Google Spear-Phishing Attack

Alex Waters
4 min read · Sep 11, 2024


As I tossed some garbage into a dumpster, my phone began to ring. Tired and sweaty, I swiped to answer the unknown number. A robotic voice on the other end said:

“Hello name, this is Google automated security. We have noticed some unusual recent activity on your Google account. There was an attempted login from Salt Lake City, Utah. Press 1 if this wasn’t you.”

Normally, I avoid unknown numbers, but my low focus got the best of me. I suspected it was a scam, but wanted to see how it would unfold. Does my computer need to be scanned for viruses?

After pressing 1, the call ended abruptly.

I finished my dirty deed at the dumpster — and began to drive home — picturing a tall glass of chocolate milk. My thoughts were rudely interrupted by another phone call, nearly drowned out by the hum of my old truck.

Curious, I answered and was greeted by a man with a typical American accent:

Andrew: “Hello, this is Andrew from Google security calling for [my actual full legal name].”

Alex: “OK”

Andrew: “We noticed some unusual activity on your account for Gmail address conceptofaplan@gmail.com. Did you attempt to change your phone number?”

Alex: “No”

Andrew: “Ok, I’m going to send a confirmation to your phone for you to verify that the activity wasn’t you. So that we can recover your account. This notification will come from your phone’s Google app. Your confirmation code is 83.”

Alex: “Can I confirm that you’re calling from Google? Is there a number I can call directly?”

Andrew: *hangs up*

Fortunately, I didn’t acquiesce to Andrew’s assertions. This attack involved two spoofed numbers, a robotic voice, and at least one real American man. With advances in AI, Andrew could have been a convincing automated voice.

I’m sharing this experience to help others recognize similar scams.

Will legislators, regulators, or phone companies take action against the rampant spam, scam, and phishing calls and texts?

It should be straightforward to implement an optional whitelist feature on all phones and impose hefty fines on companies and political organizations caught spamming numbers on the .gov do-not-call list (sign up, it helps).

The FCC could address issues like phone number provisioning, develop an anti-spoof Caller ID system, and impose repercussions for telecoms that facilitate spam.

Be safe out there. Here are some general recommendations to improve your security posture:

  1. Use a password manager to store and generate complex passwords.
  2. Keep your devices updated to mitigate security vulnerabilities.
  3. Enable MFA (multi-factor authentication) whenever possible.
  4. Avoid “security questions” based on publicly identifiable information. “Where did you go to high school?” can be googled. Instead, use unique passwords for each security question.
  5. Consider enrolling in Advanced Protection for Google accounts.
  6. Maintain segregated email accounts: one for store website signups and another for personal emails and banking.
  7. Use throwaway email accounts for non-important signups (e.g., Temp Mail).
  8. Secure your home WiFi with a strong password. WPA2, WPA2/3 mixed mode, or WPA3 are effective options when configuring home routers.
  9. Be cautious with public WiFi; phone tethering is a safer alternative.
  10. Avoid using public phone/tablet/laptop chargers and USB outlets; they pose risks like juice jacking.
  11. Do not log into Gmail accounts on public computers, like those in libraries or hotels.
  12. Be wary of USB drives from friends — they could be unintentionally infected with viruses.
  13. Minimize unnecessary browser extensions, applications, and phone apps as they can be vectors for exploits. Adjust app permissions where possible. The calculator app does not need access to photos.
  14. Be cautious with email attachments, especially from unknown sources. Messages like “Your FedEx package is available, click this attachment” are often attacks.
  15. Verify communications from trusted contacts, as their email address, phone number, or text messages could be spoofed or their devices compromised. Instead of your mom, you may be speaking to a T-1000 mimic. For tasks such as transferring money, granting account access, or downloading files, verify that you’re communicating with the actual person you know.
