
Updated on Dec. 10 with a new warning these attacks are now surging 449%.

America’s cyber defense agency now warns Google, Microsoft and Apple users to secure their accounts — change passwords, remove SMS two-factor authentication and add passkeys. But hackers are quickly evolving their attacks. Even a message from Google, Apple or Microsoft may be an attack, as hackers target your accounts.

Apple warns attacks now use “sophisticated tactics to persuade you to hand over personal details such as sign-in credentials (and) security codes.” Last month, these tactics made headlines, with hackers triggering automated Apple security messages at the same time as calling the target, pretending to be from Apple Support.

Google Account holders face the same threats. One Redditor has just asked how an attacker can “send Google Security Prompts directly to my phone?” The answer is that anyone can initiate an account recovery process for your address. That’s why these prompts tell you to ignore the message unless you triggered it yourself.


But in this case — just as with the recent Apple attacks — there was a person on the phone from “Google’s security team” at the same time. It’s that combination of an attack mixed with automated, legitimate messages that’s the convincer. Then the caller asks you to read out one of these automated codes, and you lose your account.

It’s easy to stay safe. “If you get an unsolicited or suspicious phone call from someone claiming to be from Apple or Apple Support, just hang up,” says Apple. And Google says exactly the same. “Please reiterate to your readers,” the company asked me, “that Google will not call you to reset your password or troubleshoot account issues.”

It really is that simple. If you get the call, it’s an attack.

As for unexpected security prompts, if you have not initiated an account recovery process or clicked to reset a forgotten password or changed a device, then you must ignore the prompts or messages. Do not click. Do not share codes via email, text or call. Do not engage with anyone contacting you at that same time. It’s always an attack.

With perfect timing, a new Microsoft warning adds to the recent Apple and Gmail alerts for this devious kind of attack. Per SpiderLabs, “we’ve analyzed an attack chain starting with social engineering and ending with fileless malware execution.”


The security team explains that a victim “receives a Teams call from an attacker impersonating Senior IT Staff (spoofed display name). The Attacker convinces user to launch QuickAssist. ~10 mins later: Redirected to ciscocyber[.]com/verify.php. (Then) ‘updater.exe’ deployed (disguised as legitimate updater).”

GBHackers explains that “the infection sequence begins via a social engineering vector in which threat actors impersonate Senior IT Staff by spoofing display names in Microsoft Teams call notifications. Victims receive unexpected calls from what appears to be legitimate internal IT support personnel.”
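For defenders, the sequence described above (an external Teams call, a Quick Assist launch, then a web visit and a new executable roughly ten minutes later) can be hunted as a time correlation per host rather than by file name alone. The following Python is an added example, not code from SpiderLabs, GBHackers or this article; the event schema, host names, timestamps and both time windows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed correlation windows; the report cites roughly 10 minutes for the second step.
CALL_TO_ASSIST = timedelta(minutes=15)      # external call -> Quick Assist launch
ASSIST_TO_FOLLOWUP = timedelta(minutes=30)  # Quick Assist launch -> follow-on activity

# Constructed sample telemetry: (timestamp, host, event kind, detail). Schema is hypothetical.
EVENTS = [
    ("2025-01-06T09:00:05", "pc-17", "teams_call", "external"),
    ("2025-01-06T09:03:40", "pc-17", "process_start", "QuickAssist.exe"),
    ("2025-01-06T09:13:55", "pc-17", "web_request", "ciscocyber[.]com/verify.php"),
    ("2025-01-06T09:14:30", "pc-17", "process_start", "updater.exe"),
    ("2025-01-06T11:20:00", "pc-22", "process_start", "QuickAssist.exe"),  # no call first
    ("2025-01-06T14:00:00", "pc-31", "teams_call", "external"),
    ("2025-01-06T15:30:00", "pc-31", "process_start", "QuickAssist.exe"),  # 90 min after call
]

def find_chains(events):
    """Flag hosts where Quick Assist starts shortly after an external Teams call."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail.lower()))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        calls = [t for t, k, d in evs if k == "teams_call" and d == "external"]
        for t_qa, kind, detail in evs:
            if kind != "process_start" or detail != "quickassist.exe":
                continue
            if not any(timedelta(0) <= t_qa - c <= CALL_TO_ASSIST for c in calls):
                continue
            # Collect what happened on the host right after remote assistance began.
            followups = [d for t, k, d in evs
                         if k in ("web_request", "process_start")
                         and timedelta(0) < t - t_qa <= ASSIST_TO_FOLLOWUP]
            severity = "high" if any(f.endswith(".exe") for f in followups) else "review"
            alerts.append({"host": host, "quickassist_at": t_qa.isoformat(),
                           "severity": severity, "followups": followups})
    return alerts

if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

A Quick Assist session with no preceding external call, or one that starts long after a call, is left alone, which keeps routine help desk sessions out of the alert queue.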

In a Dec. 10 report, KnowBe4 says that while voice attacks (vishing) “remains at relatively low levels versus other payloads, with the rise of deepfakes it’s emerging as part of hyper-targeted kill chains that make the risk both personal and technical.”

And this has been proven in the real world, with vishing “reported as a successful tactic in the kill chain for the Scattered Spider criminal gang and their affiliates during their onslaught of attacks on retail and manufacturing giants worldwide.”

That’s the real message: this use of multiple parallel channels to execute an attack. A concerning shift to these so-called “multi-step kill chains” is set to accelerate in 2026.


“Attackers combine email, messaging apps, and voice to build credibility and bypass defenses,” KnowBe4 told me. “Vishing has surged 449% year-over-year, driven by AI-generated deepfake audio that increases the sophistication and effectiveness of impersonation attacks. Once a niche tactic, vishing is now a highly effective, AI-enhanced element of modern social engineering campaigns.”

Little surprise that Microsoft’s Teams roadmap now includes a quick option to report a suspicious call, due to go live in February. This will let users “flag calls they believe are unusual or suspicious. When a call is reported, the signal helps Microsoft strengthen security measures and reduce future unwanted or malicious call activity. This feature empowers users to actively contribute to real-time threat detection.”

Beware — this type of attack is only going to get worse.

Do not take these calls. Period.