounter began when he received a call purportedly from Google, using the caller ID 650-203-0000, a number associated with automated calls from Google Assistant. Despite some initial suspicion, Latta described the caller as sounding legitimate: “She sounded like a real engineer, the connection was super clear, and she had an American accent.” The caller, who identified herself as Chloe, claimed Latta's Google account had been compromised, allegedly accessed from Frankfurt.
What followed was disconcerting. The scammers sent Latta an email from the official Google subdomain g.co, which he had no way of knowing was part of their scheme. The email was indistinguishable from legitimate correspondence and passed through several email authentication protocols like DKIM, SPF, and DMARC, which usually protect users from phishing attacks. “The thing that's crazy is if I followed the two ‘best practices’ of verifying the phone number and getting them to send me an email from a legit domain, I would have been compromised,” Latta later warned.
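As an added illustration (not from the article, and not Google's or Latta's code), the following Python parses an Authentication-Results header and reports which domain a DMARC-aligned SPF or DKIM pass actually vouches for; both sample headers are constructed. It makes the point above concrete: SPF, DKIM and DMARC all passing for g.co proves only that the message was authorised by that domain's mail infrastructure, not that the person behind it is Google support.

```python
import re
from typing import Dict, Optional

# Constructed headers (not real captures). The first mirrors the article's case:
# SPF, DKIM and DMARC all pass for g.co. The second is a lookalike domain whose
# DKIM signature belongs to a third-party mailer and does not align with From:.
AUTH_GCO = ("mx.example.net; spf=pass smtp.mailfrom=g.co; "
            "dkim=pass header.i=@g.co header.s=20230601; "
            "dmarc=pass (p=REJECT) header.from=g.co")
AUTH_LOOKALIKE = ("mx.example.net; spf=pass smtp.mailfrom=bulkmailer.example; "
                  "dkim=pass header.i=@bulkmailer.example; "
                  "dmarc=fail (p=NONE) header.from=g-co-support.example")

METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.i|header\.d|header\.from)=([^\s;]+)")

def parse_auth_results(header: str) -> Dict[str, Dict[str, str]]:
    """Split an Authentication-Results header (RFC 8601 style) into per-method
    results; each clause runs from 'method=result' to the next ';'."""
    body = header.split(";", 1)[1] if ";" in header else header  # drop authserv-id
    results: Dict[str, Dict[str, str]] = {}
    for clause in body.split(";"):
        m = METHOD_RE.search(clause)
        if not m:
            continue
        entry = {"result": m.group(2).lower()}
        for key, val in PROP_RE.findall(clause):
            entry[key] = val.lstrip("@").lower()
        results[m.group(1)] = entry
    return results

def aligned(a: str, b: str) -> bool:
    """Relaxed DMARC alignment, simplified for the example: exact match or one
    domain is a subdomain of the other (real implementations use the Public
    Suffix List to find the organisational domain)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def vouching_domain(header: str) -> Optional[str]:
    """Return the From: domain that an aligned SPF or DKIM pass vouches for, or
    None. A pass binds the message to that domain's infrastructure and nothing
    more; it does not verify who the sender claims to be."""
    r = parse_auth_results(header)
    frm = r.get("dmarc", {}).get("header.from")
    if not frm:
        return None
    spf, dkim = r.get("spf", {}), r.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), frm)
    dkim_ok = dkim.get("result") == "pass" and aligned(
        dkim.get("header.i", dkim.get("header.d", "")), frm)
    return frm if (spf_ok or dkim_ok) else None
```

For the g.co header the function returns "g.co", which is exactly as far as the authentication checks take you; whether a genuine support process would ever initiate contact this way is a separate question the headers cannot answer.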
The scam also involved sending links to fraudulent LinkedIn profiles as supposed proof of the caller's legitimacy, and attempting to get Latta to reset his account using instructions disguised as security measures.
This latest incident sheds light on the growing tactics of cybercriminals who can pose as trusted entities. Garry Tan, founder of the venture capital firm Y Combinator, echoed similar concerns. Tan received alarming phishing attempts via email and phone as well. He issued what he called a “public service announcement” on social media, cautioning users about the elaborate ploys, saying, “They claim to be checking if you are alive and should disregard a death certificate filed claiming a family member is recovering your account.”
Such tactics are not isolated. Sam Mitrovic, a Microsoft solutions consultant, encountered what appeared to be the same phishing attempts months earlier. He received notifications of Google account recovery attempts, followed by phone calls posing as support in which the caller fabricated suspicious activity on his account. Mitrovic ignored the first call; when he did engage, he noticed inconsistencies. “It’s just too polished—it seemed like AI voice technology,” he noted, something that is becoming increasingly commonplace among scammers.
Though every detail seemed well-coordinated, Mitrovic eventually spotted signs of spoofing. He recalled, “The caller said ‘Hello,’ I ignored it, then about 10 seconds later said ‘Hello’ again.”
These experiences highlight the urgency for individuals to be vigilant against such scams, especially as they grow more sophisticated. Experts recommend activating features like Google’s Advanced Protection, which incorporates passkeys and smart keys to safeguard accounts from unauthorized access—even if hackers possess user credentials. A Google spokesperson described Advanced Protection as taking “extra steps to verify your identity.”
It's clear: the digital world is fraught with dangers as scammers adapt their tactics. Latta, Tan, and Mitrovic's experiences serve as stark reminders to users everywhere to remain cautious, validate the identity of callers, and approach unsolicited emails with skepticism. With increasingly convincing methods, the line between genuine support and malicious actors is becoming difficult to discern. Protecting oneself is not just prudent; it's imperative.