- A new phishing scam has targeted a Google programmer
- The attack was worryingly convincing, and has made Google tighten defenses in response
- Not sure how to spot a phishing scam? Follow our tips
A new ultra-realistic phishing scam reported by a Google programmer could make a lot of us a little uneasy.
Zach Latta, warned in a recent blog post, “Someone just tried the most sophisticated phishing attack I’ve ever seen. I almost fell for it. My mind is a little blown.”
Starting with a phone call from the Caller ID ‘Google’, this phishing attempt was enough to convince a Google programmer into being one button press away from disaster – here’s what we know so far.
A convincing story
On the other side of Latta’s phone call, which is a genuine number associated with Google Assistant calls, was a ‘Google engineer’ called Chloe.
The connection was ‘super clear’, with Latta noting the scammer had an American accent, and claimed to be from Google Workspace – asking if he had recently attempted to log into his account from Frankfurt, Germany.
From there, the programmer asked if ‘Chloe’ could confirm this by emailing from an official Google email. Worryingly, the scammer obliged, and sent Latta an incredibly official looking email with a case number.
Not only was the email sent, but it was sent from the address ‘workspace-noreply@ google.com’, and related to his ‘password for important.g.co’ which the attacker claimed was an internal Google subnet. This is important, because even our own TechRadar phishing advice identifies this as a serious indication of risk.
But g.co is an official Google URL – which is confirmed by Google and even has its own Wikipedia page. Latta, being a tech worker, knew to verify the phone number, so Googled the number – and was encouraged to do so by the scammer, who advised him to quote his case number if he called. The number is listed on google.com pages, which was enough to placate Latta enough.
The scammer was encouraging Latta to carry out a ‘sessions reset’, on his device, which rang alarm bells for the programmer. The scam’s first stumbling block came when Latta checked his Google Workspace logs himself, and of course, didn’t find any suspicious activity.
When pressed, the scam began to unravel – with the attacker transferring to a manager who further encouraged Latta to log out from all devices and reset his password. Shockingly, the scammer was able to provide the genuine MFA code that was sent to Latta, which, if entered, would’ve given the attackers access to Latta’s account.
Thankfully, Latta was able to spot the red flags and by this point, was already suspicious enough to avoid handing his account over – but the scammer got close, Latta admitted.
“Literally 1 button press from being completely pwned. And I’m pretty technical!”
This particular attack has made Google up its defenses in response.
“We’ve suspended the account behind this scam, which abused an unverified Workspace account to send these misleading emails” a Google spokesperson told TechRadarPro.
“We have not seen evidence that this is a wide scale tactic, but we are hardening our defenses against abusers leveraging g.co references at sign up to further protect users.”
Google also reiterated: “Google will not call you to reset your password or troubleshoot account issues.”
The news follows a trend of cybercriminals deploying smarter and more frequent attacks, in part enabled by the advent of AI. This particular scam even bypassed MFA and used a legitimate Google domain, so even the most tech-savvy among us should be on the lookout.
Escaping phishing attacks
What’s concerning about this scam in particular is that it has found workarounds for some of the classic tell-tale signs of a scam. As Latta said,
“The thing that’s crazy is that if I followed the 2 “best practices” of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.”
Checking the legitimacy of the email and phone number is pretty much the first recommendation for any unexpected communications – and that’s still good advice, but clearly it will only filter out the lower level attacks at this point. If you’re not sure what exactly a phishing attack is, we’ve put together an explainer.
That said, remaining suspicious of any and all unknown communications, especially those urging action, really is the best defense against phishing attacks.
In the kindest way possible, it’s unlikely you’re important enough for Google to be concerned enough to call you about your personal email account – so be very wary of anyone reaching out to you out of nowhere.
A Google spokesperson told TheRegister, “As a reminder, Google will not call users to reset their passwords or troubleshoot account issues, so feel free to treat any incoming calls as the garbage they are.”
Look out for any obvious markers, like bad spelling or grammar – and be mindful of which organizations would already know your name – it’s unlikely your bank would start an email with ‘Dear customer’.
Alongside that, avoid clicking any links on emails from people you don’t know, and don’t open attachments or scan QR codes either. If you’d like more detail, take a look at our full phishing defense and how to stop it.
Another layer of defense against scams, is using the best identity theft protection, which can help if you do accidentally click the wrong thing.