The US Federal Bureau of Investigation has issued a warning about a new wave of Google Voice authentication scams tricking people into giving attackers their Gmail credentials.
Google Voice is a service that lets people set up a virtual phone number, which customers can use for both domestic and international calls. It can even send and receive text messages. But attackers can also use this functionality to trick people into volunteering information that eventually leads to criminals gaining access to their Google services. What’s worse is that you don’t even need a Google Voice account to be targeted.
If you have ever posted your phone number anywhere online, threat actors can access it. People post their phone numbers when they’re trying to sell something, for example. Some recent reports indicate that people who posted announcements about lost pets have been targeted as well.
“The scammer contacts you via text or email. He is really interested in buying that couch or thinks he found Fluffy,” explained FBI in their advisory. “He says he just needs to make sure you are legitimate so he doesn’t get scammed. He says he will send you an authentication code from Google to confirm that you are a real person and not a bot.”
“You will receive that authentication code in the form of a voice call or a text message. He asks you to repeat that number to him.”
The attacker is doing something else with the authentication code – he’s setting up a fake Google Voice account for use in various other frauds, making it very difficult to trace to the actual criminal. Moreover, the attacker can use the same authentication code to access Gmail or other Google services.
Google offers advice on reclaiming the Google Voice account if you get scammed. The FBI also listed advice on how to avoid getting scammed in the first place:
Here are some ways to avoid getting scammed in the first place:
· Never share a Google verification code with others.
· Only deal with buyers, sellers and Fluffy-finders in person. If money is to exchange hands, make sure you are using legitimate payment processors.
· Don’t give out your email address to buyers/sellers conducting business via phone.
· Don’t let someone rush you into a sale. If they are pressuring you to respond, they are likely trying to manipulate you into acting without thinking.