Deepfake Voice Google Workspace Support Scam
Criminals use AI-synthesised voices to impersonate Google Workspace support advisors on unexpected calls, pressuring IT administrators into resetting admin credentials, approving OAuth applications, or downloading 'diagnostic tools'.
Part of: Deepfake Voice Scams
Last reviewed: 8 June 2026
Google Workspace administrators have elevated privileges over an entire organisation's Google accounts, Drive files, Gmail, and Meet infrastructure. This makes them a premium target for social engineering attacks designed to extract admin credentials or trick them into approving malicious access.
AI voice synthesis has made it possible for scammers to impersonate the cadence and professional tone of a Google support representative convincingly. An unsolicited call claiming to be from Google's enterprise support team, warning of a critical security incident detected in the administrator's Workspace tenant, carries significant credibility when delivered in a polished AI voice.
The goal is to either get the admin to click a link to a fake Google Admin console page during the call, or to 'confirm' their admin credentials verbally to 'verify their identity' before the issue can be resolved.
How this scam works on the Google brand
Google's real Workspace support contacts customers through the Google Admin console's Support tab and through scheduled callback systems. Google does not place unsolicited outbound calls to admin accounts warning of security incidents.
The scam call begins with an automated message referencing the admin's real Workspace domain — a piece of information available from the domain's MX records or a public company listing. The AI voice then connects to a 'senior engineer' who describes a fabricated incident: a data export by a rogue user, a suspicious OAuth application approval, or an admin account sign-in from an unusual region.
During the call, the victim is asked to visit a support link sent via a follow-up email and log in to 'pull the logs'. The link goes to a fake Google Admin console page. Alternatively, the 'engineer' asks the admin to 'confirm' their admin email and then read out a recovery code from their authenticator app.
Common red flags
- An unexpected call claims to be Google Workspace or Google Enterprise Support with a security alert.
- The caller references your Workspace domain name — this information is public and does not prove the caller is Google.
- You are asked to visit a support link sent by email during the call — Google does not conduct real-time support sessions through emailed links.
- The 'engineer' asks for your admin password or an authenticator code to 'verify your identity'.
- The caller ID shows a Google support number — caller ID is easily spoofed.
- The call creates urgency: 'There is an active data exfiltration happening right now — we need your authorisation in the next five minutes.'
How to protect yourself
- Never give admin credentials or authentication codes to anyone who calls you unsolicited — Google does not request these by phone.
- Verify any claimed incident by logging directly into admin.google.com yourself and checking the Security > Alert center.
- Enable phishing-resistant authentication for your Google Workspace admin accounts using hardware security keys.
- Use Google's Context-Aware Access policies to restrict admin console access to trusted devices and networks.
- Brief your IT team that Google support callbacks must be initiated by you through the Admin console's Support tab, not the other way around.
- Review the OAuth apps approved in your Workspace tenant at admin.google.com > Security > API controls.
How to report it
- Report suspicious calls and phishing emails to Google at [email protected].
- Report Google Workspace security incidents through the Admin console's Support and security alert tools.
- Report to the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- If admin credentials were compromised, contact Google Workspace support immediately through admin.google.com.
Frequently asked questions
How does Google actually contact Workspace administrators about security incidents?
Google sends security alerts via email to the admin contact address and through the Alert center in the Admin console at admin.google.com. Scheduled callbacks can be arranged through the Admin console's Support tab — Google does not place unsolicited cold calls.
Can an attacker access all user accounts in a Workspace if they get the admin credentials?
Yes. A super admin account has the ability to reset user passwords, access Drive files, and configure security settings across the entire organisation. This is why admin accounts warrant the highest level of protection.
What should I do if I gave my admin credentials to the caller?
Immediately go to admin.google.com and change the admin account password, revoke all active sessions, review recently approved OAuth apps, and contact Google Workspace enterprise support through the Admin console's Support tab.
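The OAuth review recommended under "How to protect yourself" and in the answer above can be scripted once the tenant's token audit log has been exported. The following is an added example, not part of the original page or any Google tooling: it assumes the export is JSON in the shape of Admin SDK Reports API "token" activities, and every account, app name and client ID in the sample is constructed.

```python
import json
from datetime import datetime

# Scope prefixes treated as high-risk (an assumption for this example; tune per tenant).
SENSITIVE = ("https://mail.google.com/",
             "https://www.googleapis.com/auth/gmail",
             "https://www.googleapis.com/auth/drive",
             "https://www.googleapis.com/auth/admin.")

# Constructed sample shaped like Reports API "token" activities (all values made up).
SAMPLE = json.loads("""[
 {"id": {"time": "2026-01-15T14:12:31.000Z"}, "actor": {"email": "admin@example.com"},
  "events": [{"name": "authorize", "parameters": [
    {"name": "app_name", "value": "Workspace Diagnostics"},
    {"name": "client_id", "value": "000000000000-constructed.apps.googleusercontent.com"},
    {"name": "scope", "multiValue": ["https://mail.google.com/",
                                     "https://www.googleapis.com/auth/drive"]}]}]},
 {"id": {"time": "2026-01-15T14:20:05.000Z"}, "actor": {"email": "user@example.com"},
  "events": [{"name": "authorize", "parameters": [
    {"name": "app_name", "value": "Calendar Widget"},
    {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
 {"id": {"time": "2026-01-09T09:00:00.000Z"}, "actor": {"email": "admin@example.com"},
  "events": [{"name": "authorize", "parameters": [
    {"name": "app_name", "value": "Backup Tool"},
    {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive"]}]}]}
]""")

def parse_time(ts):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def risky_grants(activities, since):
    """Return OAuth 'authorize' events at or after `since` that carry a sensitive scope."""
    findings = []
    for act in activities:
        when = parse_time(act["id"]["time"])
        if when < since:
            continue
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = {x["name"]: x.get("multiValue") or x.get("value")
                 for x in ev.get("parameters", [])}
            scopes = p.get("scope") or []
            scopes = [scopes] if isinstance(scopes, str) else scopes
            hits = [s for s in scopes if s.startswith(SENSITIVE)]
            if hits:
                findings.append({"time": when.isoformat(), "actor": act["actor"]["email"],
                                 "app": p.get("app_name"), "client_id": p.get("client_id"),
                                 "scopes": hits})
    return findings
```

Call `risky_grants(SAMPLE, parse_time("2026-01-15T14:00:00Z"))` with the time the suspicious call began; each finding is a grant to revoke or justify.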