The golden age of scammers: AI-powered phishing

I'm kind of amazed how slow 'AI phishing' has been to roll out.

The technology for customised text based attacks at scale has been available at least since Llama was open sourced. The tech for custom voice and image based attacks is basically there too with whisper / tortoise and stable diffusion - though clearly more expensive to render. I'm honestly not sure why social networks aren't being leveraged more to target and spoof individuals - especially elderly people.

Tailored attacks impersonating text or voice messages from close contacts and family members should be fairly common, and yet they're not. Robo-calls that carry out a two way conversation convincingly impersonating bank or police officials should be everywhere. Yet the only spam-calls I ever receive are from Indian call centres or static messages using decades old synthesised voice tech.

> Is it your fate now to do due diligence on every email you receive?

Always has been.

Tbh the browser/email client makers are complicit in these phishing attempts for hiding the URLs and the actual email addresses.

Put them back!

Why don’t US phone carriers give their users the ability to block foreign calls terminating in the U.S., at the telephony signaling layer? In almost no case do I ever want to receive a phone call from a foreign country with a spoofed number. Nor do I think anyone in my family wants to either.

This is going to become so much worse

https://news.ycombinator.com/item?id=40942307

Imagine old people getting phone calls from frantic children. They won't know real from fake. Add tech like this to SIM forgery ..and we will devolve from a high trust society to a no trust society.

I expect that with AI, we'll be less able to rely on the heuristic of bad grammar to easily detect phishing. That one flaw gave the phishers away so often, and made it so obvious ...

Artificial Intelligence vs. Actually Indian

On YouTube, I saw a deepfake of Elon Musk asking people to scan a QR code and buy crypto.

using ai might be bringing out some low-effort success but at the end of the day, it is skill issue on our front.

a common heuristic to look out for is "badly"-written/spoken communication. the "AI vs Actual Indian" comment and nigerian prince emails stand out for most people, but they still ended up working well enough to become this wide-spread.

you just need to employ some critical thinking now for most external communication now. it is no different from some highly-motivated scammers doing it the old-fashioned way. at the end of the day, we are trying to replicate the success of some native-speaking teens (https://news.ycombinator.com/item?id=32959001).

I've already experienced two AI-powered phishing attempts personally in the last few weeks. One was pretty transparent, but the other almost got me. I expect we'll all see a lot more of these soon.

> link or attachment that when clicked or downloaded, takes you to a spoofed website or installs malicious software on your device.

Can someone show me a modern OS that would install software by clicking a link?

Hey, just going to say what I've been telling folks IRL, if you are reading this, and your parents and family members aren't tech savvy, you need to set them up with two factor authentication now.

Because you know how to do that, and it's so much easier than helping them when they get hacked.

I want to know, how are you using AI now.

It’s actually worse than that - AI powered phishing sites will also copy your device profile and mouse, gesture and keyboard signature and use this to get past common anti-fraud techniques like device fingerprinting and behavioural biometrics.

The section “Recognizing AI phishing attempts” is mournfully short, but there’s some companies out there like Jericho Security (https://www.jerichosecurity.com) that are working on countermeasures, at least for enterprises.