There’s a New and Potentially More Dangerous Arrow in Cupid’s Quiver
Julia Weifenbach
It’s Valentine’s Day and love is in the air. Flowers, candy, cards and dinner are some of the classic ways we show our love on this day. But as an increasing number of people look for love online, it’s a good time for a reminder that more people lose more money in online romance scams than in any other fraud category. According to the FBI, over the past five years $1.3 billion in losses have been reported, with annual losses skyrocketing since the pandemic.
There are lots of places cyber criminals lurk to lure people into romance scams and the consequences are often financially and emotionally devastating. Often, they start on dating sites or apps. But more than a third of people who reported losing money say they fell for a “romance” that started on social media. With the release of ChatGPT to the public late last year, now we can expect the emergence of online “love letters” in the form of posts and phishing emails that are even more convincing.
Researchers have already found evidence of cyber criminals abusing ChatGPT capabilities for fraudulent activities, including creating and selling fake content, standing up Dark Web marketplaces to sell illegal or stolen goods, and recreating malware strains and encryption tools. We already know that scammers use social engineering to tailor their messages to specific targets. But often their social media posts and emails include telltale signs that have you doubting the authenticity – misspellings, poor grammar, and awkward phrases.
ChatGPT eliminates those problems through the use of machine learning and AI and levels the playing field for cyber criminals with poor writing skills. As discussed in our 2023 predictions blog, with ChatGPT it’s fairly easy to generate accurate, conversational emails and messages that fool humans and evade straightforward spam filters. It’s not a stretch to think that bad actors could use the tool to refine their phishing scams, make them appear more authentic, and engage in realistic dialogue.
Once they have gained the target’s trust, cyber criminals go after financial gains. They may try to trick their target into clicking through to a website on the pretext of wanting to share something with them, when the website actually includes malware. They may ask for personal information under the ruse that they are sending their “love interest” a surprise. Or they may ask for money or a gift card to cover expenses to come for a visit.
So, what can we do to make Valentine’s Day less sweet for threat actors? While relying on spelling and grammatical mistakes to tip us off won’t be as effective if the threat actor is using ChatGPT to craft their message, many of the other traditional techniques for detecting phishing emails hold true:
- Instead of rushing through emails, be mindful of what you are receiving and from whom and think before you click.
- Hover over the email address or links to see if they resemble legitimate addresses.
- If in doubt as to the legitimacy of an email, don’t click on any links and delete it.
- Never respond to an email, text or call with your personal data.
- Be wary if a relationship seems to be moving too fast as scammers often try to create a sense of urgency.
- Just because an interaction progresses to the phone doesn’t mean the relationship is legitimate. This is often a follow-on technique to try to gain more trust and exert more pressure.
- Refuse requests for gift cards. There are no legitimate reasons to give someone else a gift card as part of any legitimate transaction, especially to someone you don’t really know. Unlike credit cards, gift cards are easy to acquire, have no consumer protection and are impossible to trace, so you can’t get your money back.
- Take advantage of resources from government agencies and reliable security publications to educate yourself on what to watch for and what to do if you suspect a scam or have already fallen victim.
Threat actors are getting more and more crafty, and their pool of victims continues to expand with our level of online activity. Help spread the word to coworkers, family and friends about the heightened risk from phishing scams and how to avoid falling victim, not just on Valentine’s Day, but every day.