Google takes action after coder reports 'most sophisticated attack I've ever seen'
Google says it's now hardening defenses against a sophisticated account takeover scam documented by a programmer last week.
Zach Latta, founder of Hack Club, told of how close he was to succumbing to voice phishers who attempted to take over his Google account.
He said: "Someone just tried the most sophisticated phishing attack I've ever seen. I almost fell for it. My mind is a little blown."
The scammers called Latta, who's based in Vermont, USA, claiming the Google Workspace team spotted an unusual login attempt from Frankfurt and that he needed to reset his account password.
The call came from 650-203-0000 (a genuine number associated with automated Google Assistant calls) and carried a "Google" caller ID. The scammer used the name Chloe and spoke with an American accent over a crystal-clear-sounding line. Aside from the oddity of Google initiating the call, everything about it seemed legitimate at first.
Latta remained suspicious, though, and asked for a genuine email from a Google domain to confirm the call's authenticity. That email arrived from an unspoofed workspace-noreply@google.com address. When he then asked whether he could call the number back, Chloe seemed unfazed and said "sure," and that confidence was enough that Latta never actually did.
The scam started unraveling after Chloe's manager, "Solomon," another American-accented individual, took over the call and gave information that conflicted with what his colleague had said. One thing working in the scammers' favor was that Solomon could provide the genuine 2FA number-matching code that appeared on Latta's device.
To a non-techie, that alone would likely have been enough to convince a victim that a genuine Google staffer was on the line, but Solomon's encouragement to press the right number was the final red flag that confirmed this was a scam.
"The thing that's crazy is that if I followed the two 'best practices' of verifying the phone number and getting them to send an email to you from a legit domain, I would have been compromised," Latta wrote.
"I understand how they were able to spoof the 'Google' phone call through Google Assistant, but I have no idea how they got access to important.g.co [since] g.co is a legitimate Google URL.
"[I was] literally one button press from being completely pwned. And I'm pretty technical!"
The use of g.co is crucial here. The scammer creates a Google Workspace on a g.co subdomain. g.co is a genuine Google-owned domain, and anyone can create a new Workspace on a g.co subdomain without having to verify that they own it.
The scammers then create an account for the victim inside that Workspace and trigger a password reset email which, as is normal for any Workspace account, is sent by Google itself.
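As an added illustration (not from the article or from Google), the check below shows why a genuine sender address is not enough: it trusts mail from workspace-noreply@google.com only when the account the notification refers to lives on a domain the recipient actually owns, and flags anything on a g.co subdomain. The mail bodies, the hackclub.example tenant and the assumption that a reset notification names the account's Workspace domain are all constructed for the example.

```python
# Added example: triage a Workspace password-reset notification so that an
# authentic google.com sender does not by itself earn trust.
import re
from email import message_from_string

TRUSTED_SENDER_DOMAINS = {"google.com"}
# Domains this recipient actually owns or is a Workspace member of (constructed).
MY_WORKSPACE_DOMAINS = {"hackclub.example"}


def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if unparseable)."""
    m = re.search(r"@([\w.-]+)>?\s*$", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def referenced_domains(body):
    """Hostnames / mail domains mentioned in the body, minus Google's own."""
    hosts = set(re.findall(r"\b((?:[\w-]+\.)+[a-z]{2,})\b", body.lower()))
    return {h for h in hosts
            if not any(h == d or h.endswith("." + d) for d in TRUSTED_SENDER_DOMAINS)}


def triage(raw_mail):
    """Return ('ok', []) or ('suspicious', [reasons]) for one raw message."""
    msg = message_from_string(raw_mail)
    findings = []
    if sender_domain(msg) not in TRUSTED_SENDER_DOMAINS:
        findings.append("sender is not a google.com address")
    for host in sorted(referenced_domains(msg.get_payload())):
        if host == "g.co" or host.endswith(".g.co"):
            # Anyone can create an unverified Workspace on a g.co subdomain.
            findings.append(f"account lives on g.co subdomain {host}")
        elif host not in MY_WORKSPACE_DOMAINS:
            findings.append(f"account domain {host} is not one of ours")
    return ("suspicious" if findings else "ok"), findings


# Constructed sample: genuine sender, but the account sits on an attacker's g.co tenant.
SCAM_MAIL = """From: Google Workspace Team <workspace-noreply@google.com>
To: zach@hackclub.example
Subject: Reset your password

An administrator has requested a password reset for your account
zach@important.g.co. Use the code below to continue.
"""

# Constructed sample: same sender, account on a domain we really own.
LEGIT_MAIL = SCAM_MAIL.replace("zach@important.g.co", "zach@hackclub.example")
```

Running `triage(SCAM_MAIL)` yields a "suspicious" verdict naming important.g.co, while `triage(LEGIT_MAIL)` comes back "ok".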
A Google spokesperson told The Register: "We've suspended the account behind this scam, which abused an unverified Workspace account to send these misleading emails.
"We have not seen evidence that this is a wide-scale tactic, but we are hardening our defenses against abusers leveraging g.co references at sign-up to further protect users."
As a reminder, Google will not call users to reset their passwords or troubleshoot account issues, so feel free to treat any incoming calls as the garbage they are.
Posted on: 2/1/2025 6:56:02 AM