How to spot the latest fake Gmail security alerts

Security alerts from tech companies are supposed to warn us when something might be amiss—but what if the alerts themselves are the risk? Scammers have long impersonated tech companies’ security and support staff as a way to sniff out users’ login credentials, and reports suggest that they’re doing it again, at scale.

The attack goes like this: Victims get an email or phone call allegedly from Google support that warns someone has tried to hack their account. The best way to protect themselves is to reset the password, the scammer says.

They then send the victim a separate account reset email, and the victim dutifully enters their login credentials. That message includes a code that the victim must read out to verify that they are legitimate. The “support staff” say they will enter this code to reset the account, but they are really using those precious extra few seconds to hijack it.

Someone posting to Reddit described getting a call from someone in California who claimed to be from Google.

“He was trying to actively recover my account and steal possession of it, while on the phone with me,” the Redditor said, adding that they challenged the caller, calling them a scam artist. The caller then upped the ante, asking them to look up their number, which showed up on caller ID, and even to hang up and call the number back. “He was completely bluffing — as when you call that number you cannot get a human on the line,” said the Redditor. “They don’t staff that line with agents.”

This scam, reported by Forbes, is just one example of how imposters build trust by pretending to be from tech companies. Last month, the Federal Trade Commission also warned Amazon customers of fake refund emails. The scam messages tell customers that a product they were sent failed to pass an Amazon quality check, and ask them to click a link for a refund. The link, of course, is malicious and leads to information theft.

This kind of thing might leave users worried. After all, if you can’t trust messages purporting to be from your technology provider, then who can you trust?

Companies often have guidance to help prepare you for such scams. Google’s guide to verifying security alerts says that the company will never take you to a sign-in page or ask you to verify yourself. It also says that all legitimate messages will appear on the Security page of your Google account, under “Recent security activity.” Amazon also has a page on identifying scams.

Our favorite comment came from the same Redditor who posted about the Google scammer: “The best thing I’ve read regarding these attempts is ‘Google will NEVER call you out of the blue. They don’t care about your account,’” they said. Snarky, but likely true. “Be highly suspicious and never give anyone a code or password and never accept those recovery prompts unless you are 10000% certain YOU issued them.”
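The tells described above (a sender that is not Google, a link that takes you to a sign-in or reset page, a request to read out a code or to call a number back) can be checked mechanically. The following Python is an added example, not code from the article, from Google or from Malwarebytes; it assumes that genuine alerts come from, and link only to, google.com hosts, and it runs over two constructed sample messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample messages, not real alerts. The fake one uses the reserved example.net domain.
GENUINE = """From: Google <no-reply@accounts.google.com>

A new sign-in was detected on your account. Review it at:
https://myaccount.google.com/notifications
"""

FAKE = """From: Google Support <support@google-support.example.net>

Someone tried to hack your account. Sign in here to reset your password:
https://google-support.example.net/reset
When the 6-digit code arrives, read the code to our agent.
If you prefer, call the number shown on your caller ID.
"""

# Assumption for this example: a genuine alert comes from, and links only to, google.com hosts.
TRUSTED_DOMAINS = ("google.com",)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Wording that mirrors the scam script: read a code to someone, sign in via a link, call a number.
RED_FLAGS = {
    "asks you to hand over a code": re.compile(r"\b(read|tell|give|send)\b.{0,40}\bcode\b", re.I),
    "asks you to sign in or verify via the message": re.compile(r"\b(sign in|log in|verify your (identity|account))\b", re.I),
    "asks you to call a number": re.compile(r"\bcall\b.{0,40}\b(number|back)\b", re.I),
}

def _trusted(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_alert(raw):
    """Return the reasons a message looks like a fake alert; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if not _trusted(sender_domain):
        reasons.append("sender domain %r is not a Google domain" % sender_domain)
    body = msg.get_payload() if not msg.is_multipart() else ""  # plain-text messages only
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not _trusted(host):
            reasons.append("link points to untrusted host %r" % host)
    for label, pattern in RED_FLAGS.items():
        if pattern.search(body):
            reasons.append(label)
    return reasons
```

`check_alert(FAKE)` returns five reasons, while `check_alert(GENUINE)` returns an empty list; the heuristics are deliberately simple and should be read alongside the “Recent security activity” check Google recommends.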


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
