Have you ever received a text from an unknown phone number simply saying “hi”? Do you get so many spam and scam phone calls these days that you let every call from an unknown number go to voicemail just to see if they leave a legitimate message? This is particularly frustrating for those who are expecting important calls that may come from numbers that are not on their contact list, such as medical referrals. Maybe I’m alone, but I don’t think so. In 2023 it’s necessary for us all to be connected and it’s increasingly important to protect ourselves from scams. This week we’ll examine common scam techniques, how to spot them, what to do when you get suspicious contacts, and ways AI may be tied into all of this.
“The hacker didn’t succeed through sophistication. Rather he poked at obvious places, trying to enter through unlocked doors. Persistence, not wizardry, let him through.”
Clifford Stoll, The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage
Common Scams
Everyone has encountered annoying spam in the form of junk mail, advertising emails, and unwanted telemarketing calls. Some of it is little more than an annoyance, and your email junk filter and a call-filtering app may do a decent job of at least reducing the volume of unwanted calls and emails. However, with an estimated 3.4 billion phishing emails sent daily around the world,[1] some are bound to get through, and those are potentially more than a simple nuisance. Let’s start with phishing emails.
Phishing
A basic phishing email is designed to look like legitimate email, usually from a well-known company or government agency, and to get the recipient either to click a malicious link (hidden behind an image or hyperlink text) or to open a malicious attachment. The link may lead to a spoofed website that looks remarkably similar to the login page of the real one, with the goal of having the user enter their credentials. If the ruse succeeds, the scammer has access until the user realizes the error, changes the password and, where the service offers it, signs out all other sessions; changing the password alone does not always end a session that is already logged in. That access can expose a lot of non-public personal information, and if the unfortunate victim reuses the same password across sites, the scammer can try it against other services to compromise additional accounts. Perhaps more insidious is the malicious attachment. Opening one may run an executable, or a document with embedded macros, that installs malware on the victim’s computer. Installing an application normally requires several confirmations from the user, including operating-system prompts asking whether you really want to run or install the program; treat those prompts as a last chance to stop, not a formality. Once malware is on a device, the attacker can do anything from keylogging to collecting logs of your activity to, in some circumstances, taking outright control of the device. It is critically important not to install unknown applications on a device. More about what you can do to stay safe later in the article.
Smishing
Emails are not the only way that fraudsters phish for victims. Text message scams are increasingly common and have earned their own moniker, “smishing”, a portmanteau of SMS and phishing. The aims are the same as with phishing emails: get the target to click a link that takes them to a malicious website and trick them into revealing sensitive information such as passwords or financial details. It may start with a message from an unknown number saying “hi” or “hey, this is (name you don’t recognize), how have you been?”. As with most of these scams, the sender is looking for a response and will then use social engineering tactics to work toward the end goal of harvesting sensitive information or getting the victim to install malicious software. You may also see similar attempts via social media messaging, such as a message from a friend’s or relative’s spoofed or hijacked account saying “I can’t believe this happened! [malicious link]”. These can, unfortunately, be more effective because they appear to come from a trusted source. If a message on social media seems out of character for your friend, contact them through a separate channel, such as a text or phone call, to verify it; you might just save them and others from becoming victims. In short, if you don’t know the sender or something feels off, ignore the message.
Vishing
The last of the common scam types is the phone call. For some reason this also has its own moniker, “vishing”, a portmanteau of voice and phishing. One would think phone phishing or… phishing would suffice, but vishing it is. We have likely all received, or at least heard about, IRS and law enforcement scams in which an unsolicited caller tells the called party that they are behind on tax payments or have a warrant out and must stay on the line lest there be consequences. Again, social engineering is at play, with the caller trying to evoke emotions, commonly fear, to control the victim and extract personal and financial information or gain access to their devices. Arguably the most terrifying of these is the voice cloning, or impersonation, scam.[2] These are essentially the grandparent, aka family emergency, scams of yesteryear refreshed with AI voice cloning. The grandparent scam is typically a call, text, or email impersonating a grandchild who has been arrested and needs bail money, or something similar. In the voice cloning version, the scammer has cloned a loved one’s voice, typically from videos posted to social media or some other short clip, and can make it sound as though the victim’s loved one is in the room with them, like this kidnapping scam. What better way to create a fear response? Receiving such a call would be horrifying, but it is important to keep a level head and try to reach the person another way, by text message or by having a bystander call their phone; the scammer will typically insist that you stay on the line precisely to prevent that. It may help to know that kidnapping by strangers is rare: Reuters reports that approximately 0.1% of missing-juvenile reports are attributed to abduction by a stranger.[3] Scammers play on fear, and knowing their tactics and how to respond may help you avoid becoming a victim of fraud.
Red Flags
Knowing the common scams may be enough to identify them, but knowing the red flags to watch for should make it even easier.[4] In the case of emails, ask yourself some questions. Was I expecting this email? If not, be extra cautious. Do I recognize the sender? Look at the actual email address of the sender, not just the name displayed next to it. If the email is made to look like it came from Geek Squad but the sender’s address is on gmail.com or any domain other than bestbuy.com, it’s phishing. The reverse does not hold: a From address can be forged, so a matching domain is not proof that an email is genuine. Is this email asking for personal, financial, or sensitive information? Legitimate businesses don’t do this; in fact, businesses regularly tell clients they will never do this. If you are doing business with a company, especially a financial institution, it already has your information and has an interest in keeping it safe. Does it sound too good to be true, or preposterously bad? I’m sorry to say it, but you probably did not just come into a massive windfall from a sweepstakes you didn’t know you entered, and the IRS or law enforcement is not going to serve you via email. Does the email say I need to make a payment? Open the company’s website yourself, by typing the address or using a bookmark rather than following the email’s link, log in there, and check whether anything is actually due. Where does the link really go? On a computer, hovering over a link shows its actual destination, which often differs from the text displayed. Are there typos, grammatical errors, or odd formatting? Businesses and government agencies usually have carefully curated email templates, so if it looks strange, it probably is. The opposite is not reassuring, though: a polished, error-free email can still be a phish.
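The sender-address and link checks described above can be automated. The following Python script is an added example written for this article, not code from the original newsletter or from any vendor: using only the standard library, it parses a constructed sample message (not a real phishing email), compares the brand named in the From display name against the address’s actual domain using an assumed brand-to-domain lookup table, flags hyperlinks whose visible text shows one domain while the href points to another, and flags attachments with executable extensions. Note that it only catches mismatches: a From address that does match is not, by itself, proof of legitimacy.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lookup table: brands a phisher might impersonate and the domain legitimate
# mail from that brand would come from. A real deployment would use a larger list.
BRAND_DOMAINS = {"geek squad": "bestbuy.com", "best buy": "bestbuy.com"}

# Attachment extensions that run code when opened (a small, illustrative subset).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso")

# Matches visible link text that looks like a URL or bare domain, capturing the host.
_DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)

# Constructed sample message (not a real phishing email): the display name claims Geek
# Squad but the address is at gmail.com, the link text shows bestbuy.com while the href
# goes elsewhere, and the "invoice" is an executable hiding behind a double extension.
SAMPLE_MESSAGE = """\
From: Geek Squad Billing <geeksquad.billing.team@gmail.com>
To: customer@example.com
Subject: Your plan renewal - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your membership renewed for $349.99.</p>
<p>Cancel at <a href="http://bestbuy-support-center.example/cancel">www.bestbuy.com/cancel</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"

ZmFrZQ==
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels (ignores suffixes such
    as co.uk; good enough for this demonstration)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def host_shown_in_text(text):
    """Return the host a link's visible text claims to point at, or None if not URL-like."""
    match = _DOMAIN_RE.match(text.strip())
    return match.group(1).lower() if match else None


def red_flags(raw_message):
    """Return a list of human-readable red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []

    # Red flag 1: the display name invokes a brand but the address is on another domain.
    # A matching domain proves nothing on its own, since From can be forged; that is
    # what SPF/DKIM/DMARC checks at the receiving mail server are for.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable(address.rsplit("@", 1)[-1]) if "@" in address else ""
    for brand, expected in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain != expected:
            flags.append(f"sender claims to be '{display_name}' but the address is "
                         f"@{sender_domain}, expected {expected}")

    for part in msg.walk():
        # Red flag 2: an attachment that would execute when opened.
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"executable attachment: {filename}")
        # Red flag 3: link text shows one domain while the real href points to another.
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                actual_host = urlparse(href).hostname or ""
                shown_host = host_shown_in_text(text)
                if shown_host and registrable(shown_host) != registrable(actual_host):
                    flags.append(f"link text shows {shown_host} but points to {actual_host}")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_MESSAGE):
        print("RED FLAG:", flag)
```

Run as a script it prints the three flags found in the sample; `red_flags` can be pointed at any `.eml` file read as text. The same three checks are, in simplified form, what a mail gateway’s phishing filter does before the message ever reaches you.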
When it comes to text messages, the red flags are similar and usually easier to spot. Did the message come from a number you don’t know? If so, you’ll see a phone number instead of a name on the text thread. It’s possible your friend’s number changed, but double-check that another way before interacting. Is there a link in the message? Don’t follow links in text messages unless they come from a contact, and even then be wary if the message is out of character, since sender numbers can be spoofed and a friend’s phone can be compromised. Is the message sensational or requesting personal information? Again, a legitimate company will never request personal information or payment via text message.
Phone calls may be a bit easier to avoid by simply letting them go to voicemail. Scam calls often don’t leave a message, or leave a bit of dead air in your inbox. If you do pick up and there is a delay before you hear the caller speak, that likely indicates a scam call: fraudsters use automated dialers to cast a wide net, and only once a call is answered does the system connect a live fraudster, so that second-long delay is a telltale sign. Keep in mind that caller ID can be spoofed, so a number that looks local or familiar is not proof of who is calling. Is the caller being pushy? Legitimate businesses will not do this. Speaking from personal experience, clients have occasionally told me they weren’t expecting the call and would prefer to hang up and call a known number, and I have never objected; I’m happy my clients are security conscious. A legitimate business will say that’s fine, call a number you know and ask for Joe in department X. A pushy caller is almost certainly a fraudster. Is the caller asking you to provide sensitive information? Again, businesses you work with, and government agencies, already have that information and will not ask you to provide it. Is there a bad connection? Sometimes bad connections just happen; other times they are used to mask a voice. Use caution.
What to do
First, do not interact with suspicious contacts. Don’t open the email or text; simply delete it and block the sender.[5] You may even consider turning off “read receipts”, which tell the sender whether the message was read and thereby confirm that the phone number or email address is active and worth targeting again. If you realize it’s fishy after you’ve already opened the text or email, don’t click any links, pictures, or attachments. Delete and block. If you realize your error after clicking a link or attachment, you may be lucky enough to get a confirmation prompt such as “are you sure you want to open the attachment?” and can back out at that point. If you already downloaded an attachment, don’t open it! Delete it and consider running a security scan to ensure no unwanted programs are on your device. If you typed a password into a page you now suspect was fake, change that password right away, change it on any other site where you reused it, and turn on multi-factor authentication for those accounts. Certainly, do not install any application from an unexpected email. If you receive an email from a provider you recognize suggesting a software update, ignore any links in the email and instead go directly to the provider’s website or application to download and install updates. When in doubt, contact the provider through known channels to verify legitimacy and report suspected fraud. Never call phone numbers provided in unexpected or suspicious messages.
Report Phishing Attempts
If you’re at work, there’s a good chance your organization has a protocol for reporting suspicious contacts, but at home many people don’t have the same tools. Fortunately, the Federal Trade Commission (FTC) has a few recommendations.[6] You can forward suspected phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org. You can forward suspected phishing text messages to SPAM (7726). You can also report phishing attempts to the FTC at reportfraud.ftc.gov. Reporting helps build a database that makes counter-cybercrime efforts more effective. If you think you may already have been the victim of a phishing attack, check identitytheft.gov for a checklist of action steps. For our clients, please reach out and let us know so that we can offer guidance and ensure the security of your accounts. Being the victim of fraud or identity theft can be embarrassing and painful, and although statistics on non-reporting are effectively impossible to compile, it is generally understood that fraud and identity theft are underreported. There’s no shame in being a victim. Fraudsters rely on people’s hesitance to report to keep doing what they are doing. Acting quickly may help minimize the damage of identity theft.
Take Steps to Prevent Fraud and Identity Theft
While living in a connected world will always mean scammers and fraudsters, there are many things you can do to improve your security online. Set up multi-factor authentication (MFA), sometimes also called two-factor authentication (2FA). This is that annoying process of having to check a text message or authenticator app every time you log in to a website from a new device or location. Tedious as it is, it is far more secure: it can stop a fraudster who has your password from getting into the account, and it can alert you that your credentials have been compromised. If you receive an MFA code or approval prompt and you haven’t just tried to log in, someone else probably has your password; decline the prompt, never read the code to anyone who calls asking for it, and change the password for that site. If you don’t like text message codes, consider using an authenticator app, which generates the codes for you and refreshes them every 30 seconds, all in one place on your phone. App-generated codes also cannot be intercepted by a scammer who has hijacked your phone number (a so-called SIM swap), which is a known weakness of codes sent by text.
Consider using a password manager. There are many available, and they provide an encrypted, password-protected vault for all your passwords. While that does mean all your passwords are in one location, you can set up MFA on the password manager for additional security, and the benefits are considerable. For one, reusing the same password is a big security risk: if a fraudster gets hold of your password and starts trying it on other accounts (a technique known as credential stuffing), one compromised site can quickly become many. It is hard to come up with a unique password for hundreds of different websites, but a password manager can randomly generate strong passwords and then “remember” them for you. Some password managers offer additional services such as anti-tracking, one-time-use card numbers, and alerts when a registered email address shows up in a data dump. Opinions vary among security professionals when it comes to password managers, so do some research if you decide to use one.[7] If you prefer not to use a password manager, make sure you have good password practices: use unique login credentials and strong passwords, never tell anyone your username and password, and be careful about if and where you write this information down.
Try to reduce the potential of falling victim to a scam. Unsubscribe from unwanted emails. The less cluttered your inbox, the easier it will be to spot something suspicious. Block suspicious senders and check your email security settings to determine if and how it filters suspected phishing messages. Multi-factor authentication is especially important for email accounts since they can be used for MFA on other sites or to reset passwords. A scammer gaining access to your email can quickly gain access to much more. Set up a call blocker app, report and block unwanted callers. When in doubt, don’t answer the phone. If you do pick up and something feels off, hang up. Consider removing personal information from social media accounts and people search sites. The less your information is out there, the harder it will be for scammers to find your phone number and email address to target in the first place. There are services which will remove your information from data broker and people search sites or you can do it yourself for “free”, but that will cost you time. Consumer Reports provides a handy reference in this article of both the DIY option and paid services. As for social media sites, take the time to review what information you are sharing, remove information you’d rather not share, and check your privacy settings to make sure only confirmed friends and family can see most data.
Is AI to Blame?
Well, no. There is a human somewhere in the chain driving these phishing attempts. However, generative text and image AI and AI-powered voice cloning are certainly tools that cyber-criminals use in their schemes. Think like a fraudster for a moment. Rather than manually writing a body of text or creating an image to fool a victim, generative AI can produce convincing text with no spelling or grammatical errors, in any language, in seconds. A fraudster can feed it legitimate emails from the spoofed company to make the result even more convincing, or refine previously successful emails for greater effect. In fact, Singapore’s Government Technology Agency ran a spear-phishing experiment and found that AI-generated spear-phishing emails were more effective than those written by humans.[8] Spear-phishing is a phishing email specifically targeting an individual; think of phishing as throwing out a fishing net and spear-phishing as, well, spear fishing. AI tools can certainly help cybercriminals be more successful, but they can also be used to combat phishing. For instance, machine-learning models can be trained on phishing emails and used to recognize them for more effective filtering. AI can also be used in other security tools to detect a hijacked machine and limit the damage if fraud gets that far. AI is simply a tool that can be used by criminals and for personal security alike. Unfortunately, it is usually the case that criminals innovate and create new ways to exploit vulnerabilities while security services react.
Conclusion
Since cyber-criminals, scammers, and fraudsters are constantly innovating and technology is ever evolving, it is as crucial as ever to take responsibility for our own online security. It is important to practice good security habits, to monitor online accounts, particularly social media which can advertise our personal information, and to keep contact information and security settings up to date so we can be alerted to suspicious activity. Although it isn’t the most exciting subject to read about, or perhaps may cause some anxiety, it is important to stay informed about developments in cybersecurity and fraud. Stay safe out there.
Disclosures
This newsletter may include forward-looking statements. All statements other than statements of historical fact are forward-looking statements (including words such as “believe,” “estimate,” “anticipate,” “may,” “will,” “should,” and “expect”). Although we believe that the expectations reflected in such forward-looking statements are reasonable, we can give no assurance that such expectations will prove to be correct. Various factors could cause actual results or performance to differ materially from those discussed in such forward-looking statements. Views regarding the economy, securities markets or other specialized areas, like all predictors of future events, cannot be guaranteed to be accurate and may result in economic loss to the investor. Investment strategies, philosophies, and allocation are subject to change without prior notice. This newsletter is intended to provide general information only and should not be construed as an offer of specifically tailored individualized advice. While H&R believes the outside data sources cited to be credible, it has not independently verified the correctness of any of their inputs or calculations and, therefore, does not warranty the accuracy of any third-party sources or information.
[1] https://aag-it.com/the-latest-phishing-statistics/
[2] https://consumer.ftc.gov/consumer-alerts/2023/03/scammers-use-ai-enhance-their-family-emergency-schemes
[3] https://www.reuters.com/article/us-wisconsin-missinggirl-data-idUSKCN1P52BJ
[4] https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams#recognize
[5] https://consumer.ftc.gov/consumer-alerts/2023/05/have-you-been-getting-scammy-text-messages#
[6] https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams#recognize
[7] https://www.tomsguide.com/us/password-manager-pros-cons,news-19018.html
[8] https://www.wired.com/story/ai-phishing-emails/