Google Voice Authentication Scam Leaves Victims on the Hook | Threatpost

Fluffy is missing.

You post your lost pet’s photo online, hoping that some good Samaritan will find Fluffy, listing your phone number and crossing your fingers.

You get a text or email from somebody who thinks they’ve found Fluffy – or, say, somebody who wants to buy that scruffy old couch you posted for sale on Craigslist.

The purported lost-pet-finder/old-couch-aficionado tells you they don’t want to get scammed, though. They’ve heard about fake online listings and want to verify that you’re a real person and not a bot, or they might say that they want to verify that you’re the pet’s true owner.

So they tell you they will send you a Google authentication code in the form of a voice call or a text message, and then ask you to repeat the number back to them to prove you’re real.

In reality, they’re setting up a Google Voice account in your name, using your phone number, and the “authentication” code is actually the two-step verification code needed to complete the set-up process.

A growing number of scammers are rolling out this Google Voice scam, to the point where the FBI was moved to issue a warning about it this week.

Why Google Voice?

The Google Voice service offers a virtual phone number that can be used to make domestic and international calls, or send and receive text messages from a browser. That account can be used to launch any number of scams, the FBI said, all without the ability to be traced directly back to the scammer. As well, the code can be used to gain access to, and hijack, Gmail accounts.

The scammers often use the Google Voice number in fraudulent ads on marketplace websites or for other criminal activity, hiding their true identity and leaving the victim looking like the guilty party. Sometimes the scammers are also looking for other information about the target that they can use to access online accounts or open new accounts in the victim’s name.

Although the message Google sends out warns recipients not to share the number with anyone, in at least one case, the scammers disguised the message by having it sent in a foreign language. As Nerd Wallet reported last month, journalist Kelly Rissman of New York, who had listed furniture for sale, got contacted by a scammer. A six-digit code from Google followed quickly, along with something written in Filipino. Had she translated it, she would have seen that it read: “—— is your Google Voice verification code. Don’t share it with anyone else.”

Google Voice verification code. Source: FTC.

Anatomy of a Google Voice Scam

As the Federal Trade Commission (FTC) explained in October, this is how a Google Voice verification code scam typically works:

This is a tough scam to detect, given that targets aren’t asked for personal data or account numbers, and, as Rissman noted, she hadn’t forked over any way to steal her identity or her money.

As of September, the Identity Theft Resource Center (ITRC) reported that the scam is booming: nearly half – 49 percent – of the complaints they received in the prior month were about the Google Voice scam.

How to Avoid the Google Voice Scam

The FBI offered these ways for consumers to protect themselves from falling victim to such gambits:

Image courtesy of Cory Doctorow.
