
Just got hit with a pretty sophisticated social engineering attempt tonight and wanted to share it while it’s fresh because the email mechanic alone is worth talking about.
Got a call from a Mountain View, CA number. An AI-sounding woman asked for me by name, already knowing my phone number and general location. She said she was from Google and that someone had initiated a full account transfer and wanted to know if that was me.
It wasn’t, and in that moment I was pretty sure I was talking to an AI. I started probing.
She told me a phone number had initiated the transfer using my identification to get into the account. I pulled up my Google account on a separate laptop I know is clean and, as expected, zero security alerts. Nothing.
As I kept asking questions the story started falling apart. She told me that due to the nature of API keys, the attacker likely still had a copy of my “Login API Key” and that I should go through a password change with her on the line. I declined.
Then came the closer. Once I changed my password with her on the line, they would place a 48-hour security lock on my account as a protective measure while I contacted the credit agencies to freeze my credit. Think about that for a second. They weren’t just after my Google account. They wanted me locked out of everything while they worked, and they were going to have me freeze my own credit thinking it was my idea. By the time 48 hours passed I would have handed them full access and voluntarily removed one of the first tools I’d use to detect fraud.
Here’s where it got interesting. I interrupted her mid-sentence at one point and her voice just stopped. Hard stop. No overlap, no stumble, just silence and then a resume. That’s an AI voice model. Human callers fumble through interruptions. AI cuts the moment it detects incoming audio.
They weren’t happy when I declined but said they’d send me an email to verify this was really Google. I asked how I could confirm it. She said it would come from [email protected].
The email showed up almost instantly. Looked completely clean. And technically it was. SPF pass. DKIM pass. DMARC pass. Legitimately sent from Google’s infrastructure.
Here’s where it gets interesting. They own cases-goog.com and almost certainly have a Google Workspace account on it. I can only assume they found a way to add my Gmail address as a contact or CC recipient when opening a real Google support case, triggering an authenticated notification from Google’s own systems straight to my inbox. I haven’t confirmed the exact mechanic but the result speaks for itself. Fully authenticated. Completely real. They didn’t spoof anything or forge anything. They just knew how Google’s own support infrastructure works and used it as a delivery mechanism.
The only thing that gives it away is the subject line, which Google obviously didn’t write. “Google Support: Case# 9281871 - You are currently on the phone with Carol Smith - (XXX) XXX-XXXX.” No legitimate support system generates a subject line that says you’re currently on the phone with someone. That was their case title. They named it that.
What makes this scarier is that they didn’t need any interaction from me to trigger it. They just needed my email address. They could send that to anyone.
When I finally told her I wasn’t doing anything with my account, she sounded genuinely deflated. That’s the human underneath. A lot of these operations are hybrid, a real person running the script using an AI voice to sound professional and keep a consistent persona. The emotion at the end leaks through.
A few things worth keeping in mind:
- If you think you’re talking to an AI, interrupt it mid-sentence with something random. Watch for that hard stop. Human callers stumble. AI cuts.
- When someone sends you an email to “prove” they’re Google, check the subject line. Google doesn’t write your case notes for you. If the subject references a phone call you’re currently on, someone else wrote that.
- If anyone on a support call asks you to change your password while they stay on the line and then mentions any kind of account lock or suggests you contact credit agencies, hang up immediately. The lock is the point. They want you out of your own accounts and away from the tools you’d use to catch them in the act.
- Google almost never calls you first. If they somehow do, they will never ask you to change your password while staying on the line. That’s not how any legitimate support works.
Stay vigilant. If they’re using “Login API keys” as a script today, imagine what they’ll be using tomorrow.
8 out of 10 stars.
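The email mechanic described above, sketched as a mail-triage check; this is an added example, not part of the original post. It shows why a clean SPF/DKIM/DMARC result and a suspicious verdict can coexist: authentication says who sent the message, while the subject is still free text. The sample message, the `sender.example` and `mail.example` domains, and the regex heuristics are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the subject quoted in the post; the sender,
# domains and Authentication-Results header are placeholders, not real values.
SAMPLE = """\
From: Support <support@sender.example>
To: victim@mail.example
Subject: Google Support: Case# 9281871 - You are currently on the phone with Carol Smith - (XXX) XXX-XXXX
Authentication-Results: mx.mail.example; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example

Your case has been updated.
"""

# Phrases describing a live call: text a ticketing system would not author itself.
LIVE_CALL = re.compile(r"\b(currently on the (phone|line)|on the phone with)\b", re.I)
# Phone-number shape, allowing masked digits (X) as in the post.
PHONE = re.compile(r"\(?[\dX]{3}\)?[\s.-]?[\dX]{3}[\s.-]?[\dX]{4}")
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def triage(raw):
    """Report authentication status and subject-line red flags separately."""
    msg = message_from_string(raw)
    subject = " ".join(str(msg.get("Subject", "")).split())
    auth_header = str(msg.get("Authentication-Results", ""))
    results = {k.lower(): v.lower() for k, v in AUTH.findall(auth_header)}
    authenticated = all(results.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    findings = []
    if LIVE_CALL.search(subject):
        findings.append("subject references a live phone call")
    if PHONE.search(subject):
        findings.append("subject embeds a phone number")
    return {
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
        "authenticated": authenticated,
        "findings": findings,
        # Passing auth only proves the sender; the subject can still be caller-supplied.
        "suspicious": bool(findings),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The check deliberately does not treat `authenticated` as a sign of safety; a message can be both fully authenticated and flagged.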