A security expert has issued a global warning to Gmail users after uncovering a sophisticated scam designed to hijack Google accounts.
Microsoft security consultant Sam Mitrovic revealed how he almost fell victim to the scheme, which could have given cybercriminals full control over his Google account.
In a blog post, Mitrovic described receiving an unusual phone call from someone claiming to be from Google. This followed a suspicious notification he’d received about a Gmail account recovery request. Google sends such a notification when someone starts the account recovery process for an address, which is the path for regaining access when the password or second factor has been lost, and asks the owner to confirm or deny the attempt.
Though Mitrovic initially denied the recovery request, it recurred a few days later, this time accompanied by a phone call. When he answered, he heard an American-sounding voice, even though the call came from an Australian number. After a brief conversation, Mitrovic asked the caller to send him an email so he could verify the claim. The email looked legitimate at first glance, but on closer inspection Mitrovic realized it had been spoofed.
The security expert then noticed something odd: the voice on the other end repeated phrases with unnatural precision, leading him to suspect it was AI-generated. “The pronunciation and timing were too perfect,” he wrote.
Upon further investigation of his Google account activity, Mitrovic confirmed there had been no unauthorized access. He concluded that the scammers were attempting to trick him into approving the account recovery, which would have allowed them to take control of his account.
“If I’d stayed on the call, they likely would have asked me to approve the recovery notification, which would have handed them access,” Mitrovic warned.
What sets this scam apart is the level of sophistication. The phone number appeared to be from Google’s Australian office, and the email used convincing spoofing techniques. Mitrovic believes these elements make the scam more credible and likely to deceive many people.
“The attention to detail, like spoofing email addresses and using a legitimate-looking phone number, made it seem authentic. Many people could easily fall for this,” he explained.
Mitrovic cautioned Gmail users to be on high alert for such scams, noting that cybercriminals are becoming more advanced in their methods. He emphasized the importance of vigilance and conducting basic checks when receiving unexpected calls or emails asking for personal information.
“Scams like this are becoming more sophisticated, and the tactics are harder to spot. The best defense is to stay vigilant and verify everything before taking action,” he advised.
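One of the basic checks Mitrovic refers to is reading the email headers rather than trusting the visible sender name. The following is an added example, not code from Mitrovic's post or from Google: it parses a raw message, pulls the SPF and DKIM verdicts out of the Authentication-Results header stamped by the receiving mail server, and checks whether the domain that actually passed authentication aligns with the domain shown in the From: line (the relaxed alignment rule DMARC uses). The two messages are constructed for illustration; the sender domains, selector, IP address and the "notify-relay.example" domain are assumptions chosen to show one aligned message and one spoof that still shows "dkim=pass".

```python
"""Check whether an email's visible From: domain is backed by SPF/DKIM results
that align with it (relaxed DMARC-style alignment).

Added example; not Mitrovic's code and not a Google tool.  The sample messages
and every domain in them are constructed for this illustration."""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Crude organisational domain: the last two labels.  Good enough for
    .com-style names; real DMARC checkers use the public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def parse_auth_results(value: str) -> dict:
    """Extract (verdict, domain) for spf and dkim from an Authentication-Results
    header.  Folded header lines are collapsed to single spaces first."""
    value = re.sub(r"\s+", " ", value)
    results = {}
    m = re.search(r"\bspf=(\w+)(?:[^;]*?\bsmtp\.mailfrom=([\w.@-]+))?", value)
    if m:
        mailfrom = m.group(2) or ""
        results["spf"] = (m.group(1).lower(), mailfrom.split("@")[-1].lower())
    m = re.search(r"\bdkim=(\w+)(?:[^;]*?\bheader\.d=([\w.-]+))?", value)
    if m:
        results["dkim"] = (m.group(1).lower(), (m.group(2) or "").lower())
    return results


def check_from_alignment(raw_message: str) -> dict:
    """Return the authentication picture for the From: domain of one message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.split("@")[-1].lower() if "@" in from_addr else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_res, spf_dom = auth.get("spf", ("none", ""))
    dkim_res, dkim_dom = auth.get("dkim", ("none", ""))
    # A verdict only counts if the domain that passed is the one the user sees.
    spf_aligned = spf_res == "pass" and bool(from_domain) and org_domain(spf_dom) == org_domain(from_domain)
    dkim_aligned = dkim_res == "pass" and bool(from_domain) and org_domain(dkim_dom) == org_domain(from_domain)
    return {
        "from_domain": from_domain,
        "spf": spf_res, "spf_domain": spf_dom, "spf_aligned": spf_aligned,
        "dkim": dkim_res, "dkim_domain": dkim_dom, "dkim_aligned": dkim_aligned,
        "trust_from": spf_aligned or dkim_aligned,
    }


# Constructed sample 1: a genuine-looking alert where SPF and DKIM pass for the
# same organisational domain that appears in From:.
GENUINE = """Authentication-Results: mx.example.net;
       dkim=pass header.i=@accounts.google.com header.s=20230601 header.d=accounts.google.com;
       spf=pass (sender IP is 209.85.220.41) smtp.mailfrom=no-reply@accounts.google.com
From: Google <no-reply@accounts.google.com>
To: victim@example.net
Subject: Security alert

A recovery attempt was made on your account.
"""

# Constructed sample 2: the From: line claims google.com, and DKIM/SPF even say
# "pass", but they passed for the attacker's own relay domain.  A check that
# only looks for the word "pass" would accept this; alignment rejects it.
SPOOFED = """Authentication-Results: mx.example.net;
       dkim=pass header.i=@notify-relay.example header.s=sel1 header.d=notify-relay.example;
       spf=pass smtp.mailfrom=bounce@notify-relay.example
From: Google Support <support@google.com>
To: victim@example.net
Subject: Confirm your account recovery

Please approve the recovery prompt on your phone.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, check_from_alignment(raw))
```

Two caveats apply to the check above. The Authentication-Results header is only meaningful when it was written by your own receiving server (the authserv-id after the colon, here "mx.example.net"); a sender can insert a forged copy, so a production filter must discard any such header that does not carry its own server's identifier. And alignment only tells you the message really came from the domain shown; it says nothing about whether the phone call that accompanied it was genuine, which is why Mitrovic's advice is to verify through a channel you initiated yourself.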
He reminded users that companies like Google rarely reach out by phone or email to request personal information or account access. If someone gains control of a Gmail account, they can read its mail and stored data, impersonate the user, reach other Google services tied to the account, and use the mailbox to reset passwords on third-party services registered to that address.
Mitrovic’s key message to Gmail users is simple: stay cautious and never approve suspicious account recovery requests without thorough verification.