Scammed out of $130K via fake Google call, spoofed Google email and auth sync

Scam mechanics and social engineering

  • Attack mirrors others reported in the thread: a phone call from “Google/coin” security or legal, plus a convincing follow‑up email, plus real Google account‑recovery or 2FA codes used as bait.
  • Core trick: attacker initiates a legit recovery/login flow, then urgently asks victim to “read back a code” to verify identity or prove they’re alive.
  • Once they obtain a Google recovery code and/or SMS code, they take over the Google account, then pivot to Coinbase via Google SSO and synced 2FA.

Email spoofing and Google’s role

  • Multiple commenters are confused or skeptical about how an email appearing as [email protected] made it through to Gmail.
  • Some speculate simple “display name” or homograph tricks; others think attackers may have abused Google services (Forms/Cloud/Sites/Salesforce‑like flows) to send from real Google servers.
  • There’s disagreement on whether DMARC/SPF/DKIM should have made such spoofing impossible; some insist Gmail would never let arbitrary users send as @google.com, others cite DKIM replay and misconfigured policies.
  • Lack of accessible headers in iOS Gmail is widely criticized as a security anti‑pattern.
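As an added example (not code from the thread), a small Python check of what the hidden headers would reveal: whether the identities that passed SPF and DKIM align with the visible From domain under DMARC's relaxed alignment. The header samples are constructed, and `org_domain` is a deliberate simplification of Public Suffix List logic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for this example, not messages from the thread.
# Sample 1: the From header claims google.com, but the identities that passed
# SPF and DKIM belong to an unrelated domain, so DMARC cannot align.
UNALIGNED = """\
From: "Google Account Security" <security@google.com>
To: victim@example.org
Subject: Urgent: read back the code we just sent
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce.lookalike.invalid; dkim=pass header.d=lookalike.invalid
"""

# Sample 2: the DKIM signing domain matches the From domain, so DMARC aligns.
ALIGNED = """\
From: "Google" <noreply@google.com>
To: victim@example.org
Subject: Security alert
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=noreply@google.com; dkim=pass header.d=google.com
"""

def org_domain(domain):
    # Simplification for the example: treat the last two labels as the
    # organizational domain. Real validators consult the Public Suffix List.
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def check_alignment(raw):
    """Report whether SPF/DKIM identities align with the visible From domain
    (DMARC relaxed alignment); this is the check a client without header
    access hides from the user."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    dkim = re.findall(r"dkim=pass[^;]*?header\.d=([\w.-]+)", auth)
    spf = re.findall(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", auth)
    dkim_ok = any(org_domain(d) == org_domain(from_domain) for d in dkim)
    spf_ok = any(org_domain(d) == org_domain(from_domain) for d in spf)
    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc_aligned": dkim_ok or spf_ok,
    }

if __name__ == "__main__":
    for label, raw in (("unaligned", UNALIGNED), ("aligned", ALIGNED)):
        print(label, check_alignment(raw))
```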

2FA, Authenticator cloud sync, and SSO

  • Big concern: Google Authenticator’s cloud sync means “something you have” effectively becomes “something stored in your Google account.”
  • If attackers own Gmail + Authenticator sync + Chrome Password Manager or Google SSO, they can often bypass 2FA elsewhere.
  • Several argue that TOTP codes tied to the same Google account email should not be treated as a true second factor; others counter that you can’t tell which app generated a code.
  • Many recommend hardware tokens (YubiKeys), passkeys, multi‑device TOTP setups, or non‑cloud TOTP apps; some highlight Coinbase vault and time‑delayed withdrawals as underused protections.

Crypto vs. traditional finance and blame

  • Crypto’s irreversibility and lack of consumer protections are contrasted with banks’ legal obligation (in some jurisdictions) to reimburse many forms of fraud.
  • Debate over responsibility: some say the victim clearly erred (answering unknown calls, reading codes, keeping six figures on an exchange); others stress anyone can be phished under enough stress and that Google and Coinbase should add more friction and safeguards.
  • Broader critique that big institutions themselves train users into bad habits by asking for SMS codes over the phone or sending phishy‑looking “secure” links.

Defensive habits emphasized

  • Never trust inbound calls or emails; independently call a known official number or use in‑app channels.
  • Let unknown numbers go to voicemail; use call‑screening features; treat urgency as a red flag.
  • Don’t sync 2FA secrets into the same account that controls your email and SSO, and avoid using a single provider as both password store and second factor.