Google Voice Authentication Scam Leaves Victims on the Hook

The FBI is seeing so much malicious Google Voice activity, in which victims are associated with fraudulent virtual phone numbers, that it sent out an alert this week.

Fluffy is missing.

You post your lost pet’s photo online, hoping that some good Samaritan will find Fluffy, listing your phone number and crossing your fingers.

You get a text or email from somebody who thinks they’ve found Fluffy – or, say, somebody who wants to buy that scruffy old couch you posted for sale on Craigslist.

The purported lost-pet-finder/old-couch-aficionado tells you they don’t want to get scammed, though. They’ve heard about fake online listings and want to verify that you’re a real person and not a bot, or they might say that they want to verify that you’re the pet’s true owner.

So they tell you they will send you a Google authentication code in the form of a voice call or a text message, and then ask you to repeat the number back to them to prove you’re real.

In reality, they’re setting up a Google Voice account in your name, using your phone number, and the “authentication” code is actually the two-step verification code needed to complete the set-up process.

A growing number of scammers are rolling out this Google Voice scam — to the point where the FBI was moved to issue a warning about it this week.

Why Google Voice?

The Google Voice service offers a virtual phone number that can be used to make domestic and international calls, or send and receive text messages from a browser. That account can be used to launch any number of scams, the FBI said, all without the ability to be traced directly back to the scammer. As well, the code can be used to gain access to, and hijack, Gmail accounts.

The scammers often use the Google Voice number in fraudulent ads on marketplace websites or for other criminal activity, hiding their true identity and leaving the victim looking like the guilty party. Sometimes the scammers are also looking for other information about the target that they can use to access online accounts or open new accounts in the victim’s name.

Although the message Google sends out warns recipients not to share the number with anyone, in at least one case, the scammers disguised the message by having it sent in a foreign language. As NerdWallet reported last month, journalist Kelly Rissman of New York, who had listed furniture for sale, was contacted by a scammer. A six-digit code from Google followed quickly, along with something written in Filipino. Had she translated it, she would have seen that it read: “—— is your Google Voice verification code. Don’t share it with anyone else.”

Google Voice verification code. Source: FTC.

Anatomy of a Google Voice Scam

As the Federal Trade Commission (FTC) explained in October, this is how a Google Voice verification code scam typically works:

  • A criminal downloads the Google Voice app and links it to a Gmail account.
  • They find victims by checking out online marketplaces, looking for people who post things for sale on sites like Craigslist or Facebook Marketplace. They also prey on people who post looking for help finding a lost pet and have been known to run the scam on dating sites.
  • They say they’ve been burned in the past by bots and ask the seller/pet owner to accept and text back a code to prove they’re a real person.
  • When the victim texts the code back, the scammer can link the Google Voice number to the victim’s authenticated phone.

This is a tough scam to detect, given that targets aren’t asked for personal data or account numbers, and, as Rissman noted, she hadn’t handed over anything that could be used to steal her identity or her money.

As of September, the Identity Theft Resource Center (ITRC) reported that the scam is booming: nearly half – 49 percent – of the complaints they received in the prior month were about the Google Voice scam.

How to Avoid the Google Voice Scam

The FBI offered these ways for consumers to protect themselves from falling victim to such gambits:

  • Never share a Google verification code of any kind with others.
  • Only deal with buyers, sellers and Fluffy-finders in person. If money is to change hands, make sure you are using legitimate payment processors.
  • Don’t give out your email address to buyers/sellers conducting business via phone.
  • Don’t let someone rush you into a sale. If they are pressuring you to respond, they are likely trying to manipulate you into acting without thinking.

Image courtesy of Cory Doctorow.

Discussion

  • Mara orten on

    Good app
  • Nas x on

    This literally just happened to me as a food delivery driver. They asked if someone signed in on another device today using my account. Long story short, I read back the verification number that was sent to me and I thought we were fixed. We hung up; I knew something didn't make sense, and they changed the phone number under my delivery account to a Google Voice number. I called the real people back from my actual delivery company and they were confused (not a good sign). They insisted my number was the one that the hackers switched and I must have made a mistake after 1700 deliveries. Then I got on the phone with AJ at the same delivery company and he knew his shit; I was now with someone who knew what they were doing and we handled it. There were 3 different Google Voice numbers involved in the scam: the number that called, 484 area code; the text verification number was a (213) area code, and that number I don't think was a Google number; and the fake number that took over in my account settings was a (650) area code. So keep an eye on all those area codes that you don't recognize, and if you do answer, feel free to give them all the time they need but make sure they get enough info out of you to tie their shoes
  • NJL on

    Is there any way to get out of the Google Voice TRAP. I got SCAMMED on Jan 9, 2022. I've read 5 different articles from Google trying to figure out how to recover my phone #. AAARRRGGGG.
    • JP on

      I too just got scammed. Have you had any luck fixing it and getting your number back?
  • JP on

    NJL, I just got scammed too. Any luck figuring it out?
  • Jkp on

    [external link removed] You have to reclaim your phone number from your own Google Voice account. It happened to me.
  • Daniel gilad on

    Anyone has a solution for this? It just happened to
  • Anonymous on

    I got the 6-digit scam but don't have a Google Voice account. Am I on the hook?
