A new advisory warns of a scam that can affect literally anyone and is designed as a precursor to additional vishing scams and/or Gmail account takeovers.
If you’re unfamiliar with Google Voice, it is a service where Google provides you with a virtual phone number so you can make and receive calls and texts. Assuming you are unfamiliar with it, you may be wondering what all the excitement is about.
In a new advisory entitled “Building a Digital Defense Against Google Voice Authentication Scams”, the FBI outlines a scam in which a threat actor responds to a personal ad (the FBI uses the example of selling a couch on Craigslist or some other site) and says they want to make sure you are legitimate, so they don’t get scammed, by sending you an authentication code from Google.
What’s really happening is that the scammer is setting up Google Voice using your phone number as the primary number and using you to assist them with Google’s authentication process during setup. Once completed, the threat actor has a new Google Voice account tied to your mobile phone, so they can carry on without worrying about having it tied to their phone. Additionally, the code being sent could be used to allow them to reset the password to your Gmail account.
Organizations relying on Gmail for corporate email should be especially concerned about the ramifications of such a scam; with access to one of your internal email accounts, threat actors can easily spray out phishing emails designed to provide endpoint access or install ransomware.
Users should be educated about this and other such scams using ongoing Security Awareness Training. Through repeated exposure to phishing and scam scenarios, users build up a sense of vigilance against these kinds of attacks, spotting them instantly and reducing the organization’s risk of a successful attack.