Identity, Privacy, Data Security

Google Voice scams tied to majority of compromised identities

Google app icons are seen on a smartphone screen

The number of identity crimes reported to the nonprofit Identity Theft Resource Center last year was 14,817, which was slightly off from the all-time high it received in 2021.

The 2022 figure in its Trends in Identity Report is less than 1% down from the 14,917 reported to the ITRC in 2021, with 55% of the identity crime cases coming from compromised credentials, 40% of reported as cases of misused credentials and 1% of reported cases coming from victims who were notified of attempts that were ultimately unsuccessful.

Victims’ misused identities were mostly used for account takeovers at 61%, while new account creation made up 32% of victims. Social media accounts were still the top type of account takeover in 2022, but about 30% of existing account takeovers were financial accounts — primarily bank and credit card accounts — and 62% were new financial account creations.

A whopping 80% of compromised identity credentials were used in scams, up from 77% last year. Scams involving Google Voice again dominated the number of identity compromises, with nearly two-thirds of victims (61%) who contacted the ITRC being victims of the scam.

A Google Voice verification scam is a deceptive tactic used by criminals in the United States and overseas to exploit the process of enabling a Google Voice account, explained Scott Hermann, CEO of IDIQ, an identity theft protection and credit monitoring firm that conducted the report with the ITRC.  

Scammers will often obtain a victim’s phone number from an online sales listing or social media platform and initiate contact with the victim pretending to be an interested buyer. Saying they want to confirm that the victim is a legitimate seller, the scammer asks the victim to send them a Google verification code so they can create a Google Voice account associated with the victim’s phone number, which lets the scammer engage in fraudulent activity linked to the victim, Hermann continued.

Cybersecurity professionals with a Google Voice number, especially one used for work, can be targeted and could have profound implications if it’s associated with their company, Hermann said. It's crucial to educate employees on the importance of using strong passwords and enabling two-factor authentication to help prevent compromised credentials and misuse of company information and platforms, he continued.

While the annual report focuses on 2022 statistics, trends from the first quarter of 2023 show that the number of contacts to the center grew compared with the same period last year; assistance for multiple accounts being compromised increased, while single account compromises dropped 10%; and more victims contacted the center for personal information compromise rather than misuse by nearly 20%.

However, the news in the first quarter of 2023 isn’t all bad: the ITRC reported a surge in the number of people requesting preventative information.

With the public’s interest in new technologies such as artificial intelligence, it's increasingly important that consumers and businesses take due diligence to a whole new level before responding to unsolicited emails, texts, and DMs on social platforms and sharing information on websites, said ITRC COO James Lee. 

Lee said the ITRC does not have direct reports of AI’s role in email or phishing scams, but the media has reported on AI being used to clone voices and create realistic emails and websites for phishing.

“There's little doubt that generative AI will make detecting and preventing certain kinds of identity crimes more difficult. Technology is agnostic, but users are not,” Lee said. “Financially motivated criminals will use the power of AI to improve the quality of their phishing lures, malicious code, and any kind of attack that can be done at scale.”

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.