Losses soar as phishing scams use text and AI
Scammers are now using texts and AI to steal passwords, accounts and Social Security numbers as the newest methods of an increasingly lucrative fraud practice called “phishing,” the Federal Trade Commission (FTC) reported in a media briefing it presented with EMS.
Ben Davidson, an attorney with the FTC Division of Marketing Practices for over a decade, described phishing as “an attempt to steal the consumer’s information, personal information, financial information, passwords,” often in the form of an email-based attack involving, for example, someone “claiming to be from Microsoft or attaching an invoice.”
Although these text- and AI-based innovations are on the rise, the practice of phishing itself is not new. American hackers coined the term as early as 1996, when it appeared in the hacking newsgroup alt.2600. The word derives — with a “ph” substituted for “f,” in homage to the first form of hacking known as phreaking — from “fishing,” analogizing the scam with the practice of throwing “hooks” into a sea of internet users.
As reported losses rise, these forms are evolving and intensifying, particularly in the case of text-based and AI-enhanced phishing.
Although fraud reports themselves have fallen over the last few years, said Davidson during the Sep. 1 briefing, “the amount that consumers report losing is going up — so there may be fewer frauds, but they’re more harmful and consumers are losing more money.”
Per the FTC’s Consumer Sentinel Network, the first half of 2023 saw 1.1 million fraud reports (compared to over 2 million in 2022), with consumers reporting a total $4.4 billion loss.
The highest losses overall are due to scammers contacting people through social media, by which $658 million was reported lost in the first half of 2023. The highest losses per person owe to scammers contacting people through phone calls, by which a median of $1,400 per reporting person was lost.
The top-reported forms of fraud this year have been imposter SCAMS, with losses to business imposters more than tripling from $196 million in 2020, to $453 million in 2021, to $660 million.
Reports of imposter fraud — in which the scammer claims an affiliation with, say, the government, a company, or a loved one in order to convince the consumer to provide personal or financial information — are over twice as common as online shopping, which is the second-most-reported form, followed by prizes, then investments, then job or business opportunities.
Text and AI-based fraud
The FTC has particularly seen a rise in text-based forms of fraud: in 2022, “text message was the leading contact method for fraud complaints,” Davidson said. “That was the first time we saw that from all the ways that fraudsters contacted consumers.”
Text phishing scams often take one of five forms: bank impersonation (the most popular), free gift texts, fake package delivery, fake job recruitment, and texts purportedly from Amazon.
The most unique and elusive development in the rise of phishing losses, however, has been AI-based fraud, most often in the form of family emergency scams.
In these, said Davidson, the scammer uses AI technology to clone the voice of a victim’s family member with a 30-second sound file (often obtained through social media), and call the victim while impersonating this family member: “‘Hi Grandpa, it’s me. I’m in trouble. I need money.’ They say they’re in jail and need money to be bailed out, or they’re traveling abroad and they lost their passport and need money for a plane ticket. Maybe they’re in a car accident … There’s always an emergency. The skimmer also often says ‘Please don’t tell anyone, my parents will be mad at me’ ‘My spouse will be disappointed.’”
“The consumers we talked to who later realized that the person they were speaking with was a scammer and not a loved one a really jarring experience,” he added.
Although AI-based fraud is often more difficult to spot than other forms due to its efficacy, Davidson recommended that those receiving an emergency call from a loved one use “a challenge question to make sure that the person you’re talking to really is who they say they are. It doesn’t need to be anything as fancy as a password arranged ahead of time. If I asked my wife, tell me something about me and convince me you’re you, it should be easy for her to do: ‘What are our kids’ names?’ ‘Who’s our next door neighbor?’ ‘What did we have for dinner last night?’”
A “false sense of urgency” is common to phishing scams more generally, he continued, and to avoid them he advised that consumers look for grammatical errors or strange phone numbers and emails; ask themselves if they expect financial or personal disaster in lieu of an immediate response; block unwanted messages; use multifactor authentication on all possible accounts; independently verify messages by contacting the company the scammer is impersonating; and report the fraud.
“As a consumer protection lawyer … I see fraud everywhere,” Davidson said. “If there is an extraordinarily urgent and someone calls you and asks for money,” taking these measures and “asking these sorts of questions to make sure you’re talking to the person that they claim is a really good idea.”