An X.com user, Dmitry Smilyanets (@ddd1ms), has raised an alarm on X about a new and sophisticated phishing scam targeting Google Cloud users. This is not the typical junk mail that lands in your spam folder.
It is being run through multiple channels: phone calls from bad actors impersonating legitimate firms, personal emails, and web pages. The sole aim is to harvest your credentials and other sensitive details.
This malicious activity stands in stark contrast to Google’s own initiatives to enhance user security, such as its upcoming VPN service for Google One customers.
The scheme behind the scenes
The scam begins with a phone call from someone posing as a Google Cloud Support representative. The caller seems knowledgeable and sounds like part of Google Support: they know your name and reference what they claim is a specific case number (e.g. “123456”) related to a “problem with your account.”
After the call, a follow-up email arrives that appears to come from Google Cloud Support and uses the same formatting as genuine Google Cloud Support messages. Many of the links in the email appear to point to the same domain Google Cloud uses, making it very difficult for recipients to tell whether they are legitimate.
What’s in the follow-up email
The email uses a Google Cloud-branded template, a professional format, and an official-looking case number. Dmitry reported receiving an email referencing case #66568145 and inviting them to log in to the Google Cloud support portal to see more details about the case.
The email’s links appear to lead to the standard Google Cloud Console at console[.]cloud[.]google[.]com or to lookalike domains. These links can fool even normally careful users, because the destination is not the genuine Google domain; instead it uses slight variations in spelling or domain name that can only be spotted with careful scrutiny.
If you click one of these links and submit your login details, you have handed over access to your Google Cloud account. With that access, the phishers can reach all of your projects, files, billing information and every other Google Cloud resource.
What to Do
First, Google will NEVER initiate contact through an unsolicited phone call about a technical issue on a user account, so any such call is likely an attempt to defraud you. Always verify support contacts independently.
Do not use the phone number or website given to you in the email or during the call. Instead, go to the Google Cloud Console via the official site and check for notifications about your account.
Inspect URLs carefully before clicking. Subtle misspellings or extra characters are common tricks, so hover your cursor over a link to see where it would actually take you.
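Hovering works for one link at a time; the same check can be scripted for a whole mailbox. The following is an added example, not code from the article or from Google: it parses the anchors in a constructed sample email, extracts each link's real destination host with Python's urllib, and flags links whose host is not under google.com (assumed here as the only trusted root, standing in for a real allowlist), that hide a lookalike host in the userinfo part of the URL, that use internationalised (punycode) labels, or whose visible text names a Google host while the href goes elsewhere. Every URL in the sample uses the reserved .example top-level domain, so none of them resolve.

```python
"""Flag links in an email whose real destination is not a genuine Google host.

Added example for this article (not code from the article or from Google).
The sample email and every URL in it are constructed; the trusted root
google.com is an assumption standing in for a real allowlist.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only google.com and its subdomains count as genuine.
TRUSTED_ROOTS = ("google.com",)


def host_is_trusted(host: str) -> bool:
    """True only for a trusted root itself or a real subdomain of it.

    "google.com.example" and "mygoogle.com" both fail: the root must be the
    whole host or be preceded by a dot.
    """
    host = host.lower().rstrip(".")
    return any(host == root or host.endswith("." + root) for root in TRUSTED_ROOTS)


def shown_host(text: str) -> str:
    """Host named by the link's visible text, or "" if the text is not URL-like."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return ""
    return urlsplit(text if "://" in text else "//" + text).hostname or ""


def check_link(href: str, text: str) -> list[str]:
    """Return the reasons a link is suspicious; an empty list means it passed."""
    reasons: list[str] = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # "https://console.cloud.google.com@portal.example/" shows a Google
        # host before the @, but the browser connects to portal.example.
        reasons.append(f"userinfo {parts.username!r} hides real host {host!r}")
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(f"internationalised host {host!r}, check for homoglyphs")
    if not host_is_trusted(host):
        reasons.append(f"real host {host!r} is not under google.com")
    visible = shown_host(text)
    if visible and host_is_trusted(visible) and visible != host:
        reasons.append(f"text shows {visible!r} but link goes to {host!r}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def audit_email_html(html: str) -> dict[str, list[str]]:
    """Map each href in the email body to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed sample: one genuine link and three of the tricks the article
# describes. The xn-- label is a made-up placeholder; the check keys on the prefix.
SAMPLE_EMAIL = """
<p>Case #66568145: sign in to review the problem with your account.</p>
<a href="https://console.cloud.google.com/support/cases">console.cloud.google.com</a><br>
<a href="https://console.cloud.google.com.example/login">console.cloud.google.com</a><br>
<a href="https://console.cloud.google.com@portal-login.example/">Open the Google Cloud Console</a><br>
<a href="https://console.cloud.xn--ggle-0nda.example/">console.cloud.google.com</a>
"""

if __name__ == "__main__":
    for href, reasons in audit_email_html(SAMPLE_EMAIL).items():
        print("OK  " if not reasons else "WARN", href)
        for reason in reasons:
            print("      -", reason)
```

The suffix test in host_is_trusted is the part people most often get wrong: a plain substring match on "google.com" would accept "google.com.example", which is exactly the kind of lookalike the article describes. The userinfo check matters because urlsplit, like a browser, treats everything before the @ as a username and connects to the host after it.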
Additionally, enable two-factor authentication (2FA) on your Google Cloud account. Even if someone obtains your password, they cannot get in without completing the second verification step.
If you receive suspicious phone calls or emails that appear to be from Google Support, report them through the Google Support reporting process using the links on Google’s website. For a comprehensive guide to recognizing and defending against these threats, see our detailed explainer on phishing emails and how to protect yourself.