Gmail security warning for 2.5 billion users—AI hack confirmed
Update: This story, originally published Jan. 30, has been updated with a statement from Google as well as comment from a security expert about the sophisticated Gmail AI attack.
Hackers are hiding in plain sight, avatars are being used in new attacks, and there have even been reports of persistent 2FA-bypass threats against Google users. What a great time it is to be alive if you’re a criminal hacker, although calling this latest scary hacker “alive” would be a stretch: be careful, this malicious AI wants your Gmail credentials.
Victim calls latest Gmail threat ‘most sophisticated phishing attack ever’
Imagine getting a call, from a number with a Google caller ID, from a U.S. support technician warning you that someone has compromised your Google account, which has now been temporarily blocked. Imagine that support person confirms this by sending an email to your Gmail account, as you requested, and that the email comes from a real Google domain. Imagine you ask about the phone number and whether you can call them back on it to make sure it’s real. They agree, after telling you it is listed on google.com, and warn that there might be a wait on hold. You check, it is listed, so you don’t make that call. Imagine you are then sent a code from Google to reset your account and take back control, and you almost click on it. Fortunately, by this stage Hack Club founder and near-victim Zach Latta had worked out that this was an AI-powered attack, albeit a very clever one.
If this sounds familiar, that’s because it is: I first warned about such AI-powered attacks against Gmail users on October 11 in a story that went viral. The methodology is nearly identical, and the warning to all of Gmail’s 2.5 billion users is the same: be aware of the threat and don’t let your guard down for a minute.
“Cybercriminals are constantly developing new tactics, techniques and processes to exploit vulnerabilities and circumvent security controls, and companies must be able to quickly adapt and respond to these threats,” said Spencer Starkey, vice president at SonicWall. “This requires a proactive and flexible approach to cybersecurity, including regular security assessments, threat intelligence, vulnerability management and incident response planning.”
Mitigating AI attacks against your Gmail account credentials
Much of the usual phishing mitigation advice goes out the window when talking about these super-sophisticated AI attacks. “She sounded like a real engineer, the connection was very clear, and her accent was American,” said Latta. This mirrors the description in my story in October, when the attacker was described as “super realistic,” although in that case there was a pre-attack phase in which notifications of compromise were sent seven days beforehand to prepare the target for the call.
The original target was a security consultant, which possibly saved them from falling victim to an AI attack, and the latest potential victim is the founder of a hacking club. You may not have the same technical experience as these two, who both very nearly fell for it, so how can you stay safe?
“We have suspended the account behind this scam,” a Google spokesperson said. “We have not found evidence that this is a wide-scale strategy, but we are hardening our defenses against abusers who leverage g.co references in sign-ups to protect users.”
“The speed at which new attacks are being launched makes them more adaptive and harder to detect, which presents an additional challenge for cybersecurity professionals,” Starkey said. “From a high-level business perspective, they must constantly monitor their networks for suspicious activity, using security tools to identify where logins are occurring and on what devices.”
For everyone else, especially consumers: if someone calls you claiming to be from Google Support, stay calm and hang up, because Google will not call you.
If in doubt, use resources such as Google Search and your Gmail account to investigate that phone number and to see whether your account has been accessed by someone unfamiliar to you. Use the web client and scroll to the bottom of the screen where, at the bottom right, you’ll find a link that reveals all recent activity on your account.
Finally, pay special attention to what Google says about staying safe from attackers who use Gmail phishing scams.
(Read the latest news of the country and the world first on TalkAaj (Talk Today News), follow us on Facebook, Twitter, Instagram and YouTube)