This post was last updated on May 23rd, 2023
The nature of spam and phishing attacks are about to change
The last thing we want to hear is that one of our web clients has fallen prey to a phishing attack or online scam. At OlyWeb, we try to educate our clients on what to look out for so they can keep their websites and online data safe. The sad truth though is these attacks are on the rise and are about to become much more sophisticated in their approach.
SlashNext, a leader in cloud and IT cybersecurity, compiled an analysis billions of link-based URLs, emails, email attachments, and mobile and browser channels over six months and found more than 255 million attacks – a 61% increase in the rate of phishing attacks in 2022 compared to the previous year.
With such an increase in attacks as well as the threat of AI and deepfake technology being employed, it’s important as a website owner to be able to anticipate and quickly identify these tactics before you get caught in a scam.
How is phishing different from spam?
NIST (National Institute of Standards and Technology) defines phishing as “A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.”
Spam on the other hand is electronic junk mail. It’s email, text messages, or phone calls sent indiscriminately, unsolicited and in bulk. They’re not personalized to you so they are often more easily spotted. Spam is in essence casting a wide net and seeing who will take the generic bait.
Phishing is a bit more sinister because the person employing the technique has information about you already and usually follows a script or tactic to try to defraud you specifically.
The development of AI and deepfake technology is projected to make all of these attempts more convincing. This poses a threat to all of us whether we consider ourselves savvy to online threats or a novice.
Before we delve into those future possibilities, lets cover some of the scams we see our web clients face most often.
Common Scams Faced by Website Owners
Here are a few common scams we’ve seen clients and even our own staff encounter:
1. “We’ve found malware on your website”:
What it is: A phone call or email with someone saying they found “malware” on your website that needs to be removed immediately. They can even list some accurate information about you or your website. They’ll typically try to get you to divulge login information or try to get you to pay for removal with a pushy, urgent tone.
What you should do: Hang up! Never answer any questions about your accounts or take any actions in response to someone you don’t know. Feel free to reach out to us to confirm the status of your site or accounts at any time.
2. Letters from “Domain Registry” or “Domain Listing”
What it is: A paper letter with a business name like “Domain Registry” or “Domain Listing” as the title. It warns of an “expiration” of your domain or domain listing and offers a way to pay for renewal. It all looks very legitimate and even lists your domain name. If you read the fine print, you’ll see it says something along the lines of “This is not a bill”. There’s other clues like it saying “This is an easy way to switch your domain name registry”. This is a scam!
What you should do: Don’t respond and don’t pay anything. Go directly to your domain name registrar like GoDaddy or Network Solutions to check your domain is current. If you’re not sure where your domain is registered, check with us or your IT contact to verify your domain is current.
3. Emails or calls offering cheap website or SEO services
What it is: Emails or calls offering to “help fix errors on our website” or “help with SEO services” with dramatically discounted rates. Some of these could be legitimate, but many can be scams or just very low-quality vendors.
What you should do: A quick look at the sender can help you spot a scam. If the email or domain is obscure or unrecognizable, don’t respond. You could even research their company online to see if it’s a legitimate business. Whatever you do, never give out personal information to anyone you don’t recognize.
Pro Tip: If you’re not expecting an email or phone call, don’t click and don’t answer!
If you don’t recognize the sender, don’t respond! Never share personal information or click on links or attachments from an unknown source.
If they say they’re a representative of one of your accounts, go directly to that account to check it first.
4. Communications containing links or attachments with malware or viruses
What it is: An email or text that seems legitimate often with a title like “invoice attached” or “voicemail forwarded”. They can even have the name of your organization, your company, or a coworker’s name in the subject or from address.
What you should do: Once again, if you’re not expecting it, don’t click and don’t answer! Double-check the sender’s email or phone number. If it’s not familiar, don’t interact with it. You can reach out to your IT person to check the authenticity of the message.
The Future of Spam: AI and deepfake techniques
What do we mean when we say AI?
