New AI Scam Targets Gmail Users with Fake Account Recovery Requests

Update: 2024-10-14 13:39 IST

A new and highly deceptive scam is making waves, targeting Gmail users and attempting to steal personal data through fake account recovery requests. The scam uses AI to deceive users into giving scammers access to their Gmail accounts. IT consultant and tech blogger Sam Mitrovic recently shared his experience with this scam, shedding light on the manipulative tactics involved and how easily users could fall prey to it.


How the Scam Operates

The scam begins with an unexpected notification, either via email or on your phone, asking you to approve a Gmail account recovery request that you never initiated. The request may seem urgent and, in many cases, originates from a different country. In Mitrovic's case, the scam notification came from the United States, even though he resides elsewhere.

If you decline the recovery request, as Mitrovic did, the scammers quickly follow up. About 40 minutes later, they attempt a second approach—a phone call that appears to come from an official Google number. The call itself is designed to be highly convincing, with a polite, professional-sounding voice (often American) claiming to represent Google.

The scammer generally informs the victim that suspicious activity has been detected on their Gmail account. They may ask if you've logged in from another country, making you feel more vulnerable and more likely to believe their narrative. The caller ID displayed may also look as if it's from a legitimate Google office, adding to the scam's apparent credibility.

Once the scammer gains the victim's trust, they claim that someone has accessed sensitive information from their Gmail account. The fraudster then sends a spoofed email that looks like it’s from Google, asking you to approve the earlier account recovery request. If you approve this request, the scammers can take full control of your Gmail account, potentially accessing your personal and sensitive data.

How to Safeguard Yourself from these Scams

These tips will help Gmail users protect themselves from this and similar scams.

1. Decline recovery requests you didn’t initiate: The first sign of a scam is receiving an account recovery request without having tried to recover your account. If you receive such a request, do not approve it under any circumstances.

2. Verify suspicious phone calls: Google rarely contacts users directly, especially regarding personal accounts. If you receive a phone call claiming to be from Google, do not engage. Instead, hang up and verify the phone number independently before taking any further action.

3. Check emails carefully: Scam emails often closely resemble legitimate ones from Google. Pay attention to small details, such as the sender’s email address or the “To” field. Spoofed emails can often be spotted if you take a close look.

4. Review security activity regularly: Frequently check your Gmail account's security settings and review recent login activity. This can help you spot any unfamiliar logins or suspicious behaviour. To do this, navigate to your Gmail account settings and click on the "Security" tab.

5. Verify email headers: If you are tech-savvy, you can examine the email headers to verify whether an email was sent from an official Google server. This method can help you detect whether an email is authentic or spoofed.
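
The header check from tip 5, as an added example that is not part of the original article: it reads the Authentication-Results header that the receiving mail server stamps on a message and requires passing DKIM and DMARC results aligned with google.com. The names `check_message` and `aligned`, the authserv-id `mx.google.com` (assuming the mailbox is hosted on Gmail) and both sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.google.com"  # assumption: the mailbox is hosted on Gmail
EXPECTED = "google.com"             # domain the message claims to come from

def aligned(domain):
    domain = domain.lower().rstrip(".")
    return domain == EXPECTED or domain.endswith("." + EXPECTED)

def check_message(raw):
    """Return (verdict, reasons) based on the receiving server's own checks."""
    msg = message_from_string(raw)
    reasons = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not aligned(from_domain):
        reasons.append("From domain is not " + EXPECTED)
    # Trust only the topmost result stamped by our own receiving server;
    # a sender can add forged Authentication-Results headers of its own.
    stamped = [h for h in msg.get_all("Authentication-Results", [])
               if h.split(";")[0].strip().lower() == TRUSTED_AUTHSERV]
    if not stamped:
        return "suspicious", reasons + ["no result from " + TRUSTED_AUTHSERV]
    ar = " ".join(stamped[0].split())  # unfold the multi-line header
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.[id]=(?:[^\s;@]*@)?([\w.-]+)", ar)
    if not any(res == "pass" and aligned(dom) for res, dom in dkim):
        reasons.append("no passing DKIM signature from " + EXPECTED)
    dmarc = re.search(r"\bdmarc=(\w+)[^;]*?header\.from=([\w.-]+)", ar)
    if not (dmarc and dmarc.group(1) == "pass" and aligned(dmarc.group(2))):
        reasons.append("DMARC did not pass for " + EXPECTED)
    return ("suspicious" if reasons else "consistent"), reasons

# Constructed sample headers (not real mail); SPOOFED carries a forged second result.
GENUINE = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@accounts.google.com header.s=sel1;
 dmarc=pass (p=REJECT) header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>
"""
SPOOFED = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@mailer.example header.s=s1;
 dmarc=fail (p=NONE) header.from=google.com
Authentication-Results: mx.google.com; dkim=pass header.d=google.com
From: Google <no-reply@google.com>
"""
if __name__ == "__main__":
    print(check_message(GENUINE), check_message(SPOOFED))
```

A "consistent" verdict only means the message was authenticated for the expected domain; an unrequested recovery prompt should still be declined as in tip 1.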
