Google Voice Authentication Scam Leaves Victims on the Hook

The FBI is seeing so much malicious Google Voice activity, in which victims are associated with fraudulent virtual phone numbers, that it sent out an alert this week.

Fluffy is missing.

You post your lost pet’s photo online, hoping that some good Samaritan will find Fluffy, listing your phone number and crossing your fingers.

You get a text or email from somebody who thinks they’ve found Fluffy – or, say, somebody who wants to buy that scruffy old couch you posted for sale on Craigslist.

The purported lost-pet-finder/old-couch-aficionado tells you they don’t want to get scammed, though. They’ve heard about fake online listings and want to verify that you’re a real person and not a bot, or they might say that they want to verify that you’re the pet’s true owner.

So they tell you they will send you a Google authentication code in the form of a voice call or a text message, and then ask you to repeat the number back to them to prove you’re real.

In reality, they’re setting up a Google Voice account in your name, using your phone number, and the “authentication” code is actually the two-step verification code needed to complete the set-up process.

A growing number of scammers are rolling out this Google Voice scam, to the point where the FBI was moved to issue a warning about them this week.

Why Google Voice?

The Google Voice service offers a virtual phone number that can be used to make domestic and international calls, or send and receive text messages from a browser. That account can be used to launch any number of scams, the FBI said, all without the ability to be traced directly back to the scammer. The code can also be used to gain access to, and hijack, Gmail accounts.

The scammers often use the Google Voice number in fraudulent ads on marketplace websites or for other criminal activity, hiding their true identity and leaving the victim looking like the guilty party. Sometimes the scammers are also looking for other information about the target that they can use to access online accounts or open new accounts in the victim’s name.

Although the message Google sends out warns recipients not to share the number with anyone, in at least one case, the scammers disguised the message by having it sent in a foreign language. As NerdWallet reported last month, journalist Kelly Rissman of New York, who had listed furniture for sale, was contacted by a scammer. A six-digit code from Google followed quickly, along with something written in Filipino. Had she translated it, she would have seen that it read: “—— is your Google Voice verification code. Don’t share it with anyone else.”

Google Voice verification code. Source: FTC.

Anatomy of a Google Voice Scam

As the Federal Trade Commission (FTC) explained in October, this is how a Google Voice verification code scam typically works:

  • A criminal downloads the Google Voice app and links it to a Gmail account.
  • They find victims by checking out online marketplaces, looking for people who post things for sale on sites like Craigslist or Facebook Marketplace. They also prey on people who post looking for help finding a lost pet and have been known to run the scam on dating sites.
  • They say they’ve been burned in the past by bots and ask the seller/pet owner to accept and text back a code to prove they’re a real person.
  • When the victim texts the code back, the scammer can link the Google Voice number to the victim’s authenticated phone.

This is a tough scam to detect, given that targets aren’t asked for personal data or account numbers, and, as Rissman noted, she hadn’t forked over any way to steal her identity or her money.

As of September, the Identity Theft Resource Center (ITRC) reported that the scam is booming: nearly half – 49 percent – of the complaints they received in the prior month were about the Google Voice scam.

How to Avoid the Google Voice Scam

The FBI offered these ways for consumers to protect themselves from falling victim to such gambits:

  • Never share a Google verification code of any kind with others.
  • Only deal with buyers, sellers and Fluffy-finders in person. If money is to exchange hands, make sure you are using legitimate payment processors.
  • Don’t give out your email address to buyers/sellers conducting business via phone.
  • Don’t let someone rush you into a sale. If they are pressuring you to respond, they are likely trying to manipulate you into acting without thinking.

Image courtesy of Cory Doctorow.