The type of AI (Artificial Intelligence) that we’re referring to when talking about spam and phishing is specifically one that uses a Large Language Model to create human-like responses. There are many other types of AI technology but this is currently the most high profile development in AI to date.
The most popular implementation of this type of AI also referred to as “generative” AI is OpenAI‘s ChatGPT. ChatGPT is an AI language model that learns from a large dataset to generate text-based responses. Since its ‘dataset’ was large swaths of the internet, it can create a seemingly endless array of well-worded responses on almost any subject. It’s described as a chat bot as the main way users interface with it is with text prompts that the AI responds to.
Although scammers most likely wouldn’t be able to use ChatGPT specifically for large scale spamming, there are other open-source models that produce similar results and could be customized for nefarious purposes.
What will AI-generated scams look like?
Most scams today are easy to spot as they often have broken sentence structures, garbled or generic messaging, or just inaccurate information. Those days may be numbered as generative AI is employed to aid these attacks.
As reported by WIRED, Singapore’s Government Technology Agency ran an experiment in which they sent targeted phishing emails to 200 recipients. One message was human written and one created by AI. They found more people clicked links in AI-generated messages by a significant margin.
AI has the ability to increase the sophistication and effectiveness of these attempts by leveraging wide-scale machine-learning algorithms to tailor messaging as well as adapt to current events and societal trends. That learning combined with the improvement in natural language generation could make for some very convincing messaging to unsuspecting recipients.
Here are some examples of how AI could be used in scams:
- Spear phishing: AI can be used to analyze a person’s public persona including social media profiles and public records to craft a convincing message. These attempts typically try to get the recipient to divulge sensitive information or take malicious actions.
- Adaptive Spamming: AI algorithms can be created to generate naturally worded emails and then automatically adjust the language and format if any of the messages are blocked by spam filters. It can also learn what messages are most effective and continually optimize its performance.
- Catfishing: AI could be employed to help create a fake persona on a social network with the goal of deceiving a specific person into sending money, divulging sensitive information or other harmful actions.
- Chatbot interactions: these could come in the form of a text or email that once responded to answers in a human-like voice although it’s an AI generated response. This can make mass spam texts and emails easier to implement to reach a larger audience and defraud more people.
What is a deepfake?
A deepfake is when someone uses technology to create a voice or video emulation of another person with the intent to deceive. Although most recent examples have been for entertainment value, the technology has the capability of truly misleading people on a mass scale in the future.
Although not commonly used in spam or phishing yet, this type of scam is projected to become more prevalent over the next 5 to 10 years.
How could deepfakes be used in spam or phishing attempts?
In December 2022, CBC News reports, a family in Canada fell prey to a deepfake phone scam. The scam used an emulation of their son’s voice to defraud the family of $10,000. The emulated voice said he was in jail and the only way out was posting bail to a “court representative”. The family was frantic and paid the money only to find out it was an elaborate plot to extort money.
Using online video or audio of a loved one, friend, or work associate, they could develop a convincing voice or video emulation that could be highly effective on the unsuspecting. They would typically use an urgent tone to keep them from questioning the scenario. This could be used to extort money or get the recipient to share personal information.
Experts project this technology will become easier for scammers to use over the next few years. Although this may seem outlandish, everyone should be prepared for the possibility it could become a reality in the next few years.
How should you respond if you think you could be the recipient of spam or a phishing attempt?
Confirm the source. If something feels off about a call, text message, or email, take the time to verify that they’re really who they say they are. Pause the communication and then contact the person they say they are directly at their known number or email.
Don’t respond. Don’t be pressured to take actions that could cause you or others harm especially if something feels off about a communication. Always take the time to verify the source.
We hope this overview of common scams, phishing attempts, and developing technologies helps you navigate this ever-changing online terrain. Although some of these scenarios may seem far-fetched it’s important to keep yourself and those close to you informed so they don’t fall prey to any of these tactics.