Heads up: new Google support scam uses a REAL email from Google
Posted by murkr@reddit | sysadmin | 159 comments
Just got a call from some American guy, maybe in his 20s, telling me someone was trying to swap the phone number on my Gmail account. I told him I don't care, I have TOTP 2FA on my account. He started getting agitated and said something like "oh that doesn't matter" and went on with some BS. I told him no way, you're lying.
That's when he goes "you think I'm f***ing lying?" and tells me to check my email.
Sure enough, a real email from noreply@google.com pops up in my inbox. His name and a case number right there in the subject line. I dug into the headers expecting to find some spoofing trick. Nope. Genuinely from Google's servers. DKIM, SPF, DMARC all checked out.
So here's how he pulled it off. He spoofed my email address in the "From" field and sent a message to a Google no-reply address, with his fake case info in the subject line. Google's autoresponder bounced back to the forged sender (me), so I got a real email from Google that looked like it confirmed him. Nothing in my Sent folder. No hack on my account. Just a forged From field and Google's robot doing what robots do.
Once I called BS, he started cursing at me, asking how much money I had in Coinbase, reading off my home address, telling me someone was going to come kick in my door. Honestly I wish I would've played along longer to see the full playbook, but I shut him down too quick.
This one is going to fool a lot of people because the "proof" email really is from Google. Is there any way to report this to Google so they can stop this from happening?
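One way to triage a message like the one OP describes, as an added example that is not part of the original post: parse the raw message ("Show original" in Gmail gives you the .eml), read the Authentication-Results line (which describes the bounce itself, not the message it quotes), confirm that it is an RFC 3464 delivery status notification, pull the headers of the message the MTA says it could not deliver, and check that message's Message-ID against what you actually sent. The sample NDR, the addresses, the agent name and the case number below are constructed placeholders, not a real Google bounce.

```python
import re
from email import message_from_bytes, policy

# Constructed sample NDR (placeholders; not a real Google bounce).  The attached
# message/rfc822 part is what the MTA claims it could not deliver.
SAMPLE_NDR = b"""\
Return-Path: <>
Authentication-Results: mx.example.net; spf=pass smtp.helo=mx.example.com; dkim=pass header.d=example.com; dmarc=pass
From: Mail Delivery Subsystem <mailer-daemon@example.com>
To: victim@example.net
Subject: Delivery Status Notification (Failure)
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered to noreply@example.com.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.com

Final-Recipient: rfc822; noreply@example.com
Action: failed
Status: 5.1.1
--b1
Content-Type: message/rfc822

From: victim@example.net
To: noreply@example.com
Subject: Case #4471 - Agent Mike
Message-ID: <forged-1@attacker.example>

(empty)
--b1--
"""


def parse(raw):
    return message_from_bytes(raw, policy=policy.default)


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results.  They were computed
    for the bounce as sent by the MTA, not for the message quoted inside it."""
    text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))


def is_bounce(msg):
    """RFC 3464 DSNs have an empty reverse-path and are multipart/report with
    report-type=delivery-status (most are also marked Auto-Submitted)."""
    empty_return_path = str(msg.get("Return-Path", "")).strip() in ("", "<>")
    return (empty_return_path
            and msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")


def failed_recipients(msg):
    """(Final-Recipient, Action) pairs from the machine-readable status part."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():
                if "Final-Recipient" in block:
                    out.append((str(block["Final-Recipient"]), str(block.get("Action", ""))))
    return out


def quoted_original(msg):
    """Headers of the undeliverable message.  Its From and Subject are whatever
    the submitter typed; nothing here proves the victim sent it."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            return {h: str(inner.get(h, "")) for h in ("From", "To", "Subject", "Message-ID")}
    return {}


def triage(raw, sent_message_ids):
    """sent_message_ids: Message-IDs of mail this mailbox really submitted
    (from the Sent folder or an outbound log)."""
    msg = parse(raw)
    orig = quoted_original(msg)
    bounce = is_bounce(msg)
    if not bounce:
        verdict = "not a bounce"
    elif orig.get("Message-ID") in sent_message_ids:
        verdict = "bounce of a message we sent"
    else:
        verdict = "backscatter: bounce of a message we never sent"
    return {"auth": auth_results(msg), "bounce": bounce, "original": orig,
            "failed": failed_recipients(msg), "verdict": verdict}
```

Everything the caller "proves" lives in the attached original message, whose From and Subject are free text typed by whoever submitted it; the authenticated part is only the bounce from the MTA's own domain, which is why SPF, DKIM and DMARC all pass. The Message-ID check is the same correlation a mail gateway has to do to filter backscatter: an NDR for a message that never left your system is junk no matter who signed it.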
Rustyshackilford@reddit
Damn, y'all are too harsh on this man. This is a pretty clever vector.
I get calls from vendors all the time. It's not an option to just not answer unknown callers. Contractors and vendor techs aren't going to leave a VM usually.
These folks act like shower thought folks reacting to how they WOULD have dealt with a situation. You did fine.
Thanks OP for the insight. Stay safe.
Trash_Golem@reddit
I roll my eyes at all the "Don't answer unknown numbers" people. I'd love to have that privilege. Do these people think we WANT to answer our phone for work more often than we have to? Like we just take extra calls for fun? Whoopee!
_oohshiny@reddit
If your work expects you to be contactable by phone, they should provide a work phone.
Rustyshackilford@reddit
Well, that still has nothing to do with the attack vector. What's it matter whether it's a personal device or a work device? Still gotta answer the damn phone.
Rustyshackilford@reddit
My employer provides a $75 monthly reimbursement for using my phone for work.
_itsalwaysdns@reddit
I set up a new number for work and used an old iPhone I had laying around.
hologrammetry@reddit
Does it not also say "mail returned as undeliverable"? And you're posting this in r/sysadmin? 2026, I'm out.
Ok_Tap7102@reddit
I like to think I'm not a complete moron but it still took me at least 15 minutes to figure out what was happening when I got my first one, even though the original body was clearly some scam shit
Catch me on a random phone call with 5 seconds heads up, I wouldn't bet my life on noticing it, but OP still did anyway
hologrammetry@reddit
Then why did it take you 15 more minutes to figure it out?
Ok_Tap7102@reddit
How it arrived in my inbox, creating a push notification if it was so clearly "Your iCloud account overdue $300", when genuine emails I get don't even ping me
Obviously it was unsolicited, but then my thoughts went to "but if it's a failed send then how are they spoofing my Gmail to Google's mail servers"
I think the part you're missing is that both OP and I are describing being out and about living our lives, away from the computer at least momentarily, a foreign concept I'm sure.
PKPenguin@reddit
Thinking you're so above things like these that you need not even regard them is how they get you btw
hologrammetry@reddit
I’m pretty sure that being incapable of identifying a scam and then writing a whole Reddit post about it is how they get you.
Mindless_Consumer@reddit
Don't. Give. Information. On. An. In-bound. Call.
murkr@reddit (OP)
I didn't give them anything
Mindless_Consumer@reddit
You confirmed your phone number is associated with that email.
You confirmed security status.
You confirmed you are willing to talk to a scammer and provide information.
Sasataf12@reddit
OP doesn't mention giving out their email address or any other information (other than saying they have MFA setup).
I think you're overreacting.
Mindless_Consumer@reddit
How exactly am I overreacting?
Sasataf12@reddit
Can't be ascertained to be true from the information provided. Overreacted.
Not a big deal. Overreacted
Information provided is inconsequential. Overreacted.
Mindless_Consumer@reddit
So given the choice you would rather a scammer know the information they have on you is valid than uncertain.
At the cost of what? A frustrating call with a scammer?
You gain nothing, the call only benefits them. Now multiply this by the millions of other calls. That are going to happen today.
Give one piece of advice to an elderly person to avoid getting scammed, what is it?
Do not. Give information. On an inbound call. End of story.
Sasataf12@reddit
I'd rather it be uncertain. But that's a fallacious proposition because the scammer already has your information. What can you say to change that?
"That's not actually my email address, so please delete that."
And what information did OP give exactly?
Mindless_Consumer@reddit
Lol are you really endorsing talking to scammers? Like this is the hill to die on for you?
This is basic ass advice, you're being a contrarian for like zero gain. I guess that tracks actually.
Sasataf12@reddit
No, no more than I'm endorsing jaywalking. But I don't see an issue with OP or anyone doing it, as long as they know what they're doing. Several streamers do it and make a good living off of it.
Basic ass advice for you maybe. If you're worried that scammers will successfully phish information from you, then it's smart advice to take.
Mindless_Consumer@reddit
You suspect OP here is back-hacking the scammers for YouTube views?
You think back-hackers reveal truthfully information to the scammers?
Sasataf12@reddit
No. Why would you think that?
No. Why would you think that?
Mindless_Consumer@reddit
Lol okay guy.
You have fun giving info to scammers. Enjoy your evening.
Sasataf12@reddit
OP didn't give any meaningful info to scammers...that's been explained many times. Not sure why you're still beating that drum.
You're overreacting if you think scammers knowing you have MFA enabled is a major problem.
Mindless_Consumer@reddit
Lol, you hate this piece of advice, don't you.
Look buddy. You go talk to scammers. I'll not lose any sleep about it.
Oh, if you get absolutely any benefit from it whatsoever, let me know.
Sasataf12@reddit
What piece of advice? Don't talk to scammers? I think it's a great piece of advice...just like don't jaywalk. But it's not a big deal if you do, as long as you know what you're doing.
OP obviously knows how to handle talking to scammers. I don't see why OP doing that has gotten such a strong reaction from you, especially when, by your own admission, you won't lose any sleep over it. Just weird.
Mindless_Consumer@reddit
Pretty sure you've made a bigger deal about this.
I get it man. Scammers. Gotta talk to em i guess.
Sasataf12@reddit
All I did was correct you by saying OP didn't give out any info. You decided to spin it into some conspiracy about helping scammers.
If people know what they're doing and want to talk to scammers, all power to them. I don't see why you're so against it.
Mindless_Consumer@reddit
Lol.
gioraffe32@reddit
I had a user who once came to me about a suspicious email. Several staff were CC'd on it, including former staff (whose emails may not have been shut down yet). After looking at it, I was like, "Yeah, looks like phishing. Good catch; just mark it as spam and delete."
Which he did. But not before he replied-all to the phishing email. It was something like "Nice try, but I know this is spam! You can't fool us!"
Sigh. I had to kindly go back to user and be like, "Well, you just confirmed to the phisher that your email address is actually an active inbox that is monitored by a person. And their emails are getting through. And since you replied all, the phisher may even assume that so are the rest of the company addresses. We may get more phishing and spam emails now. There's no reason to ever respond to phishing or spam; never do that again." I got a sheepish "Oh...I didn't think about that...Sorry..." at least.
Recent_Carpenter8644@reddit
So what should OP have done? Hung up as soon as they heard what they wanted?
Mindless_Consumer@reddit
On an inbound call, you ask who's speaking and what they want.
In this case Google support has some bullshit.
You don't tell them anything, then hang up and verify the information.
You'll never get scammed and scammers get very little to work with.
Honest support agents will understand and be helpful.
Ruevein@reddit
Seriously. I have to inform anyone in my firm that if they reply to a scam or phish email, they are now on a list of real working emails and to expect higher than normal phishing emails going forward.
I feel even just collecting and selling a list of live emails is worth it for these scammers.
dcgrey@reddit
I've had to explain that to friends and family about phone scams from unknown numbers, when they say "Oh I like stringing them along, making them waste their time." First of all, you just wasted your own time. Second, they now know your phone number is active, answers unknown numbers, and is answered by someone with time to talk. That number gets commoditized with thousands of others and resold until either someone hits you with the right scam or you go a long time without answering their calls.
alpha417@reddit
Lol.
alpha417@reddit
Heads up: you answered a phone call.
...and we're done here.
Binky390@reddit
Thank you! Why do people answer unknown numbers? The only time I do is when I’m expecting a call which is rare.
Daphoid@reddit
Middle ground of not expecting a call because it's the receptionist for a medical referral your doctor put in months ago and they're calling you 4 months later to book an appointment in 2 months and if you don't pick up, sorry back of the line.
There are rare legitimate calls that come in from unexpected businesses and medical things that I actually would like to answer.
Binky390@reddit
That’s fair but those rare calls will leave a voicemail if it’s important so you can call back. If I get a call from an unknown number and they don’t leave a voicemail, I assume it was a scammer, cold call or telemarketer.
Daphoid@reddit
Fair. Though for me, telemarketers / scammers leave voicemails a lot. Not well intentioned ones, usually bots, but they definitely leave them :)
Binky390@reddit
I meant a real voicemail with important information that would identify the caller as someone you actually want or need to talk to.
stackjr@reddit
Eh. I answered a call today from an unknown number and I'm glad I did, it was to set up the next interview for a job.
To me, at least, I think the bigger part is: if you didn't initiate the call, do not give out any personal information.
Binky390@reddit
That would be expecting a call though.
stackjr@reddit
So I wasn't really expecting; I interviewed two weeks ago and just assumed they went with a different candidate. Of course, now I'm not sure I want the job.
Binky390@reddit
Congrats on the interview. But I would call that expecting still. If you're actively job searching or just applied for a few, you're expecting a call from an unknown number to follow up.
stackjr@reddit
Hmmm. I answered a random call from the hospital when the ex thought she was having a heart attack, does that count?
Honestly, I answer most calls but it's really easy (for me, at least) to tell if it's a scam. I also understand that's a "me" thing, though, and not everyone is the same and most people would be better just ignoring unknown calls.
Binky390@reddit
They would have left a voicemail or called again if it was important.
I never answer my phone. I tell people I’m a millennial and the majority of my career has been about answering phones. I’m not answering my own. I don’t buy a $1K phone for someone to call me on it.
alpha417@reddit
I'd love for Verizon to allow us to set two ring tones by default. One for numbers in our phone book (who don't already have a distinctive ring), and another for numbers not in our phone book.
I almost had some traction with suggesting it to a port of Cyanogen mod like 15 yrs ago, iirc... it never went anywhere.
1Digitreal@reddit
Scammers rarely leave VMs. Don't answer your phone for unknown numbers.
TeeJee48@reddit
But it's so fun wasting their time!
ElCincoDeDiamantes@reddit
It's typically only slightly less terrible than slave labor, so their time cannot be wasted. Remember--all people live intricate and complicated lives.
When they text me, I try to talk to them and find out where they are from. I once spoke to a group of boys in China who just wanted to "see the beautiful nature in the US". Sent them some photos of a trail or something, and they seemed to genuinely appreciate the conversation.
It started with the usual "oh, wrong number." But I just called them out and tried to be nice. They denied it, but then I just started going on about how I hope they're happy, etc. After that, the messages were far more broken English/no longer scripted, and they didn't try to sell me anything else.
OptimalCynic@reddit
It's not to waste their own personal time. It's to waste time they could have spent talking to Meemaw in Florida who's very concerned that the technical department of Microsoft might cut her off from the one remaining child who hasn't gone no-contact for political reasons.
TeeJee48@reddit
Yes this is exactly the point.
I don't care if the job sucks. I feel bad for the minority that are literally forced into it, but even then that doesn't make wasting their time a bad thing!
CatProgrammer@reddit
What would I do with a scammer's virtual machine anyway?
_oohshiny@reddit
Sandbox escape
IAmAGuy@reddit
I have the automated assistant turned on. I never have to deal with spammers now.
Illustrious_Ad9381@reddit
So those people trying to reach me about my car's extended warranty were legit? 😱
a679591@reddit
I miss those guys...
im-just-evan@reddit
They were too legit… too legit to quit.
IM_A_MUFFIN@reddit
HEY HEYYYYYY!
JollyGentile@reddit
My phone automatically screens any caller who isn't in my contacts. Saves me from untold nonsense.
Sir_Badtard@reddit
The thing I love about my Pixel is I can screen calls kind of like a live VM and I can just keep sending the auto robot responses to keep them on the phone as long as possible without talking to them by just hitting buttons.
OceanWaveSunset@reddit
I love when the AI answers, rejects them, and hangs up on them.
No voicemail and I get to see and/or listen if I want
Sore_Wa_Himitsu_Desu@reddit
Some of us have to answer unknown numbers for multiple reasons. So I’m glad to read about this.
Morkai@reddit
Yup, Apple and Microsoft MFA calls frequently come from a random assortment of numbers, but I suppose the benefit is I can watch out to only pick up random numbers within a few seconds of a login attempt to various services.
pifumd@reddit
I wish they didn't leave voicemails, my mailbox stays full
Robulus@reddit
Just this week I've gotten 2 dozen calls from unknown numbers, only 4 have been flagged as spam by the carrier. 80% were from my area code, 90% from area codes in my state. I didn't answer any of them and not a single one left a voice mail. If it weren't for my wife, I'd never answer the phone.
LaDev@reddit
This is why I LOVE call screening. I take maybe 5% of calls that hit my phone.
judyfatbooty@reddit
The ultimate Zero-Day vulnerability: Answering a call from an unknown number in 2026.
Daphoid@reddit
98% accurate, but I do feel for medical clinics / doctor offices, they'll be an unknown number, not always have caller ID, or worse be a private number. While I'm all for blocking and screening calls - I have had a few cases where its caused issues from legitimate businesses trying to call me.
Master-IT-All@reddit
Ya, my phone has been on mute since 2012.
What pisses me off about my mobile service, I can't actually deactivate the voice mail functionality. So every so often I have to call it and then 777777777777 delete without listening.
Pyrostasis@reddit
Oh boy.
St0nywall@reddit
I am sorry you are receiving so much hostility when you're only trying to do something good.
I am sure someone who doesn't know about this will be more vigilant in the future because of it.
Thank you OP.
TU4AR@reddit
You know there was a thread on /r/Linux on people needing to be nicer to other Linux users. The same can be true to fellow sysadmin.
No wonder people think we are clueless shut-in autism folk when we can't even have a what's up conversation.
It's crazy.
itishowitisanditbad@reddit
Responsibilities come with accountability.
If a guard keeps forgetting to lock doors, should they not get criticism for the possible severity of that fault?
This isn't happy play place for only positive thoughts.
Unfortunately apathetic people can cause livelihoods to be destroyed by their actions and reality exists. People should take things more seriously.
If thats controversial then oh well. I'll live.
TU4AR@reddit
A guard coming in and saying that they saw something new to them shouldn't be met with ridicule.
Experience doesn't give a right to act callous to someone; in fact I would wager that's why information technology managers and VPs seem robotic to some.
Having empathy to show the ropes creates a better work environment.
It's the same thing that led to the Linux discussion of changing the mentality of RTFM or LMGTFY, which has created this unnecessary behavior of hostility to where no one wants to share their issues in fear of being ridiculed.
itishowitisanditbad@reddit
"Prisoner today said they were wrongfully imprisoned and I should give them the keys.... guys? Is that legit? Should I?"
Bit dangerous. Should be met with appropriate concern that it wasn't understood better/quicker.
Yeah.
Despite many people still doing it?
I don't understand. Where are people no longer sharing issues?
TU4AR@reddit
So somehow you took what OP posted, and got that a prisoner said he shouldn't be in there?
Seems like you have bigger problems if that's what you took away from it.
itishowitisanditbad@reddit
No.
I was using an example with the context of our conversation and you deflected.
We were talking...
ok.
LTJC@reddit
Talked to the same kid. I just kept ringing him back over and over again. He picked up 10 times before he realized I had way more time on my sick day than he did and he finally blocked my number.
About a month later he called me back again. I said "Hey coinage kid, remember me!" Then laughed at him. He hung up in about 2 seconds. Haven't heard from him again.
By the way, the bounce email trick is old. Email headers should have shown the bounce happen (or further down the email chain) IIRC.
InnovativeBureaucrat@reddit
What does the bounced email look like? I would think it looks like a bounce but I guess it would be confusing if it has my name and his name
LTJC@reddit
I had hoped that someone would have responded by now. This is my mobile account and reproing the bounce and pointing it out isn't exactly easy enough that I want to put the effort in.
You can use telnet to send an email as any from address you want. What they do is send an email to a fake address with your email as the spoofed "from" address. It's built into the RFC protocol because back in the 90s they didn't think this would be an issue.
If there's really enough interest, I'll go through the process on my desktop and remove any PII to try and explain it in detail, but I am not some NetSec guru. I'm just an old man who happened to "luck" into the beginning of the script kiddie days and has forgotten much more than I remember.
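The submission LTJC describes, as an added example that is not from the original comment: a minimal SMTP session driven against a scripted fake receiver, so it runs offline with no real mail server involved. The thing to notice is that the reverse-path given in MAIL FROM (the address any later bounce is sent to) and the From: line inside DATA are both chosen by whoever submits the message, and no step of the protocol ties either of them to the connecting host. Hostnames and addresses are placeholders.

```python
class ScriptedServer:
    """Replies like a minimal RFC 5321 receiver and records the session.
    Hypothetical stand-in for a real MTA so the exchange can run offline."""

    def __init__(self):
        self.transcript = []                      # "C: ..." / "S: ..." in order
        self.envelope = {"mail_from": None, "rcpt_to": []}
        self.data = None                          # message as received
        self._in_data = False
        self._buf = []

    def greet(self):
        return self._say("220 mx.example.com ESMTP")

    def handle(self, line):
        self.transcript.append("C: " + line)
        if self._in_data:
            if line == ".":                       # end of DATA
                self._in_data = False
                self.data = "\r\n".join(self._buf)
                return self._say("250 2.0.0 OK queued")
            # undo dot-stuffing; nothing inside DATA is interpreted by SMTP
            self._buf.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self._say("250 mx.example.com")
        if verb == "MAIL":                        # reverse-path: bounces go here
            self.envelope["mail_from"] = arg.split(":", 1)[1].strip("<>")
            return self._say("250 2.1.0 OK")
        if verb == "RCPT":
            self.envelope["rcpt_to"].append(arg.split(":", 1)[1].strip("<>"))
            return self._say("250 2.1.5 OK")
        if verb == "DATA":
            self._in_data = True
            return self._say("354 End data with <CR><LF>.<CR><LF>")
        if verb == "QUIT":
            return self._say("221 2.0.0 Bye")
        return self._say("500 5.5.1 Command unrecognized")

    def _say(self, reply):
        self.transcript.append("S: " + reply)
        return reply


def submit(server, envelope_from, envelope_to, header_from, subject, body):
    """Drive one submission.  envelope_from (MAIL FROM) and header_from (the
    From: line inside DATA) are set independently by the client."""
    server.greet()
    for cmd in ("EHLO relay.attacker.example",
                f"MAIL FROM:<{envelope_from}>",
                f"RCPT TO:<{envelope_to}>",
                "DATA"):
        reply = server.handle(cmd)
        if not reply.startswith(("250", "354")):
            raise RuntimeError(f"{cmd!r} rejected: {reply}")
    lines = [f"From: {header_from}", f"To: {envelope_to}",
             f"Subject: {subject}", ""] + body.splitlines()
    for line in lines:
        server.handle("." + line if line.startswith(".") else line)  # dot-stuffing
    reply = server.handle(".")
    server.handle("QUIT")
    return reply


def bounce_target(server):
    """Where a DSN from this receiver would be addressed: the envelope
    sender, regardless of what the From: header inside the message says."""
    return server.envelope["mail_from"]


def demo():
    # Constructed session: both sender fields name the victim, so the victim
    # receives any later bounce that quotes this message.
    srv = ScriptedServer()
    submit(srv, envelope_from="victim@example.net", envelope_to="noreply@example.com",
           header_from="victim@example.net", subject="Case #4471 - Agent Mike", body="hello")
    return srv
```

Two consequences worth holding onto. A receiver that rejects during the session (a 5xx reply at RCPT or after DATA) generates no bounce of its own; the submitting side is left to report the failure to itself. Backscatter only happens when the receiver accepts the message and gives up on it afterwards, at which point it mails a DSN to the MAIL FROM address, so it is the envelope sender, not just the From: header, that the attacker points at the victim.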
JerikkaDawn@reddit
I haven't run any on prem mail infra in a decade, but I do have DKIM/DMARC/SPF set up for our M365 domain. So take this as an honest question -- I didn't see it explained anywhere why Google is backscattering NDR before doing DKIM/DMARC/SPF on the incoming email in the first place?
Why send an NDR before checking if this is even forged? Is this a normal thing?
slickrickjr@reddit
"I shut him down too quick"
Pfft. Someone curses at me and I'm done.
Leviathon713@reddit
Dude. One thing right off is you assume someone's age. I talked to a customer in his 60's yesterday. I thought he would have been in his 30's.
I see a lot of assumptions here, but you started right off with one big one.
awhaling@reddit
Someone I know got this same one, we spent a long time toying with them and they wouldn't admit it even though it was obvious we knew at that point. They just hung up lol
coalsack@reddit
It’s crazy people answer unknown numbers knowing that deepfakes can clone your voice with less than five seconds of audio.
murkr@reddit (OP)
I run a business. I answer my phone.
Trash_Golem@reddit
It is revealing to me how many posters in here post this opinion unironically and think they're making a good point. Holy hell. I wish I could ignore unknown numbers. Unfortunately, I have to be available to people who can have arbitrary numbers at times, sometimes even the general public. This is just the nature of my job.
Everybody in this subreddit already knows it's bad security practice to ever give out unnecessary information, including "this number is active and answered". That is obvious. Pointing that out isn't educating the OP, it's just showing how little responsibility you have. (Yeah, I went there! OOOOH!)
coalsack@reddit
If you have a smart phone both android and iPhone have features for automatically screening unknown callers. If that’s not an option for you, then I’m sorry you work for an organization that doesn’t respect your time or autonomy.
Let me know if you wanna swap credentials. I’d love to hear more about the size of the department you lead, what’s the major projects you’re overseeing, how often do you have to meet with the board, your capex and opex outlooks, the current budget you are responsible for.
I’ll show you mine :)
im-just-evan@reddit
Imagine running a business in this economy
Opposite_Bag_7434@reddit
This is a challenge. I have to answer my phone as well and there are many who also do.
Ferretau@reddit
One of the problems is that in some countries the govt depts actually use blocked numbers and then require you, the recipient, to prove who you are, i.e. provide identity information, before they will talk to you for privacy reasons, but don't provide an option for you to call them back on one of their officially published numbers to continue the conversation, which just plays right into the hands of scam operations doing the exact same thing. Yet the same govt is warning people not to accept calls from blocked numbers and give out information.
gioraffe32@reddit
I have a friend whose GF works for a three letter agency. And sometimes she'll call him from her work phone. Probably because she can't have her cell phone in secure spaces.
Anyway, these calls show up as "Restricted" on caller ID. So he doesn't normally pick up unknown numbers, but he figures that if it's during the middle of the day, and showing "Restricted," it's likely his GF.
fourpotatoes@reddit
Certain specialty pharmacies do this too, which is pretty annoying when you don't know in advance where your doctor & insurance carrier decided to send the script.
BigLeSigh@reddit
Your voice samples are everywhere. Online games, customer service call recordings, voicemail message..
NeighborGeek@reddit
I had a similar scam attempt claiming to be from Google Workspace support, and they sent an email that looked completely legit. Checking the headers, it appears they used Salesforce to send the message from servers authorized in Google's SPF record.
Of course, when he got to the point of telling me he was sending a notification to verify my identity and told me what numbers to type in, I hung up on him, but it was interesting to hear the scam attempt and see the email verification. I forwarded the message and headers to abuse@google.com, but I doubt anything comes of it.
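Checking what a domain's SPF policy actually authorizes, as an added example that is not from the original comment: the record set below is constructed (it is not Google's, Salesforce's or any real domain's DNS), but the expansion logic is what you would run against real TXT lookups to list every network, and every third party behind an include:, that can produce an spf=pass for mail claiming to come from the domain. Only ip4, ip6 and include terms and the RFC 7208 lookup limit are handled; a, mx, ptr, exists and redirect are left out.

```python
import ipaddress

# Constructed record set: domain -> SPF TXT record.  Not real DNS data.
RECORDS = {
    "example.com": "v=spf1 include:_spf.example.com include:_spf.vendor-esp.example ~all",
    "_spf.example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "_spf.vendor-esp.example": "v=spf1 ip4:198.51.100.0/25 -all",   # a third party's ranges
}

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4; an evaluator returns permerror past this


def expand(domain, records, seen, lookups):
    """Flatten include: terms into (network, via_domain) pairs.  Only ip4, ip6
    and include are handled; a, mx, ptr, exists and redirect are ignored."""
    if domain in seen:                            # guard against include loops
        return []
    seen.add(domain)
    nets = []
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return nets                               # no policy: nothing is authorized
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if qualifier != "+":
            continue                              # only pass (+) mechanisms authorize
        if mech.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise ValueError("permerror: more than %d DNS lookups" % MAX_LOOKUPS)
            nets += expand(mech[len("include:"):], records, seen, lookups)
        elif mech.startswith(("ip4:", "ip6:")):
            nets.append((ipaddress.ip_network(mech[4:], strict=False), domain))
    return nets


def authorized(domain, records):
    """All networks that pass SPF for domain, plus how many lookups it cost."""
    lookups = [0]
    return expand(domain, records, set(), lookups), lookups[0]


def passes_spf(ip, domain, records):
    """Return the record that authorizes ip to send as domain, or None."""
    addr = ipaddress.ip_address(ip)
    for net, via in authorized(domain, records)[0]:
        if addr.version == net.version and addr in net:
            return via
    return None
```

The useful output is the list of via domains: each include is a party whose infrastructure can pass SPF for the domain, and when the MAIL FROM domain aligns with the From: header, DMARC as well, without the mail ever touching the domain owner's own servers. Anyone with a tenant on an included provider therefore inherits that trust, which is what makes a "real" header check pass on a message the domain owner never sent.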
crangbor@reddit
I also had one the other week claiming to be trying to help protect my Gmail account. Same 2FA attempt and it came shortly after a legitimate alert that someone was trying to access the account from another country. Just like OP the caller sounded like some American dude in his 20s or 30s, which is admittedly what made it less suspicious to me at first.
Ferretau@reddit
I agree, the number of times I forwarded things to the Abuse@ address and it just seems to be ignored as the same scams and sources keep being used.
Opposite_Bag_7434@reddit
This has me wondering if the source was one of the providers that Google outsources to.
Pretty crazy how sophisticated so many of these are.
SystemAdminstrator@reddit
Wasn't me !
PlayingDoomOnAGPS@reddit
Unfortunately, the only actual humans who work for Google work in advertising and lobbying. User support is entirely robots and they won't care.
RCTID1975@reddit
If you can't tell the difference between an NDR and a legitimate email, why are you here?
murkr@reddit (OP)
I didn't fall for it. I guess I should be posting this on a different sub since I know none of you would fall for this either.
alpha417@reddit
How long were you on this phone call for?
johor@reddit
If they got his physical address then it was long enough for a good old internet backtrace. The internet police have been using them for decades.
alpha417@reddit
Good thing he was hiding behind the Gibson
InnovativeBureaucrat@reddit
Well I thank you for posting it
cultvignette@reddit
Don't let some of the others bother you. Single serving communities like this can tend to forget that we aren't all on the same knowledge level. Some of us are new.
I still have a hard time detecting some things as legit, and AI isn't making this any easier. No one here is as omniscient as they may think lol
cspotme2@reddit
So what does this ndr look like that looks so much like a real email? Post the screenshot and censor your info.
Peteostro@reddit
r/scams
kagato87@reddit
That one is referred to as "backscatter." It's a real nuisance because the NDR is real, and to block it you need to be able to detect an NDR and correlate it with an outbound message.
I haven't had to deal with that one in a very long time... Did the email not say "delivery failed to one or more recipients"?
Absolute_Bob@reddit
Just an FYI, there have been multiple cases of scammers actually breaking into homes to steal hardware wallets. I wouldn't put anything past them at this point. Also if you have a decent sized wallet it's a pretty good idea to use an email that's only used for that wallet and isn't associated with you in any other way. Why give them a free username?
ras344@reddit
I mean sure it's possible, but it seems a little silly to be worried about that. You're more likely to have someone break into your house and steal your PS5 or something.
Absolute_Bob@reddit
Depends on the size of your wallet. If your PS5 was worth $740k you'd probably be a bit more worried.
GreppMichaels@reddit
I spend real money with Google, Meta, and Tiktok for various web services and advertising. And it is incredibly hard to get my ad reps on the phone, and if those companies do call, I know very much in advance, and exactly who it is.
I doubt that is a common thing for most people.
Like the top comment says, the fact you answered the call, and it was "from Google" should have been the first and only red flag.
InterstellarReddit@reddit
This was good but not as good as the Robinhood one a few weeks ago. That class action is going to be something
jfoust2@reddit
At first I was hoping this would explain the recent rash of "Canceled event:" phishing scam emails out there.
disconnected_tech@reddit
At this point, I have no idea how my older family members haven’t been taken advantage of by scams like this. I’m sure it’s only a matter of time, but teaching them to not click on links in their emails and text messages is almost impossible.
KandevDev@reddit
the "real email from Google" version works because the attacker triggers a real "someone trying to access" email, then calls within 30 seconds while you are still reading it. you see Google sent it, trust the caller. mitigation: never trust an inbound call about an account, always hang up and call the official line.
Ferretau@reddit
Lol in Googles case good luck trying to find an official number.
KandevDev@reddit
good point, google support is famously a hold-mate experience. for personal accounts there is literally no phone number, you can only get to a real human via certain enterprise/workspace tiers. so the scam works partly because the "call the official line" advice does not apply to google specifically. just hang up and pretend they do not exist.
VexingRaven@reddit
Hi ChatGPT
The_Wkwied@reddit
You answered a random phone call and confirmed that your (presumably) private gmail account is associated with your phone number.
You then needlessly shared security details with a stranger.
OK, Google for whatever reason bounced back a noreply to the email in the FROM field. What difference would that have made if they put ceo@contoso.com and Google emailed that person?
All you really did is confirm your phone number is tied to your email is tied to your name, then through public records they can look up your identity and address.
?????????? Why would you even answer a phone call from a random? You know accents can be faked, right? I've spoken to a Sanjeev from 'Texas' and an Igor from 'Brooklyn'... and I'm told that I can apparently voice a Frenchman who can't speak English. You nearly got phished.
EduRJBR@reddit
This is so weird: we are close to a point where the sole point of a phone number, for people in general, is to provide some kind of ID for services like WhatsApp, and something still somehow attached to mobile data services. Something like this, I don't know.
Tymanthius@reddit
Someone's never heard of email spoofing.
improbablyatthegame@reddit
To be fair, 99% of training that users or non cyber folks are ever going to see (for now) won’t involve auto responder or DKIM replay attacks.
This would be tricky for a lot people if the person on the phone was a bit more patient or sophisticated
Tymanthius@reddit
Sure, but OP posted in a forum for Sysadmins. Supposedly he knows better.
improbablyatthegame@reddit
I would bet a lot of non-cyber folks would fall for a sophisticated DKIM replay or autoresponder attack. They're far outside of training norms and legitimacy is only furthered by the passing of authentication. The biggest mistake was on the attacker's part; if he had some patience and tact, this could have been successful.
UnRealxInferno_II@reddit
These are the people getting jobs in this sector, terrifying
goldfingers05@reddit
I just had the same thing happen, but it was real.
They'll first send you an automated call asking you to press 1 to confirm the action, and if you reject it, they say an agent will call you shortly.
I guess that could also be spoofed, but during the call he sent an OTA to my phone to confirm my ownership and since I told them to lock my account down they changed my password and had me confirm a code sent by email using touchtone.
Long story short, if you're suspicious it's Google, they will be able to prove they're real and won't get mad.
Accomplished_Fly729@reddit
Was it your domain or your Gmail that he spoofed? Wouldn't DMARC reject stop the email spoofing from sending to the noreply Google address?
improbablyatthegame@reddit
It’s a legit auto-reply from Google. All of that information would pass just fine.
oldfogey12345@reddit
You talked on the phone for how long?
You are a human security vulnerability and do not belong in tech.
improbablyatthegame@reddit
Psst, you too are human.
bdunn@reddit
Yeah I got this call too. Extremely convincing. Had me going for a few minutes, then I started playing along to waste his time.
murkr@reddit (OP)
According to the members of this group we should hang up our IT card for talking to a scammer for 3 mins lol.
I’ve never had an American scammer call me before so it was new to me.
calamityvibezz@reddit
Yeah some people here are acting like assholes but I think a refresher on current campaigns is always nice to hear!
bdunn@reddit
Yeah... it's Reddit. Everyone here is smarter than you, didn't ya know?
Anyone here saying that didn't hear the way this was done. Best I've ever heard before. I stayed on the call to waste his time mostly, but I also wanted to learn more about how this scam worked. I have a lot of people who count on me to help them avoid this exact kind of thing, and they would all fall for this one. Executed very well. I spent some time trying to work out how it was pulled off. The email turned out to be related to Google Checkout, but I don't remember all the details now.
ifpfi@reddit
I get all kinds of impersonation, phishing, scam, and just plain...disgusting emails from Google servers all the time. I have reported every one but they don't seem to care. We ended up blocking or tagging most of google's Email servers. Hopefully if enough people stop using them they will get the message, otherwise it's too big to fail.
Exploding_Testicles@reddit
I had a call like that: an American guy said my account was possibly compromised by someone logging in from Virginia. I asked, "So which account? And when did Google start calling people? Usually they just email." He then just hung up. But he knew my name and number...
dogcmp6@reddit
Someone did something similar to a large number of Robinhood users recently.
Like the email appeared completely legit, the links in the email looked legit, and the URL the site displayed was completely legit.
im-just-evan@reddit
Thing with the ones with the key tells is they are targeting a different subset of people, namely those with poor reading comprehension and grammar.
dogcmp6@reddit
I mean that makes sense... if you're trying to target a sucker, make it something a sucker would fall for... filters their targets.
im-just-evan@reddit
Yep. They don’t want to waste time with people who will figure it out as time is money.
dogcmp6@reddit
Hopefully more people jump on the scambaiting train soon; so many people are using FreePBX or Asterisk to call or take calls from scammers and just send them to an AI model that acts as an almost perfect mark.
im-just-evan@reddit
That would be amazing. We had to open a hole in our VoIP system and started getting flooded with spam calls from spoofed numbers from our location. Finally got the guys to put the lines on mute when they get such a call, and it’s quelled the shitstorm. We were, at peak, getting 60-70 calls a day.
progenrule@reddit
getting sneakier every month
dnuohxof-2@reddit
And to /r/ShittySysAdmin we go
saltyslugga@reddit
That's backscatter/autoresponder abuse, not an account compromise. Passing SPF/DKIM/DMARC only proves the auto-reply was legit, not the thing that triggered it.
Report it through the provider's abuse/security channel with full headers, caller number, timestamp, and the exact subject they injected. The real fix is on them: stop reflecting attacker-controlled subject lines back to arbitrary forged senders.
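As an added example that is not code from the thread, from Google, or from any commenter, here is a small Python triage routine for the situation saltyslugga describes, which also illustrates Accomplished_Fly729's DMARC question: it parses a constructed auto-reply, works out which domain the SPF/DKIM results actually authenticate (the replying domain, not the forged sender of the message that triggered it), flags the message as auto-submitted, and separates out the reflected subject text as sender-controlled. The header values, message IDs and the `sent_message_ids` lookup are all constructed assumptions; a real autoresponder's headers may differ.

```python
"""Triage an auto-reply that is being offered as 'proof' of a support case.

Added example (not from the thread or from Google). The sample message and
all identifiers in it are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample modelled on the thread's description: the reply itself
# authenticates for google.com, but the subject is whatever the sender of the
# triggering message typed, and In-Reply-To points at a message the victim
# never sent.
SAMPLE_AUTOREPLY = b"""\
Return-Path: <noreply@google.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com; dkim=pass header.d=google.com; dmarc=pass header.from=google.com
From: noreply@google.com
To: victim@example.net
Subject: Re: Case #123456 - Agent John Doe - phone number change request
Auto-Submitted: auto-replied
In-Reply-To: <constructed-id@attacker-controlled.invalid>
Date: Mon, 01 Jan 2024 12:00:00 +0000
Content-Type: text/plain; charset=utf-8

Thank you for contacting Google. This mailbox is not monitored.
"""

# method=result, optionally followed by the identifier that was checked
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(\w+)"
    r"(?:[^;]*?\b(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+))?"
)


def parse_auth_results(value):
    """Return {method: (result, authenticated_domain)} from an
    Authentication-Results header value."""
    out = {}
    for method, result, domain in AUTH_RE.findall(value):
        out[method] = (result.lower(), domain.lower() if domain else None)
    return out


def _aligned(domain, from_domain):
    # Relaxed alignment as DMARC uses it: same org domain or a subdomain of it.
    return domain is not None and (
        domain == from_domain or domain.endswith("." + from_domain)
    )


def triage_autoreply(raw, sent_message_ids=frozenset()):
    """Classify an auto-reply. `sent_message_ids` is the set of Message-IDs
    the recipient actually sent (constructed input here; in practice it would
    come from the Sent folder)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    # Which domain do SPF/DKIM vouch for? Only ever the domain of the reply.
    origin_ok = any(
        res == "pass" and _aligned(dom, from_domain)
        for res, dom in (auth.get(m, ("none", None)) for m in ("spf", "dkim"))
    )
    auto_submitted = str(msg.get("Auto-Submitted", "no")).strip().lower() != "no"
    subject = str(msg.get("Subject", ""))
    reflected_subject = re.sub(r"^\s*(re|fwd?)\s*:\s*", "", subject, flags=re.I)
    in_reply_to = str(msg.get("In-Reply-To", "")).strip()
    triggered_by_recipient = in_reply_to in sent_message_ids

    if not origin_ok:
        verdict = "unauthenticated"
    elif auto_submitted and not triggered_by_recipient:
        # The reply is real, but it was triggered by a message the recipient
        # never sent: the subject text is attacker-controlled backscatter.
        verdict = "reflected_autoreply"
    elif auto_submitted:
        verdict = "expected_autoreply"
    else:
        verdict = "authenticated_direct_message"

    return {
        "verdict": verdict,
        "from_domain": from_domain,
        "reply_origin_authenticated": origin_ok,
        "auto_submitted": auto_submitted,
        "reflected_subject": reflected_subject,
        "in_reply_to": in_reply_to,
        "triggered_by_recipient": triggered_by_recipient,
    }


if __name__ == "__main__":
    for k, v in triage_autoreply(SAMPLE_AUTOREPLY).items():
        print(f"{k}: {v}")
```

The point the verdict encodes is the one saltyslugga makes: `reply_origin_authenticated` can be true while the case number and agent name in `reflected_subject` were supplied by whoever forged the triggering message, so the headers to include in an abuse report are exactly these plus the original `In-Reply-To` value.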
ComplexAd2408@reddit
Common scam tactic that should be getting harder and harder to pull off these days: sender spoofing.
GriffGB@reddit
Wouldn’t it have replied to you with an NDR email, not a support-type email?
coldazures@reddit
Cool story bro.
mr_lab_rat@reddit
Of course real Google Support would just randomly call you.
edthecat2011@reddit
why u answer random phone calls?
battmain@reddit
I remember watching a YouTube video once where I didn't recall any personal info being provided to the scammer, but just based on innocent yes/no questions the scammer got all they needed. Was actually a little surprised.
On a different topic, reading cyber security and Hacker News just makes one want to put down the smartphone and laptop. AI just makes finding the holes quicker now.
crazyarky300@reddit
This isn’t good!! A lot of people will fall for that.