Adam Mosseri, the head of Instagram, revealed that he nearly fell for a highly convincing phishing attack that appeared to come from Google. The scam, which combined a phone call and a cleverly disguised email, highlights just how advanced phishing methods are becoming, even fooling seasoned tech leaders.
Mosseri shared his experience in a post on Threads, the social media platform owned by Meta.
“Experienced a sophisticated phishing attack yesterday,” he wrote. “Someone with perfect English called from 818-538-7922. They said my Google account was compromised and they sent me an email to confirm my identity.”
The caller, posing as a Google representative, urged him to change his Gmail password — right there during the call — and warned him not to say it out loud.
Fake email, real domains
What made the scam particularly dangerous, Mosseri explained, was that the email appeared to come from a legitimate Google address: [email protected]. The link included in the message led to a page hosted on Google’s domain: https://sites.google.com/view/pendingtickets.
“The email and the form both coming from secure Google domains (via Google products) might have got me if I hadn’t heard from a friend who experienced a similar attack a year ago,” Mosseri added.
Google responds: ‘We will never call you’
After Mosseri flagged the issue, Google Workspace responded on Threads, confirming they had shut down the fraudulent form and website.
“Thank you for flagging—we suspended that form and site yesterday, and we constantly roll out defenses against these types of attacks. As a reminder: Google will never call you about your account.”
Speaking to ABC News, a Google spokesperson emphasized that user safety is a top priority.
“We have deployed numerous protections to keep users safe from this specific attacker and similar phishing methods,” the spokesperson said. “We strongly encourage users to adopt two-factor authentication and passkeys, which provide strong protection against phishing campaigns.”
What experts say you should do
Experts advise users to be cautious of any urgent requests over the phone or via email that ask for login credentials or passwords. Real companies, including Google, will not ask you to click a link or change your password over the phone.
Here are quick tips to protect yourself:
- Look out for urgency: Scammers often try to create panic to make you act fast.
- Check the domain name: A site may say “Google,” but could be a cleverly disguised fake.
- Hover over links before clicking: This can show the actual web address you’re being sent to.
- Don’t click on links in unexpected texts or emails, especially if they request personal information.
Social media reacts
The incident sparked a range of reactions online, some concerned, others sarcastic. On Threads, users were surprised that the head of Instagram doesn’t seem to have a direct line to Google.
“Not the Head of Instagram believing Google calls you on the phone about resetting your password?” one user quipped. A user with a similar experience said, “This is almost identical to the attack I got hit with last summer… my money says same people …”
Another joked, “Adam, I can help you out here. Just need your mom’s maiden name and the street you grew up on.”
Despite the jokes, Mosseri’s experience is a reminder that anyone, even tech leaders, can be a target.