New Gmail Security Alert For 2.5 Billion Users As AI Hack Confirmed

October 13, 2024

Davey Winder – Senior Forbes Contributor

Davey Winder is a veteran cybersecurity writer, hacker and analyst.

Updated Oct 13, 2024, 11:33am EDT

Update, Oct. 13, 2024: This story, originally published Oct. 11, includes details of a new Google anti-scam alliance initiative, a new warning about legitimate-looking support scams and details of Google’s Advanced Protection Program to protect high-risk accounts.

Google has implemented increasingly sophisticated protections against those who would compromise your Gmail account—but hackers using AI-driven attacks are also evolving. According to Google’s own figures, there are currently more than 2.5 billion users of the Gmail service. No wonder, then, that it is such a target for hackers and scammers. Here’s what you need to know.

The Latest AI-Driven Gmail Attack Is Scary Good

Sam Mitrovic, a Microsoft solutions consultant, has issued a warning after almost falling victim to what is described as a “super realistic AI scam call” capable of tricking even the most experienced of users.

It all started a week before Mitrovic realized the sophistication of the attack that was targeting him. “I received a notification to approve a Gmail account recovery attempt,” Mitrovic recounts in a blog post warning other Gmail users of the threat in question. The need to confirm an account recovery, or a password reset, is a notorious phishing attack methodology intended to drive the user to a fake login portal where they need to enter their credentials to report the request as not initiated by them.

Unsurprisingly, then, Mitrovic wasn’t falling for this and ignored the notification that appeared to originate from the U.S. and a missed phone call, purporting to be from Google in Sydney, Australia, some 40 minutes later. So far, so relatively straightforward and easy to avoid. Then, almost exactly a week later, the fun started in earnest—another notification request for account recovery approval followed by a telephone call 40 minutes later. This time, Mitrovic didn’t miss the call and instead picked up: an American voice, claiming to be from Google support, confirmed that there was suspicious activity on the Gmail account.

“He asks if I’m traveling,” Mitrovic said, “when I said no, he asks if I logged in from Germany, to which I reply no.” All of this to engender trust in the caller and fear in the recipient. This is when things turned dark fast and really rather clever in the overall scheme of phishing things. The so-called Google support person informed Mitrovic that an attacker had accessed his Gmail account for the past 7 days, and had already downloaded account data. This rang alarm bells as Mitrovic recalled the recovery notification and missed call from a week earlier.

For full story, check it out on Forbes website.

FEMA warning about Hurricane Helene false information and scams

October 4, 2024

ATLANTA – North Carolinians should be aware that con artists and criminals may try to obtain money or steal personal information through fraud or identity theft after Tropical Storm Helene. In some cases, thieves try to apply for FEMA assistance using names, addresses and Social Security numbers they have stolen from people affected by the disaster.

If a FEMA inspector comes to your home and you did not submit a FEMA application, your information may have been used without your knowledge to create a FEMA application. If this happens, please inform the inspector that you did not apply for FEMA assistance so they can submit a request to stop further processing of the application.

If you did not apply for assistance but receive a letter from FEMA, please call the FEMA Helpline at 800-621-3362. The helpline will submit a request to stop further processing of that application.

If you do want to apply for FEMA assistance after stopping an application made in your name without your knowledge, the helpline will assist you in creating a new application.

Scams

FEMA Disaster Survivor Assistance (DSA) crews, housing inspectors and other officials will be working in areas impacted by Tropical Storm Helene. They carry official photo identification badges. FEMA representatives never charge applicants for disaster assistance, inspections or help in filling out applications. Their services are free.

Don’t believe anyone who promises a disaster grant in return for payment.

Don’t give your banking information to a person claiming to be a FEMA housing inspector. FEMA inspectors are never authorized to collect your personal financial information.

If you believe you are the victim of a scam, report it immediately to your local police or sheriff’s department or contact North Carolina Attorney General’s Office at 877-566-7226 or visit ncdoj.gov/protecting-consumers/.

If you have knowledge of fraud, waste or abuse, you can report these tips – 24 hours a day, seven days a week – to the FEMA Disaster Fraud Hotline at 866-720-5721. You can also email StopFEMAFraud@fema.dhs.gov to report a tip.

For the latest information about North Carolina Tropical Storm Helene recovery, visit fema.gov/disaster/4827. Follow FEMA on X at x.com/femaregion4 or on Facebook at facebook.com/fema.

New Google Chrome Warning—You Must Never Copy And Paste This Text

From Forbes

A technically complicated warning for Google Chrome users has just been issued, but thankfully it’s one with a stupidly simple instruction that you must follow to avoid being attacked.

The warning comes courtesy of Proofpoint, which says it has “observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware.”

The research team suggests multiple threat actors have been using the technique, delivering various forms of malware in the process. It’s easy to spot, though, and so once aware, users should find it very easy to prevent an infection. These are actually instructions you should be following anyway.

