By Bill Hartzer, February 7, 2020 at 9:22am CST.
Scammers are using Craigslist ads to try to gain access to your Google Account. When the victim places an ad on Craigslist, the scammer responds, asking to call the victim. Once the scammer has the victim’s phone number, they have Google send a code to the victim’s phone and ask the victim to give it to them. With that code, they’re able to access the Google account.
The user HandwovenBox posted about this scam on Reddit.
Here is how the Craigslist Google account scam typically works:
- The victim posts an ad on Craigslist for an item, where the phone number is revealed in the ad.
- The victim gets a text message from the scammer, asking if they can call the victim.
- The text message comes from a phone number in the victim’s area code, so the victim trusts it. In reality, the scammer just faked the area code.
- The scammer tells the victim that there are scammers out there, so they need to verify the victim by sending a G-code to the victim’s phone. The scammer tells the victim to give them the G-code, and says they will then call the victim.
- The text with the code comes from Google.
- The scammers are hoping the victim won’t realize that giving the scammer the code will give the scammer access to the victim’s Google account.
Unfortunately, there are people out there who fall for this scam, which is meant to get access to the victim’s Google account.
The scammer has no intention of buying what the victim is selling on Craigslist; they only want to get access to the victim’s Google Account.
Google account access is, in fact, highly valuable to scammers because there can often be so many things attached to a Google Account. For example, Google Pay is attached to a Google Account, as are email, Google Voice, Google Drive, Google My Business, and Google Ads.
Review Your Google Account
There are several things you can do to secure your Google Account. Obviously, you need to protect your password and change it on a regular basis. I would regularly visit Google’s account security page to review the devices and apps that have access to your Google Account. You do need to turn on two-factor authentication, which essentially means that when you access your Google Account from an unknown device (or a new device), Google will send you a code (the code that the scammer above wanted to receive from the victim). That’s not enough, though, to fully protect your account. I recommend that you also set up Google Advanced Protection.
Google Advanced Protection
Google Advanced Protection is an extra layer of protection to help secure your Google Account. Google sends you two physical “keys” that must be used in order to access the account. When you log in through a new or untrusted device, you’ll be asked to use one of the keys to verify that it’s you trying to access the account. You’ll get a Bluetooth key and a USB/NFC type of key. I wrote about my experience setting up Google Advanced Protection, and wrote about the other benefits of using it.