What is a Google Voice scam?

How the scam works

An overview of how the Google Voice verification scam works in practice (Source: LifeLock)

Numerous reports indicate that the scam tends to start with online transactions. More specifically, when someone is selling items on Facebook Marketplace or answering an online ad about a lost pet.

1. Scammer contact. The seller is approached by a fake buyer who claims they need to verify or confirm the seller’s details before proceeding with the transaction. Less commonly, the roles are reversed and the scammer poses as a seller claiming they’re afraid of being scammed.
2. Verification and deception. The scammer then sends the victim a text message and instructs them to share the verification code. At this point, the scammer has already used the victim’s phone number to start an application for a Google Voice account.
3. Hijacked identity. After the victim hands over the verification code, the scammer completes the setup process and gains control of an account linked to the victim’s phone number.
4. Fraud and other criminal activity. Some scammers will solicit more personal information to impersonate the victim and open other accounts in their name. Others simply sell the numbers to those who do not qualify for one themselves.

Because these steps seem harmless at first—especially if the victim is keen to sell an item or find a lost pet—many victims hand over the verification code before realising it doesn’t serve any actual purpose.

How could these scams be used to target businesses?

Scammers may contact employees and claim they need to verify their identity for a reason that sounds believable at first—perhaps to confirm a job interview, vendor application or transaction.

They then ask to send a Google Voice verification code and convince the employee to read it back. This allows the scammer to hijack the business number for any number of fraudulent schemes such as payment redirection scams, executive impersonation (CEO fraud) and phishing.

In accounts payable contexts, the tactic could be employed to support invoice scams. Some may even follow up with phone calls or texts from what appears to be a company phone number.

To pull off this imitation, hackers use spoofing software that enables calls placed from the Google Voice account to display the victim’s (or a trusted superior’s) real phone number.

The added credibility makes it easier to deceive staff into processing unauthorised payments.

Potential consequences for organisations

When finance or AP staff fall for a Google Voice scam, the broader implications for the business can be severe.

Hijacked numbers may be used to:

• Bypass standard verification controls and leverage the trusted caller ID as a social engineering tactic.
• Redirect return calls or invoice queries to the attacker, increasing the chance that sensitive information or approvals are intercepted.
• Gather internal process intel about the company’s payment cycles or key contacts.
• Damage the company’s reputation through external misrepresentation.

Protective measures

The most effective defence from Google Voice scams is strong security awareness. If anyone is asked to provide a verification code—regardless of the context—it should be treated as a red flag for fraud.

The simple (but often overlooked) instruction that accompanies a standard 6-digit verification code (Source: Aura)

Finance and accounts teams should also keep the following precautions in mind:

1. Verify identities through trusted channels. Be wary of unsolicited contact, especially if verification codes are involved. If someone requests verification under the guise of confirming identity, it’s safest to disengage and validate the request through official channels.
2. Monitor for unusual account behaviour. Stay alert to suspicious activity including unexpected login attempts or strange calls and texts. These can indicate a possible account takeover or that the number is being used to socially engineer fraud.

If a breach is suspected, immediately update all credentials linked to the compromised account and enable multi-factor authentication (MFA) where possible.

Recovering from a Google Voice verification scam

Recovery involves following Google’s support instructions to recover the hijacked account. Victims must enter the number they want removed from a Google Voice account and verify ownership with an OTP.

To help contain the scam, it’s important to make friends, family and coworkers aware of it—particularly if criminals intend to contact known associates. It’s also crucial to respond to the breach as quickly as possible to contain any damage.

In summary

• Criminals exploit a Google Voice verification code to seize control of a victim’s Google Voice number. After which, they may impersonate the victim to carry out illicit schemes or sell the number online.
• The most effective way to combat these scams is to practice good safety hygiene. It is important to never share verification codes with another entity—no matter how convincing their story.
• Those who suspect they’ve had their identity stolen should review account access, apply extra security steps and consult the relevant platform’s technical support for help in reclaiming the compromised account.