Associated Incidents
If you get a message from Gmail that someone has tried to recover your account, beware. A Microsoft consultant, Sam Mitrovic, recently detailed attempts by hackers to target the web-based free email system after being targeted by the sophisticated scam himself. We know that people are usually the weakest part of any digital security system, which is why "phishing" scams that attempt to convince a human to give away security information that lets hackers break into systems often make news. But in the AI era, it seems that automated, artificial-intelligence-powered systems are making the whole process much simpler for the attacker.
Mitrovic's blog post on the hacking attempt calls it a "super realistic" AI-powered attempt at a Gmail account takeover, tech news site Tom's Guide reports. When Mitrovic was targeted, he first got a notification that someone had tried to "recover" his Gmail account. This is a legitimate process that users can go through if they've lost access, for example by forgetting a password. Savvy to a potential scam, Mitrovic denied the request. Within an hour, Mitrovic then missed a phone call that appeared to come from Google's Sydney offices (Mitrovic is based in Australia).
A week later he got another recovery request, and another phone call---which he answered. And this is where things get creepy. An American-sounding voice claimed to be calling from Google support to warn Mitrovic of "suspicious" activity on his Gmail account. Mitrovic asked for an email confirmation, and while he was studying the email that was sent---which turned out to be a subtle fake that possibly only an expert could identify---he paused talking on the phone. Then the other voice on the line tried a few "hellos" to reconnect with Mitrovic, and it was at this point he realized it was an AI-generated fake: "the pronunciation and spacing were too perfect," he said. He hung up.
This is absolutely terrifying. Think about it. A hacker was able to set up an AI-powered system that could carry out a multi-stage scam involving several different digital security systems to get a user to give away login information.
Before the advent of AI, a scam like this would have needed a real person to make this sort of phone call. Now, merely by clicking a button, a hacker could launch hundreds or possibly thousands of such attacks at once. And then, once they had access to the accounts of the fraction of users who fell for the scam, they could leverage the freshly hacked Gmail accounts to make money, perhaps by demanding a "ransom" before users could regain access.
A similar AI-powered scam hit the headlines earlier this year simply because of the scale of the theft that happened: a Hong Kong-based banking company suffered a $25 million hit thanks to a similar sort of multi-layered AI phishing attack that involved an AI-faked personality pretending to be the company CFO.
Why should you care about this, though? Because Gmail has some 2.5 billion users, Forbes reports. And some estimates suggest that around 5 million businesses use Gmail as their email provider globally, with an estimated 60 percent of small businesses relying on the service. This makes great financial sense for a small or solo-person enterprise: you get all of the convenience of using Google's sophisticated tools for zero cost---more profit! But smaller businesses may also have smaller, or wholly outsourced, IT teams, and most workers' expertise isn't focused on the tech sphere.
This is another great reminder that your team needs to be extra careful when dealing with unexpected emails. Falling for a scam nowadays is much easier than it was in the days of the "send $5 million to a Nigerian prince" rip-offs of yesteryear---now you have to tell your staff that they may even get highly convincing AI-powered phone calls too.