DEV Community

rnits

Posted on • Originally published at rnits.com

That Call From Google Support? It's a Scam — How Vishing Attacks Target Small Businesses

A managed service provider posted on Reddit last week about a call they received from what appeared to be an official Google phone number. The caller claimed a "legacy request" had been submitted for the Gmail account tied to their phone. The whole thing sounded legitimate — official-sounding language, a real Google number on the caller ID, and just enough urgency to make you act before thinking.

It was a scam, and it is hitting businesses across the country right now.

This type of attack is called vishing — voice phishing — and it has exploded over the past year. Vishing attacks increased by over 440% between 2024 and 2025. The FBI's Internet Crime Report lists phishing and spoofing as the number one cybercrime by complaint volume, with over 190,000 reports and $215 million in losses in 2025 alone.

When your phone shows "Google" on the caller ID, most people trust it. That trust is the entire mechanism of the attack.

[Illustration: a business owner receiving a suspicious phone call with a spoofed Google caller ID on their smartphone]

How the Google phone spoofing scam works

The attack follows a predictable pattern, but it is polished enough to fool experienced IT professionals — not just the person at the front desk who does not deal with technology every day.

Step 1: The call comes in. Your phone displays a real Google phone number, often +1-650-253-0000 (the genuine number for Google's Mountain View headquarters). The caller introduces themselves as someone from Google's account security team.

Step 2: They create urgency. The caller tells you that suspicious activity has been detected on your Google account, or that someone has submitted a "legacy request" or "account recovery request" that you did not authorize. The language is designed to make you feel like your account is under attack right now.

Step 3: They ask you to verify. To "protect" your account, they ask you to confirm a code sent to your phone, share your password, approve an MFA prompt, or click a link they text you. Some versions ask you to install a "security tool" — which is actually remote access software.

Step 4: They take over. Once they have your credentials or MFA approval, they are in. They can lock you out of your Google Workspace, access every email, document, and contact in that account, and use it as a launchpad for attacking your employees, clients, or vendors.

The whole thing takes about five minutes. Calm, professional, and familiar enough with Google's actual processes to sound credible.

Why the caller ID shows a real Google number

Caller ID spoofing is not new, but it has gotten cheaper and more accessible. Attackers use VoIP (Voice over IP) services that let them set any number they want as the outgoing caller ID. The technology that is supposed to prevent this — called STIR/SHAKEN — is only partially enforced, and many carriers still do not flag spoofed calls reliably.

The result is that your phone displays "Google" with a legitimate number, and there is no visual indication that the call is fake. Even if you Google the number while on the call, it checks out.

Some attackers go further. They will send a legitimate-looking email from a compromised or lookalike domain before calling, so when they reference "the email we sent you earlier," it feels like a coordinated, real process. A few operations have been caught using platforms like Salesforce CRM to send emails that pass SPF, DKIM, and DMARC checks — the standard email authentication protocols that are supposed to filter out fakes.

Why small businesses are the primary target

Large enterprises usually have dedicated security operations centers, established verification procedures, and security awareness programs that train employees to handle these calls. Small businesses typically do not.

Companies with 10 to 100 employees get hit hardest. We have seen this firsthand with businesses across New Hampshire and Massachusetts — the same gaps show up again and again.

Shared admin accounts. Many small businesses have one or two Google Workspace admin accounts that multiple people use. If an attacker compromises that shared credential, they own everything — email, Drive, calendar, and the ability to reset any other user's password.

No call verification protocol. When someone calls claiming to be from Google, most employees do not have a documented process for how to handle it. They either try to deal with it themselves or forward it to whoever seems most technical.

Thin IT coverage. If your IT is one person or an outsourced provider you reach by email, there is nobody to quickly verify whether a call is real. The attacker knows this and exploits the gap between "something seems wrong" and "I can get someone to check."

Google Workspace is the keys to the kingdom. For many small businesses, Google Workspace is not just email. It is file storage, shared drives, calendar scheduling, client communications, and sometimes even the login system for other tools via Google SSO. Losing control of it means losing control of operations.

High trust in Google. Business owners and employees trust Google as a brand. A call "from Google" does not trigger the same suspicion as a call from an unknown number or a random company.

[Illustration: an office team discussing phone security protocols, with a verification checklist on a whiteboard]

The AI factor making vishing worse

What is different about vishing in 2026 compared to a few years ago is the quality of the calls. AI-generated voice technology has made it possible for attackers to sound exactly like a professional support representative — calm, articulate, and reading from a script that anticipates your questions.

Reports from security firms show that AI-powered deepfake voice attacks increased by over 1,600% between late 2024 and early 2025. The calls are no longer the obvious, heavily-accented scam calls that most people recognize. They sound like the real thing because the voice itself may be cloned from actual customer support recordings that are publicly available.

Some vishing operations now use AI to:

  • Generate natural-sounding conversations that adapt to what the victim says
  • Clone the voice of a real person the victim knows (like their IT provider or a colleague)
  • Operate at scale, making thousands of calls per day with consistent quality
  • Follow up with legitimate-looking emails or text messages to reinforce the story

A spoofed caller ID plus an AI-generated voice means you cannot tell these apart from a real call by listening. "It sounded legit" is no longer a defense.

What Google actually does (and does not do)

Knowing how Google actually operates makes these calls easy to spot.

Google does not call you proactively about account security. If there is a security issue with your Google account, Google sends an email to your recovery email address or shows an alert when you log in. They do not pick up the phone and call you.

Google does not ask for your password over the phone. No legitimate Google support representative will ever ask for your password, ask you to read back a verification code, or ask you to approve an MFA prompt during an unsolicited call.

Google support calls only happen when you initiate them. If you are a Google Workspace customer and you open a support case, Google may call you back at a number you provide. But that call comes after you requested it, from a case number you already have.

There is no "legacy request" process that works via phone. The "legacy request" language in the current scam is fabricated. Google's actual Inactive Account Manager (their real legacy feature) works entirely through email and account settings — no phone calls involved.

If someone calls you claiming to be from Google and asks you to do anything with your account, hang up. That is not a suggestion — it is the correct response every single time.

What your business should do right now

You do not need expensive tools to defend against vishing. You need a clear process and employees who know what to do.

1. Establish a "never verify by inbound call" rule

Make it a company-wide policy: no one confirms credentials, approves MFA prompts, or shares account information during a call they did not initiate. If someone claims to be from Google, Microsoft, your bank, or any vendor, the response is always the same — hang up and call back using the number from the vendor's official website.

Write this down. Put it in your employee handbook. Bring it up in your next team meeting. The simpler the rule, the more likely people follow it.

2. Eliminate shared admin accounts

Every person who needs admin access to Google Workspace should have their own individual admin account with their own MFA. Shared credentials mean that if one person falls for a vishing call, the attacker gets the keys to everything. Individual accounts also give you an audit trail — you can see exactly who did what and when.

3. Enforce hardware-based MFA

Standard SMS-based two-factor authentication is not enough. The current Google spoofing scam specifically targets SMS codes — the attacker asks you to read the code back to them. Hardware security keys (like YubiKeys) or passkeys stored on your device are significantly harder to phish because they require physical possession of the device and verify the actual website domain, not just a code.

Google Workspace supports security keys natively. For admin accounts especially, this should be mandatory.

4. Run a vishing simulation

Most businesses have done email phishing simulations. Few have done phone-based ones. Work with your IT provider to run a vishing exercise where someone calls your staff with a realistic pretext and sees how they respond. The results are usually eye-opening — and they make the training real in a way that reading a policy document does not.

5. Monitor Google Workspace admin logs

Google Workspace provides an admin audit log that shows every significant action — password resets, MFA changes, new device logins, permission changes. Set up alerts for high-risk actions like admin password changes, new admin accounts being created, or MFA being disabled. If an attacker does get in, early detection limits the damage.

[Illustration: a security checklist with phone verification steps, an MFA hardware key, and a Google Workspace admin dashboard]

What to do if someone on your team already fell for it

If you suspect a vishing attack has succeeded, move fast:

  1. Change the compromised account password immediately from a different device that you trust
  2. Revoke all active sessions in Google Workspace admin — this forces the attacker out even if they are currently logged in
  3. Check the admin audit log for any changes made during the window of compromise — look for new forwarding rules, app passwords, recovery email changes, or permission escalations
  4. Reset MFA and re-enroll with a hardware key or passkey, not SMS
  5. Notify your team that the account was compromised and to ignore any unusual emails or requests that came from it
  6. Contact your IT provider for a full incident assessment — the attacker may have accessed shared drives, client data, or other connected services
  7. Report the scam to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov and to Google directly

The first 30 minutes after discovery matter the most. Having a written incident response plan means your team knows these steps before they need them — not during the panic of figuring it out in real time.
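As an added example (not code from the post or from Google), the triage pass described in step 5 and in the checklist above, written as a small Python script: it walks a set of admin audit records and flags the high-risk actions the post names (password changes, new admins, MFA disabled, recovery email changes, forwarding rules) inside a suspected window of compromise. The record shape loosely follows Workspace Reports API activity entries, but the event names, addresses and timestamps are assumed and constructed for this example.

```python
from datetime import datetime, timezone

# Event names the post says should trigger alerts. These names are assumed
# for this example; map them to whatever your audit export actually emits.
HIGH_RISK = {
    "CHANGE_PASSWORD": "password changed",
    "GRANT_ADMIN_PRIVILEGE": "new admin account",
    "DISABLE_2SV": "MFA disabled",
    "CHANGE_RECOVERY_EMAIL": "recovery email changed",
    "CREATE_EMAIL_FORWARDING": "mail forwarding rule added",
}

def rec(time, actor, name, target=None):
    """One constructed audit record, roughly shaped like a Workspace Reports API entry."""
    params = [{"name": "USER_EMAIL", "value": target}] if target else []
    return {"id": {"time": time}, "actor": {"email": actor},
            "events": [{"name": name, "parameters": params}]}

# Constructed sample export (not real log data).
SAMPLE_EXPORT = [
    rec("2026-03-01T16:20:00Z", "it@example.com", "GRANT_ADMIN_PRIVILEGE", "newhire@example.com"),
    rec("2026-03-02T14:03:11Z", "admin@example.com", "CHANGE_PASSWORD", "admin@example.com"),
    rec("2026-03-02T14:04:30Z", "admin@example.com", "CHANGE_CALENDAR_SETTING"),
    rec("2026-03-02T14:05:40Z", "admin@example.com", "DISABLE_2SV", "admin@example.com"),
    rec("2026-03-02T14:06:02Z", "admin@example.com", "CREATE_EMAIL_FORWARDING", "owner@example.com"),
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def flag_high_risk(records, window_start, window_end):
    """Return high-risk events whose timestamp falls inside the window, oldest first."""
    start, end = parse_time(window_start), parse_time(window_end)
    findings = []
    for record in records:
        if not (start <= parse_time(record["id"]["time"]) <= end):
            continue
        for ev in record["events"]:
            reason = HIGH_RISK.get(ev["name"])
            if reason is None:
                continue  # routine admin activity, not worth an alert
            target = next((p["value"] for p in ev["parameters"] if p["name"] == "USER_EMAIL"), "<unknown>")
            findings.append({"time": record["id"]["time"], "actor": record["actor"]["email"],
                             "event": ev["name"], "target": target, "reason": reason})
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    # Window of compromise: the call came in around 14:00 UTC on March 2 (constructed scenario).
    for f in flag_high_risk(SAMPLE_EXPORT, "2026-03-02T13:30:00Z", "2026-03-02T15:00:00Z"):
        print(f"{f['time']} {f['actor']} -> {f['target']}: {f['reason']} ({f['event']})")
```

The same loop, pointed at a scheduled export of the real audit log, is the "alert on high-risk actions" step from section 5; the window arguments turn it into the post-incident check from the list above.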

These calls are getting better, not going away

Vishing works because it exploits trust and urgency — two things that technology alone cannot fully solve. The technical barriers to spoofing a phone number are low, AI is making the calls more convincing every month, and most businesses have no formal process for handling suspicious calls.

The defense is straightforward. A "hang up and call back" rule, individual admin accounts, hardware MFA, and basic awareness training block the vast majority of these attacks. None of that costs much. All of it requires someone to actually set it up.

The businesses that handle these scams well are the ones that prepared before the phone rang.


Written by The RNITS Company. For more information, visit www.rnits.com.