Gmail Users Warned to 'Remain Vigilant' Over New Email Scam

Gmail users are being urged to stay alert after a new scam emerged that tricks victims into handing over account recovery codes. Security firm Malwarebytes has warned that hackers are sending emails or making phone calls pretending to be from Google Support, claiming an account has been compromised.

The scam involves the attacker sending a password reset request to the victim's account, which generates a legitimate security code from Google. The victim is then asked to read out this code to the fake support agent, who uses it within seconds to hijack the account. Malwarebytes explained that the victim enters their login credentials on a fake reset page, and the code is used to verify the attacker's control.

Some users have reported being targeted. One Reddit user described a call where the scammer asked them to verify the phone number by hanging up and calling it back. The number appeared legitimate but did not connect to a human agent. The user said: 'He was trying to actively recover my account and steal possession of it, while on the phone with me.'

Google has confirmed it does not offer phone support for Gmail and never asks users to provide security codes over the phone or via email. In a statement, the company said: 'These contacts and their websites have no affiliation to Google and may claim to provide password reset assistance... Google does not charge users to recover their account credentials or change their password.'

Users are advised never to share account recovery codes, and to ignore any unsolicited calls or emails claiming to be from Google support. If in doubt, users should go directly to Google's official help pages.
