In order to facilitate the attack, they're using Google Cloud Monitoring to send the victim a convincing email from the google.com domain such that it passes Gmail's SPF email checks.
The attacker first phones the victim, claiming that they're checking about a primary phone number change or something. They then send the alert email above to "authenticate" themselves before they initiate a password change, where they ask the user to complete the verification check on their device. They will tell the user what number to confirm. After the victim does that, it's game over.
Anyways, I hope no one I know falls victim to this attack.
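A mail-triage check for the pattern described above, as an added example that is not part of the original post: it flags a google.com alert-service message whose text talks about account security, and notes that its SPF pass says nothing about who wrote the content. The sender local part in `ALERT_SENDERS`, the keyword list, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: local part of the alerting service's sender address; set it to
# the sender shown on the alert email you are triaging.
ALERT_SENDERS = {"alerting-noreply"}
# Wording an infrastructure alert has no reason to carry (constructed list).
LURE_WORDS = re.compile(r"phone number|password|verification|recovery|sign-in", re.I)

def triage(raw):
    """Return the reasons a message deserves a second look (empty list = none)."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    addr = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = addr.partition("@")
    spf_pass = re.search(r"\bspf=pass\b", auth) is not None
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    reasons = []
    if domain == "google.com" and local in ALERT_SENDERS:
        hits = sorted({m.lower() for m in LURE_WORDS.findall(text)})
        if hits:
            reasons.append("alert-service sender with account-security wording: "
                           + ", ".join(hits))
            if spf_pass:
                reasons.append("spf=pass only shows Google's servers sent it, "
                               "not who wrote the text")
    return reasons

# Constructed sample: an alert whose attacker-chosen text imitates a security notice.
SAMPLE_LURE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com
From: Alerts <alerting-noreply@google.com>
Subject: Alert: primary phone number change

Verification pending. Confirm the number shown on your device.
"""

# Constructed sample: an ordinary infrastructure alert from the same sender.
SAMPLE_BENIGN = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com
From: Alerts <alerting-noreply@google.com>
Subject: Alert: CPU utilization above 90%

VM instance web-1 exceeded the configured threshold.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```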