Multiple unsolicited Google verification codes

About a day ago I started getting SMS security codes from Google that I hadn’t asked for. So far I’ve had about 30. They are coming from Google itself (Google Messages says the sender is “verified”). I’ve chosen category ‘Scams’ because it could be one in the making, but that isn’t a certainty.

Have other CHOICE Community members seen this? And has anyone any idea what’s causing it?

I do have Google accounts, and two of them have this phone number as a 2FA option and as a recovery phone.

I’m aware of scams that involve sending unsolicited SMS security codes to recovery phone numbers, but this doesn’t seem consistent with any of the known ones. All I’m seeing is the codes. The texts just contain a code, no links. There are no follow-up texts or emails claiming to be from Google or a bank or the like and asking me to forward the code to some scammer. Nothing seems amiss on any of my Google accounts (but I changed the passwords, just in case).

If someone had been repeatedly trying to break into those accounts, Google would have notified me about suspicious activity, but there’s been nothing from Google about it.

Apparently, plenty of others are being similarly spammed, and some of them don’t even have their mobile number as a Google account 2FA option or recovery phone. See the Whirlpool forums thread “Getting spammed with google verification codes” that started on 6 September and has continued to now (latest post was last night).

It’s beginning to seem more like a bug of some kind rather than a scam, but I haven’t been able to find any other information about it.

4 Likes

I have a Google account, used for Gmail and Youtube, on various devices from phone to tablet to TVs.

But not hit by this SMS phenomenon. But then I have not set up for SMS delivered MFA with Google.

And then again, I don’t make my mobile phone number public domain knowledge to every Tom, Dick and Harry out there. Email yes, but that is easily dealt with for pests.

2 Likes

Could be worse: I’ve been getting $2 deductions and refunds every couple of days for 3 weeks under Google code verification request.

1 Like

I hadn’t been hit by this phenomenon until just after midnight last Friday, either. Your turn might come! :laughing:

… but seriously, do note that some people responding to the Whirlpool thread are affected and did NOT have their number associated with Google 2FA or account recovery.

I’m not particularly promiscuous with my phone number either, but there are times when you do have to give it to someone / some company … especially if, like MyGov, it’s the only form of 2FA they offer.

I received about another 30 codes in the past 24 hours, so the count is over 60 now. About the same number during the day as overnight.

1 Like

Are the requests verified as from Google? If you’re using Google Messages, a verified sender will be identified like this, with its logo and a blue tick at the top of the conversation:
[Screenshot: Google Messages]

Yours certainly does sound like a scam of some kind, especially if there’s a link that it’s inviting you to go to.

1 Like

It’s not an SMS, it’s actual charges to my bank statement and matching reversal.

Personally I think it is not a scam so much as a hack attempt.

I envisage if I was to do such a fraud

Enter card
Google attaches a digit code, i.e. # 97, into the payment reference for the card owner
The fraud tries 88,
and tries each day repeatedly indefinitely

until they are lucky, BINGO, get success on the right code as Google attached digit code, i.e. # 88

1 Like

Several things come to mind here.

It could be a ‘pilot’ direct debit attempt on your account. Something very small that could go unnoticed, but if successful could mean a much bigger direct debit follows.

Have you bought something on the Google playstore that wants $2 to use, and the authorization is not being granted via an SMS delivered confirmation?

1 Like

Yes, I’ve been getting multiple SMS every day.
Googling it shows that there’s a bit of it going on, and one Google forum stated that it’s been “referred to our engineers”.
https://support.google.com/accounts/thread/235285575/a-are-you-receiving-multiple-verification-codes-you-did-not-request-for-google-account-recovery?hl=en

2 Likes

Thanks, @stephench.

Re the Google forum you linked, I don’t think there’d necessarily have had to be phone number leaks associated with this. As with spam/scam calls to landlines, brute force dialling easily finds active numbers, and the scammers just compile lists of active mobile numbers and feed them into whatever process they’re using to try to steal the number or scam the owner.

