Beware the cyber Grinches: AI-enabled criminals plot to steal Christmas
Generative AI is being harnessed by cyber criminals to enhance their social engineering efforts, making them more convincing than ever before. According to Doros Hadjizenonos, regional director at cybersecurity specialists Fortinet, this could pose a significant threat during the festive season shopping rush.
The use of free generative AI tools, such as ChatGPT, allows cybercriminals to create phishing emails that appear completely legitimate. Additionally, they have improved their abilities to create highly believable email addresses and replicate corporate branding with impressive graphic design skills. According to Hadjizenonos, the days of easily identifiable malicious emails with poor grammar and low-quality images are now over.
“Thanks to generative AI, you can input your version of a mail and it spits out a perfectly crafted email. You can even prompt the AI to write the mail as if it came from a certain type of person in a particular role, so the risk to users is higher than before. Anyone can be fooled,” he warns.
Phishing is still a highly effective method used to target victims, with the intention of either stealing their money, tricking them into sharing personal information or infecting their devices with malware.
When to beware
The excitement around festive season shopping and holidays adds to the risk posed by well-crafted phishing emails. Cybercriminals take advantage of users’ emotions and create a sense of urgency to trick them into clicking on links or sharing sensitive information.
“For instance, they may send an email that appears to be from a familiar retailer, offering a limited-time special offer or claiming to address a problem with an order. Users are more likely to click on the link in such emails,” says Hadjizenonos.
Tactics cyber criminals use include claiming the victim’s bank account has been compromised, offering incredibly low prices, or claiming to have updates about the victim’s holiday travel plans.
FortiGuard Labs cites a holiday-themed phishing example that takes advantage of people’s interest in the holidays, leading to malware infection and further exploitation. In one, fraudsters disguise the email to look like it came from a jewellery shop in Dubai. The mail asked for prices and availability of jewellery for Christmas and came with attachments containing executable malware.
Hadjizenonos says: “Other scams include fake delivery notifications. Don’t trust these emails or direct messages and don’t share personal information with people asking for it via SMS. If you are expecting a delivery, go directly to the retailer or courier site and track your order there.”
Cybercriminals also use holiday season excitement to misdirect shoppers to fake e-commerce sites, where they can harvest credit card information or simply accept payment for non-existent goods.
“It’s not rocket science to copy a website. You get apps that can download the entire front end of a site, so what shoppers see looks like a legitimate retailer. They need to check the URL carefully, looking for the padlock icon and the HTTPS prefix on the URL.”
Stepping up safety
Caution is crucial, Hadjizenonos says. “If you have any doubts about the legitimacy of digital communications, be extra cautious. Don’t just click on links, or share your ID number or bank account details.”
It is especially crucial to educate children about the dangers of scams and social engineering, he says, emphasising that if children have access to their parent’s credit cards, they can become victims of scams through social media and games.
To be safer online, everyone should have up-to-date security on their devices, connect via secure Wi-Fi networks, and use strong passwords. “It’s important not to repeat passwords,” Hadjizenonos says. “I always recommend using a password manager, which generates a long random password for every site and stores it securely. You only need to remember one strong password to access all your passwords.”
He adds that what people post on social media can also give criminals information to use against them. “For example, if you post that you are excited about an upcoming trip, a criminal could easily target you, claiming to be from the airline and sorting out your tickets.”
To help people understand cyber-attack methods and what to look out for, Fortinet offers free cybersecurity training, which includes broad cybersecurity information made easily understandable.