> I asked if I could call back a phone number listed on Google.com and she said sure - this number is listed on google.com and you can call back with your case number, but there may be a wait on hold and I might get a different agent. I googled it and sure enough, it was listed on google.com pages. I didn't call back though.

Emphasis mine.

Also, if a human called me and claimed to be working for Google, I would laugh heartily and hang up the phone. Google doesn’t even have call in tech support, why would they call you for something as banal as a compromised account?

This is about Google Workspace, a higher tier paid account which does include phone support. Equivalent to if someone like your business ISP called you (or someone else who you are a paying customer of, with real phone lines). That being said, it is mentioned that OP doesn't pay for that or Google One.

I am a paying user of Google Workspace, and also run a charity that is a user of Google Workspace with thousands of accounts. The account they were trying to phish was a paid Google Workspace email.

Again, 5 million people fall for phishing. This attack was magnitudes more sophisticated than most. I still get the occasional Nigerian prince scam. They still send them because it still works. Not all of the people who fall for this are stupid. Surely you’ve made mistakes before.

Admitting one mistake doesn't moot the whole incident, nor does it take Google off the hook.

I agree. Easy to Monday morning quarterback opsec but we're human and the best fall for stuff all the time.

A non tech person wouldn't know Google has bad support and is unlikely to call you, that a number and email can be spoofed, etc. And even if 99% didn't fall for it, just 100 calls gets the scammer a victim on average.