About a day ago I started getting SMS security codes from Google that I hadn’t asked for. So far I’ve had about 30. They are coming from Google itself (Google Messages says the sender is “verified”). I’ve chosen category ‘Scams’ because it could be one in the making, but that isn’t a certainty.
Have other CHOICE Community members seen this? And has anyone any idea what’s causing it?
I do have Google accounts, and two of them have this phone number as a 2FA option and as a recovery phone.
I’m aware of scams that involve sending unsolicited SMS security codes to recovery phone numbers, but this doesn’t seem consistent with any of the known ones. All I’m seeing is the codes. The texts just contain a code, no links. There are no follow-up texts or emails claiming to be from Google or a bank or the like and asking me to forward the code to some scammer. Nothing seems amiss on any of my Google accounts (but I changed the passwords, just in case).
If someone had been repeatedly trying to break into those accounts, Google would have notified me about suspicious activity, but there’s been nothing from Google about it.
Apparently, plenty of others are being similarly spammed, and some of them don’t even have their mobile number as a Google account 2FA option or recovery phone. See the Whirlpool forums thread Getting spammed with google verification codes that started on 6 September and has continued to now (latest post was last night).
It’s beginning to seem more like a bug of some kind rather than a scam, but I haven’t been able to find any other information about it.
I hadn’t been hit by this phenomenon until just after midnight last Friday, either. Your turn might come!
… but seriously, do note that some people responding to the Whirlpool thread are affected and did NOT have their number associated with Google 2FA or account recovery.
I’m not particularly promiscuous with my phone number either, but there are times when you do have to give it to someone / some company … especially if, like MyGov, it’s the only form of 2FA they offer.
I received about another 30 codes in the past 24 hours, so the count is over 60 now. About the same number during the day as overnight.
Re the Google forum you linked, I don’t think there’d necessarily have had to be phone number leaks associated with this. As with spam/scam calls to landlines, brute-force dialling easily finds active numbers, and the scammers just compile lists of active mobile numbers and feed them into whatever process they’re using to try to steal the number or scam the owner.
As for how they’re generating the codes: Google Voice isn’t available in Australia, but you can link another phone number to a Voice account (as a contact or to have calls redirected to that number, for example). That generates a code to check the number before linking it.
So if it’s possible to link an existing non-US/Canada phone number to a Voice account, that could be how they’re doing this with Australian mobile numbers.
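The scenario sketched in the last two posts (an attacker feeding a list of harvested mobile numbers into a legitimate "link this number" feature so the service itself sends the codes) is, from the service's side, a missing-throttle problem. The snippet below is an added illustration and is not Google's code, nor anything posted in this thread or on Whirlpool; the two limits it enforces (three codes per destination per hour, five distinct destinations per requesting account per hour) and the phone numbers in the demo are constructed for the example. It shows why throttling on the destination number alone is not enough: one account fanning out across many numbers, and many accounts hammering one number, are separate abuse patterns and need separate limits, and the throttle events are what a defender would want to alert on.

```python
from collections import defaultdict, deque


class VerificationSender:
    """Throttles verification-code sends in two dimensions (assumed policy):
    - per destination number: at most max_per_number sends per window
    - per requester (the account asking to verify/link a number): at most
      max_numbers_per_requester distinct destinations per window
    Nothing is actually sent; the class only decides and records.
    """

    def __init__(self, max_per_number=3, max_numbers_per_requester=5,
                 window_seconds=3600):
        self.max_per_number = max_per_number
        self.max_numbers_per_requester = max_numbers_per_requester
        self.window = window_seconds
        self._by_number = defaultdict(deque)   # phone -> timestamps of sends
        self._by_requester = defaultdict(dict) # requester -> {phone: last send}
        self.audit = []                        # (ts, requester, phone, reason)

    def _prune(self, q, now):
        # Drop send timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def request_code(self, requester, phone, now):
        """Return 'sent' or 'throttled'; throttles are written to the audit log."""
        q = self._by_number[phone]
        self._prune(q, now)
        if len(q) >= self.max_per_number:
            self.audit.append((now, requester, phone, "number_rate_limit"))
            return "throttled"
        targets = self._by_requester[requester]
        for p, ts in list(targets.items()):      # expire old destinations
            if now - ts >= self.window:
                del targets[p]
        if phone not in targets and len(targets) >= self.max_numbers_per_requester:
            self.audit.append((now, requester, phone, "requester_fanout_limit"))
            return "throttled"
        q.append(now)
        targets[phone] = now
        return "sent"

    def flagged_requesters(self, threshold=10):
        """Requesters with at least `threshold` throttle events: alerting input."""
        counts = defaultdict(int)
        for _, requester, _, _ in self.audit:
            counts[requester] += 1
        return {r: c for r, c in counts.items() if c >= threshold}


def run_demo():
    """Constructed traffic: a fan-out attacker, a one-number bombardment,
    and one legitimate request, all inside a single window."""
    s = VerificationSender()
    t = 0.0
    stats = defaultdict(int)
    # Scenario 1: one account requests codes for 20 harvested numbers, 3x each.
    harvested = [f"+6140000{i:04d}" for i in range(20)]  # constructed numbers
    for phone in harvested:
        for _ in range(3):
            stats["fanout_" + s.request_code("attacker-acct", phone, t)] += 1
            t += 1.0
    # Scenario 2: ten different accounts each request a code for one victim.
    victim = "+61400009999"
    for i in range(10):
        stats["bomb_" + s.request_code(f"acct-{i}", victim, t)] += 1
        t += 1.0
    # A genuine user verifying their own number is unaffected.
    stats["legit_" + s.request_code("alice", "+61400001234", t)] += 1
    return dict(stats), s.flagged_requesters()


if __name__ == "__main__":
    counts, flagged = run_demo()
    print(counts)
    print("flag for review:", flagged)
```

Per-number limits alone would have let the fan-out account send three codes to every one of the 20 numbers; the per-requester fan-out cap is what stops that, and the audit log makes the single account responsible stand out.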
If the messages are legitimately coming from Google, it seems likely that someone has obtained your password, and keeps trying it hoping you’ll acknowledge the request. I recommend you change your Google password.
If the messages are not legitimate verification from Google for an illegitimate login, then there’s no harm in changing your password (except having to learn a new one or record it offline somewhere others won’t find it).
There is another possibility. Some people have gotten confused over what their email address is. They attempt to use yours. Then they get confused when their 2FA does not work and they try again. A few people have tried to use my Gmail account. I know the other people are not scammers.
When I first started getting these codes - last Friday - I conducted a thorough investigation of my Google accounts, including changing the passwords.
I couldn’t find any evidence of unusual activity, so I tested Google’s “suspicious activity” alert system by deliberately doing what a scammer with my password but nothing more might do.
I got an immediate alert from Google about it.
There haven’t been any other alerts from Google about any of the accounts.
So I’m concluding that no-one’s been trying to break into those accounts. If they had been, the sheer number of attempts would’ve raised alarm bells for sure.
The codes have kept coming unabated - and I’m not alone. A large number of Australians have been spammed with these Google codes as of early this month.
At least some of the numbers being spammed are not associated with any Google account.
I’ve already described one way that scammers could have triggered genuine Google codes to numbers of their choosing, and it doesn’t require their knowing anything at all about the owner of that number or their Google accounts.
I’m alert but not alarmed - until there’s further evidence that the scammers are actually doing something with these codes.
Yes, that can certainly trigger unexpected codes. With this particular ongoing incident, though, the sheer number of people affected and the volume of codes being sent to each number makes such an innocent scenario unlikely.
Yes, that is one of several typical reasons for unsolicited SMS codes. The hacker has to have your password, though. If it’s a Google account and they keep entering the password but failing to provide the 2FA code, there’ll be a Google alert about suspicious behaviour.
This particular incident is something different, though. Read these previous posts explaining why.
It is probably scammers trying out methods of generating real 2FA codes, but it might even be a Google bug.
I’m cautiously hopeful that the code-bombardment is over. I haven’t had one for over a week!
Please post here if you start seeing any unsolicited Google codes.
There still hasn’t been an update from Google about this, although they were ‘investigating’. The Google Support link posted earlier hasn’t been updated since 23 September.
On the security front, Google is taking some steps towards getting rid of passwords entirely, introducing “passkeys” recently, and now making them the default:
Note: with that said, there has been no indication that this Google code spamming incident was associated with password theft or credential stuffing, i.e. actual break-in attempts on Google accounts. There’ve been no other signs of unauthorised attempts to log in to Google accounts, and in any case many of the people affected didn’t even have their phone linked to any Google account.