The New Wave of Smishing: Defeating the Next Generation of Scams

By Jacob Story, solutions engineering manager, Netcraft

Scams like phishing and smishing aren’t just growing in volume; they’re growing in sophistication. From fake toll bills to customized QR codes, bad actors continue to devise new ways to deceive people. Today’s scams are hyper-personalized, better written and eerily convincing. AI and the massive amount of personal data available today are helping bad actors up their game. Scams are no longer (usually) riddled with some of the old tells, like typos.

That means organizations are under immense pressure to keep up in terms of protection, for both the organization and individuals (customers and employees), at a time when urgency and personalization are being weaponized.

The evolution of smishing and phishing

The earliest recorded phishing attacks date back to the early 1990s, when bad actors targeted AOL users, relying on instant messaging and email to steal passwords and hijack accounts. Smartphones changed the game, giving bad actors a new vehicle – text messages – for luring unsuspecting users into clicking on malicious links or providing sensitive information.

Today, smishing is getting more and more effective, and there are more opportunities for bad actors to use this method as an increasing number of legitimate entities (like banks and other businesses) now use texts to communicate with customers.

Not only are there more “hooks,” but AI is also enabling actors to pull off attacks that are context-aware, more personalized and harder to recognize for what they are. It used to be much easier to distinguish between real and illegitimate emails and texts; one of the biggest ways was to look for typos, spelling errors, and poor grammar. Fake emails and texts were generic, sloppy and easy to dismiss. AI is helping bad actors overcome the typo issue and move much faster. Coupled with the vast amount of personal data that bad actors can easily access or purchase cheaply, they can create far more personalized and nuanced messages. They can automate targeting based on region or demographics. It’s precision targeting.

How bad actors are prospering from available data

Where are attackers getting all of this data? It comes from a variety of sources. That includes public data sources, such as public records like court filings, parking tickets, and property sales. It also includes information that people regularly overshare on their social media profiles. Additionally, there’s the ever-expanding data broker industry, which sells marketing lists that include all sorts of useful details that bad actors can leverage.

Go a little deeper into the dark web, and there’s a treasure trove of information available, some of it stolen from breaches. That includes things like phone numbers, carriers and device types, which can be linked together, as well as information about past purchases, travel bookings and other transactions.

Not only are they armed with valuable information, but today, opportunities for industry-specific exploitation abound. Just look at the rise of toll and DMV scams. These attacks are effective for several reasons. One is personalization; using real events like recent ticket payments or travel adds legitimacy. Weaponized urgency is also quite successful. Bad actors use immediate deadlines and small payment requests. Bad actors also use psychology to prey on fear of legal trouble and account suspension; they also prey on people’s desires to make problems go away quickly.

As mentioned above, generative AI and other AI tools continue to make these attacks easier and faster to execute.

Creating a stronger, better defense

Old strategies can’t keep up in this era of sophistication. New defenses are needed at both the organizational and individual levels. Organizations need to break down silos to create more effective defensive strategies. One approach that has seen success is moving toward the concept of a fusion center, where the fraud team talks to the cyber threat intelligence (CTI) team and the physical security team, so there’s a more cohesive approach.

This is important because attacks often start as an impersonation of an executive, which leads to direct messaging – and that often winds up in the hands of the physical security team, because they’re the ones responsible for executive security. Having a separation between these teams leads to disconnects that allow attacks to slip in.

External partnerships can also go a long way toward breaking down silos, such as sharing data between retailers and their banking partners.

Promoting proactive customer education is another aspect of a strong security strategy. Provide consistent scam alerts and real examples so customers can help defeat – rather than become victims of – these schemes. Teach customers how to verify via official channels, and make it easier for them to report potential scams.

For individuals, it’s important to stay savvy, and organizations need to incorporate the above tips into their training for employees, too. Remind them to verify before acting (like checking the sender’s email address before opening the email) and to limit the public sharing of personal information. Train them to use multi-factor authentication (MFA) whenever possible and to maintain a healthy dose of skepticism; if something seems too good to be true, it likely is.

Defeating today’s threats

Scams like phishing and smishing are growing increasingly sophisticated with the help of not just AI, but the treasure trove of data that’s publicly available today. Modern scams are hyper-personalized and convincing, and scammers are better-equipped than ever to ply their trade. Organizations need new defenses across all systems, including training and awareness for customers and employees. Review your current strategy against the suggestions noted above and adjust as needed to create a more secure digital business environment.
