7 comments

[ 4.1 ms ] story [ 39.1 ms ] thread
It's wild how quickly this rumor spread across major news sources, and yet I was unable to find a primary source at all. I wonder how this started.
Completely useless corporate speech. The whole text contains zero more information than the headline. I would have expected at least some information what are the false claims.
Don't know what the news says, but today morning I got a call from a "James Wilson" claiming to be from Google. He knew my email address (and phone number obviously) and told me that someone was attempting to change my phone number. He wanted to do a security authorization or something where I guess I would have been asked to divulge more information about my account.

When I asked him to prove he was from Google, he didn't seem fazed at all and said he would send me an email from a google.com email to prove it, and gave me his name and "employee ID". We kept talking and he said the email should show up and it was sent from his side, but the email never came. I then said I'd call google support and ask to speak with him instead - he was still unfazed. I did call Google support (im on Google One for Gemini access so luckily I actually have access to a phone number I can call), and they said it was likely a phishing attempt. I did suspect scam from the start, but it did seem a tad more professional and polished than the usual scams - the person really sounded professional, good voice quality, there wasn't a whole lot of noise in the background, they weren't fazed by my attempts at verification and just tried to dodge them hoping I wouldn't notice instead, they didn't try any pressure/urgency tactics like scammers often do.

So this news is real.. as far as I can tell they were able to connect my email address to my phone number via a leak from Google. They were trying to escalate that into further access.

I was able to break through the scam veneer on one of these calls. It was remarkably professional up until I outright called him out and told him how I knew it was a scam (the email "from Google" didn't have the right headers, he missed a bit of the terminology, didn't recognize a term, and the caller ID number was listed as being used for this scam).

I asked where he got my information, and he claimed he pulled it from Github and cross-referenced it with a large public dump.

I think it’s a lot likelier that some other company which has both your phone and email was breached, and conveniently the domain in your email tells them who you use as your email provider, which they can then pose as.
>While it’s always the case that phishers are looking for ways to infiltrate inboxes, our protections continue to block more than 99.9% of phishing and malware attempts from reaching users.

Let's see, things that bypass the filters:

1. Using <yourgmailaddressfirstpart>@google.com which causes a mail delivery error bot bounce to @gmail.com with the spam/malware content

2. Using thousands of bot created gmail.com accounts because the gmail domain has immediate reputation within gmail