Hackers Use AI to Steal Gmail Recovery Codes in Devastating New Scam
Gmail users worldwide have been put on high alert after cybersecurity experts identified a new AI-driven scam targeting Google account recovery codes. The FBI and cybersecurity firm Malwarebytes have issued fresh warnings as more people fall victim to the highly convincing phishing attack.
The scam, which combines fake phone calls and emails, tricks users into handing over recovery codes—giving hackers complete control of their accounts. Experts warn that financial losses, identity theft, and personal data breaches are at stake.
How the Gmail Scam Works
- You receive a phone call from someone claiming to be from Google, warning that your Gmail account has been compromised.
- At the same time, you get a “Google” email asking you to verify your account by providing a recovery code.
- Hackers request a real recovery code from Google, which is then sent to you via SMS or email.
- You provide the code to the scammer, believing it’s needed to secure your account—but in reality, it hands over complete access.
- Once inside your Gmail, hackers can reset passwords for linked accounts, including banking apps, cloud storage, and social media, leading to potential financial and personal data theft.
Experts warn this method is highly effective because it removes the usual red flags found in phishing scams, such as bad spelling or unusual email addresses. AI-generated messages now look and sound completely authentic.
FBI and Google Issue Urgent Advice for Gmail Users
Cybersecurity experts warn that once criminals gain access to Gmail, they can infiltrate Google Calendar, Google Drive, Google Photos, and any services linked to the account—potentially revealing sensitive financial data, home security details, and even travel plans.
How to Protect Yourself From the Scam
- Enable Multi-Factor Authentication (MFA): Ensure you use Google Authenticator or security keys instead of SMS recovery codes.
- Never Share a Google Recovery Code: Google will never ask for it over the phone or email.
- Avoid Clicking Links in Emails: Always go directly to Google’s security page to check your account status.
- Use a Password Manager: Programs like 1Password, LastPass, or Apple Keychain autofill credentials and prevent phishing attempts.
- Regularly Check Your Account Activity: Look for unusual logins and enable Google’s security alerts.
- Activate Spam and Scam Call Filtering: Block unknown numbers on your phone to avoid AI-generated scam calls.
Criminals Are Using AI to Make Scams More Convincing
The FBI has warned that criminals are now leveraging AI to create realistic voice and video messages, imitating real Google representatives.
“These scams are becoming increasingly sophisticated and convincing,” said Robert Tripp, FBI Special Agent in Charge. “Hackers are now capable of cloning voices and sending fake recovery emails that look 100% real.”
“If criminals steal your recovery code, they don’t just get your Gmail—they gain access to your entire Google account, which could be catastrophic,” said Pieter Arntz, Malware Intelligence Researcher at Malwarebytes.
Growing Threat: AI-Powered Phishing and Identity Theft
Cybersecurity experts warn that AI-powered fraud is rising at an alarming rate.
Fake websites are also being used to trick people into entering their email and password—giving scammers direct access.
Hackers are selling stolen Gmail accounts on the dark web, with some accounts fetching up to $500 each due to the valuable linked services.
Google has increased security measures, but users must stay vigilant and proactive.
Final Warning: Stay Alert and Spread the Word
Gmail users are urged to take immediate precautions to secure their accounts. If you receive a suspicious call or email, report it to Google, the FBI (for US users), or Action Fraud (for UK users).
Do not share recovery codes, click suspicious links, or trust unsolicited calls claiming to be from Google.
Share this article to warn family and friends!