Security & Privacy

AI scam bots are trying to “recover” your Gmail account

Posted on by

Did you get an unexpected alert from Google asking “Is it you trying to recover your account?” Or did you receive a phone call that seems to be from a Google call center, claiming there’s “suspicious activity”? You might be the target of an AI-powered account takeover scam.

It’s hard to believe that we’re at the point where hackers use AI voice bots to social-engineer people and hack into accounts. And yet, here we are.

Let’s break down the scam and how it works. Here’s what you should do now to avoid having your Google or Gmail account hacked.

In this article:

The “Is it you…?” alert on your phone

You may have a Google app installed on your phone, such as Gmail. If so, and if someone tries to hack into your Google account, you may get an alert delivered via a push notification, similar to the following:

Is it you trying to recover your account?

[your Google avatar and Gmail address]

Device
Google Support: [alleged support rep’s name]

Near
California, USA [or any other location]

Time
Just now

(❌ No, don’t allow)  (✅ Yes, it’s me)

No matter what the “Device” line says in the alert you received, the source device is definitely not a Google Support representative trying to recover access to your account for you. It’s always an attacker trying to break into your account (again, unless you personally tried to recover your account at that exact moment).

If you ever get an alert similar to this when you aren’t expecting it, always click on the “❌ No, don’t allow” button. Then be sure to follow the steps in the “How to avoid getting hacked” section below.

(Note that the push notification will be from the Google or Gmail app itself, not from an e-mail. If you see something like the above in the body of an e-mail message, don’t click on anything.)

The AI-voice phone call and follow-up e-mail

In this particular scam, you might also get a follow-up telephone call. It might even look like it comes from a Google phone number—but scammers can easily spoof this.

And it might sound like a real person—in theory, it might be. But in recent attacks, hackers have been deploying artificial intelligence bots with realistic-sounding voices instead. Because they’re powered by AI, they can plausibly respond to your questions or concerns.

Often, call recipients are skeptical. During the call, the bot may send an e-mail to your Gmail account that, at first glance, might appear legitimate. It may even appear to be sent from an “@google.com” address; again, this is spoofable. It might be sent to, or CCed to, an address at “internalcasetracking(.)com”—a domain that was registered three months ago, and doesn’t belong to Google.

Typically, the body of the e-mail refers to an “Agent” followed by the name the bot gave you. It often claims, “Your Case #[8-digit number] for Google Workspace has been updated.” The e-mail often signs off with “Thank you for your cooperation” followed by “Best regards, Google Account Security Team.”

This e-mail doesn’t actually come from Google—even if it looks like it might. In reality, it’s a scam. If you get such a message, please use the “Report phishing” option in Gmail.

How to avoid getting hacked

If you get an “Is it you…?” alert like the one above, it’s critically important to first say “❌ No, don’t allow,” and then change your password and enable two-step verification for your Google account. You should do both via the official Google site linked below. (You shouldn’t trust any supposed Google links you got via e-mail, text message, or even Google search results.)

Why is it important to change your password and enable two-step verification?

Changing your password to something long, complex, and unique—never used elsewhere is crucial to ensure that someone can’t find your password in a data breach. And enabling two-step verification (also called two-factor authentication) provides an additional layer of protection for your account.

You might not realize it, but your e-mail account is one of the ones you need to protect the most. Think about this: most sites offer a “reset password” function. How do these typically work? They send you an e-mail with a password reset link. Now imagine what an attacker can do if they get access to your e-mail. It becomes clear that safeguarding your e-mail account should be a high priority for everyone.

Other scams to watch out for: Apple, sextortion, and fake invoices

We’ve previously covered a number of scams on The Mac Security Blog, including some that have similarities to this one. Common scams you should beware of include the following:

Be sure to sign up for our free e-mail newsletter to stay up to date on the latest scams and threats to your security and privacy.

How can I learn more?

To read more about this AI voice scam, see this X post from Garry Tan and deep-dive blog post by Sam Mitrovic.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on X/Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on LinkedIn Follow Intego on Pinterest Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon. View all posts by Joshua Long →