As for how they’re generating the codes: Google Voice isn’t available in Australia, but you can link another phone number to a Voice account (as a contact or to have calls redirected to that number, for example). That generates a code to check the number before linking it.

So if it’s possible to link an existing non-US/Canada phone number to a Voice account, that could be how they’re doing this with Australian mobile numbers.

1 Like

I use Google 2FA. It doesn’t send me SMS messages though, it requests that I open the GMail app and type in the code which appears (automatically) in that app.

If these messages are SMS then I suspect a scam. Remember that the sender in an SMS can be forged trivially.

1 Like

Yes, apparently the Gmail app is now able to do the sort of sender verification that the Google Messages app has had for some time. Gmail is adding a blue checkmark to better verify senders | 9to5google.com.

Google introduced a ‘verified sender’ function to its Android Messages app several years ago, and has now extended the idea to the Gmail app, as you’ve confirmed.

All of the Google codes I’ve received so far in this incident have been verified by my Google Messages app as coming from Google itself.

1 Like

If the messages are legitimately coming from Google, it seems likely that someone has obtained your password, and keeps trying it hoping you’ll acknowledge the request. I recommend you change your Google password.
If the messages are not legitimate verification from Google for an illegitimate login, then there’s no harm in changing your password (except having to learn a new one or record it offline somewhere others won’t find it).

2 Likes

There is another possibility. Some people have gotten confused over what their email address is. They attempt to use yours. Then they get confused when their 2FA does not work and they try again. A few people have tried to use my Gmail account. I know the other people are not scammers.

1 Like

Welcome to the community, @GregNash!

When I first started getting these codes - last Friday - I conducted a thorough investigation of my Google accounts, including changing the passwords.

I couldn’t find any evidence of unusual activity, so I tested Google’s “suspicious activity” alert system by deliberately doing what a scammer with my password but nothing more might do.

I got an immediate alert from Google about it.

There haven’t been any other alerts from Google about any of the accounts.

So I’m concluding that no-one’s been trying to break into those accounts. If they had been, the sheer number of attempts would’ve raised alarm bells for sure.

The codes have kept coming unabated - and I’m not alone. A large number of Australians have been being spammed with these Google codes as of early this month.

At least some of the numbers being spammed are not associated with any Google account.

I’ve already described one way that scammers could have triggered genuine Google codes to numbers of their choosing, and it doesn’t require their knowing anything at all about the owner of that number or their Google accounts.

I’m alert but not alarmed - until there’s further evidence that the scammers are actually doing something with these codes.

Yes, that can certainly trigger unexpected codes. With this particular ongoing incident, though, the sheer number of people affected and the volume of codes being sent to each number makes such an innocent scenario unlikely.

1 Like

Could be someone is logging in as you with your password and the confirmation email is coming to you instead of them, which is why two-factor authorisation is effective.

2 Likes

Yes, that is one of several typical reasons for unsolicited SMS codes. The hacker has to have your password, though. If it’s a Google account and they keep entering the password but failing to provide the 2FA code, there’ll be a Google alert about suspicious behaviour.

This particular incident is something different, though. Read these previous posts explaining why.

It is probably scammers trying out methods of generating real 2FA codes, but it might even be a Google bug.

1 Like

I’m cautiously hopeful that the code-bombardment is over. I haven’t had one for over a week!

Please post here if you start seeing any unsolicited Google codes.

There still hasn’t been an update from Google about this, although they were ‘investigating’. The Google Support link posted earlier hasn’t been updated since 23 September.

On the security front, Google is taking some steps towards getting rid of passwords entirely, introducing “passkeys” recently, and now making them the default:

Note: with that said, there has been no indication that this Google code spamming incident was associated with password theft or credential stuffing, ie actual break-in attempts on Google accounts. There’ve been no other signs of unauthorised attempts to log in to Google accounts, and in any case many of the people affected didn’t even have their phone linked to any Google account.