Update, May 8, 2025: This story, originally published May 7, has been updated with a statement from Google concerning the latest Gmail impersonation attack as detailed by a Reddit user, along with information on recovering access to a hacked Google account.
Your Gmail account is under attack from those who would compromise it, lock you out, and then use the resources within to stage further attacks against you and your contacts. Everything from security alert email notifications, infostealer malware campaigns, and 2FA bypass attacks are employed by malicious cybercriminals looking to access your Google account. Now, a Reddit user has warned about a hacker that tried to get them to part with their 2FA code as part of an elaborate Gmail verification attack. Here’s what you need to know and do to ensure you don’t lose your account.
The Gmail Account Recovery 2FA Code Attack Explained
Employing phony technical support or security team alerts in an attempt to convince someone to hand over their account credentials is not a new wheeze that has just been dreamed up by a forward-looking hacker. Heck, I was doing precisely this as part of social engineering campaigns against clients, with their permission, twenty years or more ago. Impersonation is the greatest form of flattery, and the easiest way to convince someone to give you what you want. Only last year, I penned a report that went viral describing just such a scam, involving emails and AI-powered phone calls in an attempt to relieve a thankfully technology-savvy target of their account credentials. But old never gets old, especially when it evolves and is successful. One Redditor has now warned other users in the Gmail subreddit of a similar attack they have just experienced firsthand using an evolved account recovery 2FA code verification method without the AI component and involving a human hacker on the other end of the line.
Going by the name of EvilKittensCo on Reddit, the poster explained that they had been on the receiving end of a telephone call from someone purporting to be a Google support agent. The caller explained that they needed to verify his Gmail recovery details in order to make changes to the account that had been requested. The rationale was that the original owner of the account needed to verify the information, or the requested changes would take place. If you think about it, that’s red flag number two right there: if the original owner didn’t verify the account recovery information then surely the changes would not be made. If you are wondering what the first red flag is, it’s simply that Google will not call you out of the blue like this. Not ever. Nope. It just won’t happen. If it does, it is a scam.
I reached out to Google and a spokesperson issued the following statement: “This is a known scam targeting a limited number of users – we have no evidence it’s a wide-scale tactic. We’ve hardened our defenses to protect users from this type of abuse and suspended accounts that have misused Google services in these scams. But we encourage all users to remain vigilant – please reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues.”
Don’t Give A Gmail Support Caller Your Account Recovery 2FA Code
EvilKittensCo was suspicious and asked “Google” to call them back from a Google telephone number, and they did, or at least they called from a number that is associated with Google Assistant when searched for. To cut a long story very short, the sting is to try and get the victim to send a 2FA Gmail account recovery code that will be sent. Doing so will then enable the hacker to access the account and make the necessary changes to lock the legitimate owner out.
EvilKittensCo checked their Google account online and told the “support agent” that no recovery notifications were showing as pending. This only got the scammer agitated, and they insisted they were trying to stop a Gmail hack, not initiate one. They soon, of course, hung up.
The Redditor did everything right in this case. To mitigate the risk of becoming a victim, however, as well as remembering that Google support will not call you like this, no matter how genuine they sound, you should follow the advice of Gmail spokesperson Ross Richendrfer. “Use phishing-resistant authentication technologies, such as security keys or passkeys,” Richendrfer said. A Gmail passkey is very easy to implement and will stop such an attack dead in its tracks.
How To Regain Access To A Hacked Gmail Account
If you are unfortunate to have fallen victim to this, or any other scam that results in your Gmail account being hacked, the password and recovery email and telephone number changed, and so effectively get locked out, don’t panic. All is most certainly not lost.
The most important thing is to be proactive and prepare for the worse before it happens. Google’s Richendrfer recommends that all Gmail users “set up a recovery phone as well as a recovery email on their account,” which can then be used where an attacker changes credentials or even if you just forget your own password. Yes, that happens, and here’s a big hint to prevent it: use a password manager, m’kay. Anyway, back to the point, as you are the legitimate and original Google account holder, you get a whole week, seven days, in which you can regain control of that account even if an attacker has changed your recovery telephone number. “Our automated account recovery process allows a user to use their original recovery factors for up to 7 days after it changes,” Richendrfer said, “provided they set them up before the incident.”
To add or change a recovery phone number or email on Android, open your device settings app, hit Google, followed by your name, and the Manage your Google account option. Now head for the security section, where it says “how you sign into Google,” and you can select options for a recovery phone or recovery email. You will likely be asked to sign in before getting any further, but the selection process is very straightforward and takes no time at all. You can find more details on recovering a Google account following a successful Gmail hack here.