For the complete story, check it out on Forbes.com

How to Spot and Report Mail Scams

From the Texas Attorney General

Learn how to recognize mail scams, file a complaint when appropriate and protect your personal and financial information.

Consumers’ mailboxes are regularly stuffed with unsolicited mail. Most of it is harmless but pesky junk mail offers – but there is a risk it could be a mail scam. 

How to Spot a Mail Scam

Mail scammers will try to get your attention in various ways – ranging from exciting offers to intimidating threats. Regardless of their message, the goal of a mail scam is to get you to either send money or provide your personal information. 

Below are common warning signs of a mail scam: 

  • A claim that you have been specially selected
  • A request that you “confirm your personal information”
  • A request for payment by means other than credit card – including cash, gift card, wire transfer or private courier 
  • Use of suspicious official-looking documents or fake government seals
  • A request for your credit card or other payment mechanism for “shipping and handling”
  • Use of threats if you don’t comply – even the threat of arrest 

If you recognize any of these warning signs, stop reading and do your homework. If you suspect it is a scam, file a complaint with the Office of the Attorney General. 

Learn more about tactics used by all scammers on our How to Spot and Avoid Common Scams page.

Although not all junk mail is a scam, you can be proactive about decreasing junk mail in order to reduce your risk of being scammed. 

Remove Your Name from Mailing Lists

To help reduce the amount of junk mail you receive, you can remove yourself from some mailing lists. To do so, register with the Direct Marketing Association’s Mail Preference Service. There is a processing fee of $5 to remove yourself for a period of five years.

Opt-Out of Credit Offers

You can also limit the number of pre-approved credit offers you receive by removing your name from the marketing lists of consumer credit reporting companies. Visit OptOutPreScreen.com to learn more about how to request to opt out of offers of credit or insurance. You have the choice of opting out of receiving offers for five years or opting out of receiving them permanently.

Contact Your Credit Card Company and Bank

If any of your credit card companies send random-issue convenience checks, request in writing to be removed from that mailing list. 

Contact your bank about its privacy and information policies. If they provide your account information to third parties, you may be able to request to opt out of this practice.

How to Recognize and Avoid Phishing Scams

Scammers use email or text messages to trick you into giving them your personal and financial information. But there are several ways to protect yourself.

How To Recognize Phishing

Scammers use email or text messages to try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could get access to your email, bank, or other accounts. Or they could sell your information to other scammers. Scammers launch thousands of phishing attacks like these every day — and they’re often successful.

Scammers often update their tactics to keep up with the latest news or trends, but here are some common tactics used in phishing emails or text messages:

Phishing emails and text messages often tell a story to trick you into clicking on a link or opening an attachment. You might get an unexpected email or text message that looks like it’s from a company you know or trust, like a bank or a credit card or utility company. Or maybe it’s from an online payment website or app. The message could be from a scammer, who might

  • say they’ve noticed some suspicious activity or log-in attempts — they haven’t
  • claim there’s a problem with your account or your payment information — there isn’t
  • say you need to confirm some personal or financial information — you don’t
  • include an invoice you don’t recognize — it’s fake
  • want you to click on a link to make a payment — but the link has malware
  • say you’re eligible to register for a government refund — it’s a scam
  • offer a coupon for free stuff — it’s not real

Here’s a real-world example of a phishing email:

Imagine you saw this in your inbox. At first glance, this email looks real, but it’s not. Scammers who send emails like this one are hoping you won’t notice it’s a fake.

Here are signs that this email is a scam, even though it looks like it comes from a company you know — and even uses the company’s logo in the header:

  • The email has a generic greeting.
  • The email says your account is on hold because of a billing problem.
  • The email invites you to click on a link to update your payment details.

While real companies might communicate with you by email, legitimate companies won’t email or text with a link to update your payment information. Phishing emails can often have real consequences for people who give scammers their information, including identity theft. And they might harm the reputation of the companies they’re spoofing.

For more, visit the Federal Trade Commission Consumer Advice website

Learn the Warning Signs of ‘Military Scams’

Jan. 23, 2024 – Military One Source

Your military friend or family member serves our country with integrity and honor. Unfortunately, there are scammers out there who try to take advantage of that service to cheat them and you. You can help protect your service member against military scams by learning the warning signs of schemes that target those in the military community.

Rental Property Scams

These scams target military personnel looking for housing near a base. Scammers pretend to be real estate agents and post fake ads for rental properties on websites, sometimes promising military discounts and other incentives. They try to get service members to send them money for fees and deposits upfront – and the victim ends up with no money and no place to live.

If someone insists on receiving money or other payments before a property has been seen, it is probably a rental scam.

DFAS/MyPay Phishing Scams

These schemes try to steal a service member’s identity by getting Social Security numbers, bank accounts and other personal information. The scammer pretends to be from the Defense Finance and Accounting Service or another military group and contacts members or their spouses by phone, email or text. They may claim that due to computer problems, your information was lost and needs to be reentered to process payments. In other cases, their emails contain links or attachments that can put malware on computers to steal passwords and account information.

