A "super realistic" AI-generated scam call almost cost a Microsoft consultant and potentially 2.5 billion others access to Gmail: "I would give them an A for effort"

What you need to know

  • Microsoft solutions consultant Sam Mitrovic recently published a blog post highlighting how he almost lost access to his Gmail account to hackers using a super realistic AI scam.
  • The hackers purported to be part of Google's Support team (with a discreetly disguised phone number and email address) to lure the consultant into sharing intricate and confidential details about his Gmail account.
  • While the phone number was featured on Google's Business Page, the consultant discovered that the email address used to contact him was under a non-Google domain.

Over the past few years, the emergence of generative AI and its broad adoption across sectors, including medicine, computing, and education, has promoted effectiveness and efficiency. However, hackers are also seemingly hopping onto the AI train and using the tech's sophisticated capabilities to lure unsuspecting users into their well-crafted attacks.

In a blog post, Microsoft solutions consultant Sam Mitrovic describes a sophisticated attack, which he calls a "super realistic AI scam call," that hackers are using to trick Gmail users. Perhaps more interestingly, the consultant claims that even the most experienced users could unsuspectingly fall victim to the ploy.

Over 2.5 billion people leveraging Google's Gmail service could be placed in a compromising position, potentially allowing bad actors to access confidential information they could use to cause harm or sell on the dark web.

Mitrovic discovered the sophisticated ploy when a notification popped up on his device, asking him to approve a Gmail account recovery attempt. Hackers are notorious for using this old trick to lure unsuspecting users to their traps. Luckily, Mitrovic declined the request and went about his business. Later, he received a notification indicating he'd missed a call from Google Sydney.

Things got interesting when he relived the same experience a week later. This time, however, Mitrovic picked up the call, which purported to be from Google Sydney. Upon answering, the consultant was told that he was speaking to Google's Support team. The caller further indicated that the team had flagged suspicious activity on his account and coincidentally tracked it back to the week before. The representative claimed the hackers accessed Mitrovic's account and downloaded data.

At this point, the Microsoft consultant's suspicion was at an all-time high, prompting him to cross-check the caller's ID on Google. While he established that the phone number was legitimately from Google's business page, Mitrovic still held onto his suspicions. As you may know, attackers use sophisticated ploys to mask their true identity.

Mitrovic asked the representative to email him, which would help him determine their identity. While the email almost fooled the Microsoft consultant, one of the addresses in the "to" field sold them out, as it was discreetly disguised under a non-Google domain.

As he concluded the blog post, Mitrovic indicated that the main giveaway of the scam was when he received the call:

"The caller said Hello, I ignored it then about 10 seconds later, then said Hello again. At this point, I realised it as an AI voice as the pronunciation and spacing were too perfect."

According to Mitrovic:

"The scams are getting increasingly sophisticated, more convincing and are deployed at ever larger scale. People are busy and this scam sounded and looked legitimate enough that I would give them an A for their effort. Many people are likely to fall for it. There are many tools to fight the scammers, however, at an individual level the best tool is still vigilance, doing the basic checks as above or seeking assistance from someone you trust."

Mitrovic says he dropped the call immediately after discovering he was speaking to bad actors who could potentially solicit his login credentials and compromise his Gmail account.

Microsoft is doubling down on security as hackers embrace AI

Google recently announced its partnership with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF) to fight sophisticated attacks. Through the new Global Signal Exchange program, users can get real-time information regarding sophisticated online scams and fraud techniques being leveraged by attackers, potentially placing them out of harm's way. 

Microsoft has also suffered a cascade of security failures. However, during the company's earnings report for FY24 Q3, the CEO Satya Nadella indicated, "We are doubling down on this very important work, putting security above all else, before all other features and investments."

Part of the company's effort to bolster security across its tech stack includes holding top Microsoft executives accountable for cybersecurity by tying a section of their compensation packages to meeting the set security thresholds. It also promises to expedite its response time when security issues are raised, prompting remediation.

Kevin Okemwa
Contributor
