“Hi, this is Alex from Google Security. We’ve detected suspicious activity on your account—someone may be trying to change your recovery phone number and email address. We need to secure your account right away.”
BTW – I get at least one of these calls each week. They never give up! Did you catch the sense of urgency the caller used? It’s a technique to scare you.
The caller sounded professional. Perfect English. Calm, not robotic. The victim—let’s call him “Nick” 😉—had just been checking his Gmail. Everything seemed fine… until it wasn’t.
“Did you receive a Google verification notice just now?” the caller asked.
Nick glanced at his phone. A 6-digit code had just popped up from Google. Then another. The caller continued:
“We’re locking the account down now. Can you just accept that MFA on your phone so we can validate it and continue to protect your account?”
🎭 The Anatomy of this MFA Scam
This scam has been making the rounds lately—and it’s catching even savvy users off guard. Here’s how it works:
- The attacker already has your Google password—likely from a past data breach.
- To bypass your MFA (multi-factor authentication), they need your help to approve or relay the code.
- By impersonating “Google Security,” they trick you into sharing the code… and just like that, they’re in.
Once logged in, the attacker changes the recovery email and phone number, locking you out for good.
🛑 Google Will NEVER Call You
Google has made it clear: they will never call you to discuss security issues or MFA codes. If someone calls you saying they’re from Google and asks for a verification code or asks you to approve some action, it’s an MFA scam.
Even worse, these scammers are evolving. No bad accents. No poorly written emails. They sound local, confident, and professional. Caller ID may even show a California number or say “Google.” It’s all fake.
👁️‍🗨️ What You Should Do
- Never share MFA codes—even if the caller claims to be “support.”
- Never accept an unexpected MFA alert on your phone or desktop. DENY IT!
- Don’t trust caller ID. Numbers can be spoofed to look legitimate.
- Go directly to https://myaccount.google.com to check your security settings.
- Enable Google Prompt or a hardware key for MFA—these are harder to exploit.
- If in doubt, hang up. Then check your account yourself.
- Change your Google password to be safe, in case the bad actor does have it.
🎯 Final Thought
Cybercrime isn’t always about hacking—it’s about manipulating your trust. So the next time someone says “This is Google Security calling,” remember: real security never asks for your secrets. Only attackers do.
Share your stories about your experiences with phone scams in the comments and let’s make our community safer. Contact Caldera Cybersecurity Services if you need help in securing your business.