Your service member should never give personal information on the phone – or click on links in emails – from someone they don’t know. Also, DFAS and other military organizations never ask for personal financial information, account numbers or passwords.

Payday Loans

Is your friend or family member having trouble making ends meet? If they are considering getting a short-term payday loan to tide them over, they may be setting themselves up for long-term financial trouble.

“Short-term,” “personal” or “payday” loans are unsecured loans for small amounts – generally $500 or less – that charge big interest rates and fees. (A typical two-week payday loan charging $15 per $100 borrowed equals an annual percentage rate of almost 400%.) Many payday loan companies operate online and advertise “fast cash” and “no credit required.”

Active-duty service members are protected from payday loans by the Military Lending Act, which keeps lenders from gouging military personnel with high interest rates and fees. 

For the rest of the story, visit www.militaryonesource.mil

8 Scams That Senior Medicare Patrols Are Seeing Now

By Kimberly Lankford – AARP

Published November 15, 2023

Senior Medicare Patrol volunteers are often the first to identify new Medicare scams because they meet one-on-one with Medicare beneficiaries. Here are some of the top scams they’re seeing and what you can do to protect yourself:

1. A new round of COVID fraud

During the height of COVID-19, criminals offered free coronavirus tests as a way to gather people’s Medicare numbers and other personal information and file fake claims in their name.

“Somebody calls unsolicited, offering to send a COVID test,” says Tiffany Erhard, New York state Senior Medicare Patrol director. “They aren’t sending real tests, but they’re billing as if they are, and they’re taking the person’s information to use it unscrupulously or sell it.”

After a major investigation, the Department of Health and Human Services Office of Inspector General charged 18 defendants in nine federal districts across the U.S. for making more than $490 million in COVID-related false billings.

The scam died down but resurfaced near the end of the public health emergency, which officially expired May 11, 2023. Senior Medicare Patrols reported seven COVID complaints in January 2023, then suddenly had 72 in April.

“They’re using the end of the public health emergency to try to get personal information and Medicare numbers,” says Director Rebecca Kinney of the Administration for Community Living’s office of health care information and counseling. Her division of the U.S. Department of Health and Human Services (HHS) finances the Senior Medicare Patrol program.

Note: You can get four free COVID tests in the mail by requesting them at covid.gov/tests.

2. Bills for diabetes supplies

Volunteers in the Lone Star State report an increase in diabetes supply scams, says Diane Nguyen, program director for the Texas Senior Medicare Patrol.

Claims for continuous glucose monitoring devices are showing up on Medicare summary notices for people who don’t have diabetes and didn’t receive the device, she says. The scammers charge Medicare.

“The only reason we are seeing these cases is that people are checking their Medicare summary notices,” Nguyen says.

For more, read the full article at AARP

Everything You Need to Know About Facebook Marketplace Scams

By Patrick J. Kiger – AARP

Published January 16, 2024

When U.S. Air Force veteran Amanda Pelletier, 49, set out to decorate the new home in Spring Branch, Texas, that she and her husband, Michael, 52, had purchased after their retirement from the military, she needed some side tables and other pieces of furniture. Like many people these days, she searched online and connected with a seller through Facebook Marketplace, the popular shopping site that’s part of social media platform Facebook.

Pelletier felt safe with her seller, who dealt in refurbished furniture and had previously sold a piece to Pelletier’s adult daughter. “I thought I was dealing with a real businessperson,” she explains.

Pelletier ordered $4,200 worth of items, sending the money through a payment app that she says the seller insisted on using, and waited for her furniture to arrive. But it never did. Instead, the seller “started giving me excuses why she couldn’t deliver, like she got sawdust in her eye from doing the refurbishing,” Pelletier says. “It just snowballed, and got worse and worse.” Eventually, she realized “I was being scammed.”

Pelletier isn’t the only shopper who’s encountered a scammer on Facebook Marketplace, which debuted in 2016 as a rival to Craigslist and has grown into a massive e-commerce site where users can shop for everything from toys and pet supplies to used cars and houses. While Facebook Marketplace is a good place to find just about anything you might be looking to buy, the site’s popularity also attracts criminals who use a variety of scams to steal shoppers’ money, including peddling wares they never actually send.

Sellers, too, are often inundated by messages from scammers, some of whom may be trying to get their personal information, the Better Business Bureau (BBB) recently warned. It noted that criminals have been asking sellers for their phone numbers so that they can text them a verification code — part of a process they can use to commit identity theft.

Facebook Marketplace’s size and familiar brand name may lull some shoppers into complacency, says Amy Nofziger, director of victim support for the AARP Fraud Watch Network. “But people need to understand that just because it’s on a big platform like Facebook, that doesn’t mean that anyone is vetting the sellers,” she cautions. “You have to go into it with eyes wide open.”

For full story, visit the AARP website