
193 points todsacerdoti | 1 comments
alchemist1e9 ◴[] No.41084731[source]
This was done to me. They even called me imitating the Google security team by using the Google Assistant feature and using a free trial to register my own phone number as the business name, then calling via Google to get Assistant to call me repeatedly, showing up as Google. Eventually I picked up, as I was also simultaneously getting account recovery requests on my Gmail. AND they sent me DKIM-verified emails that appear to come from Google themselves. I recorded the phone conversation if LE might be interested. The combination of there existing an account on workspaces, verified emails, and spoofed Google caller ID from numbers that superficially appear to be actually Google numbers - you have to read closely that they are Google Assistant numbers! - was pretty convincing initially; they had me for a few minutes on the call. And they tell you your account is having its phone number changed, we need to do something now or it will take a long time to recover it. I didn’t fall for it but then I pretended I was and put on a big show. I have a long recording with their voice and timestamps of everything.

Anyway the incident shook me as they also gave me my personal information to prove they are real and it was accurate and kept saying look we aren’t asking you for information we are telling you yours so you see we are Google Security!

It has triggered for me a giant project to carefully review all my attack surfaces across all accounts and systems.

1. megous ◴[] No.41085063[source]
> ... as they also gave me my personal information to prove they are real and it was accurate and kept saying look we aren’t asking you for information we are telling you yours so you see we are Google Security!

Yeah, anytime someone gives me information about me to prove who they are, it is instantly suspect. Same goes for a not-yet-authenticated caller (caller ID doesn't count) asking for my details so that they get proof of who I am. Not going to give extra info to an unknown person, sorry.

I train myself on legit calls to not fall for this, despite some inconvenience.

My hope is that in the future, when the real scammer call eventually comes, I'll be less likely to fall for social engineering tricks and psychological pressure.