The Emerging Threat of AI in Cyber Scams
From fake faces to mimicked voices, scammers are growing more sophisticated in their attempts to steal sensitive data. We spoke with BECU Senior Vice President and Chief Information Security Officer Sean Murphy to learn about these threats.
If the boss calls and asks for an urgent transfer of funds, most people probably wouldn't question it. But what if it's not really your boss? What if it's a digital impersonation of your boss created by scammers?
It sounds like the stuff of science fiction, but that's exactly what happened in 2019: Scammers digitally stitched together a voice that sounded so much like a company's chief executive that it was able to convince another company executive to transfer $243,000 to the scammers' account, according to a report by The Wall Street Journal.
Investigators believe the scammers captured voice data, which they used to train artificial intelligence software that created the voice.
The article describes the attack as "unusual," but Sean Murphy, a Senior Vice President and the Chief Information Security Officer for BECU, said such attacks could become more common as technology evolves.
"Scammers could get to the point where the AI could interact, on a very limited basis, with a call center, providing your name, address and other basic information," Murphy said.
When in doubt, Murphy said to hang up, independently look up the company phone number, and call back.
AI Used for More Effective Scams
The technology extends beyond voice impersonations. Fake images of people who don't exist are used to create false social media profiles, and "deep fake" videos can be manipulated to show real people doing things they didn't do.
Murphy said it's all an effort to increase the efficiency and effectiveness of what cybersecurity professionals refer to as social engineering: The AI finds patterns in your behavior that make it easier for the scammer to target you and convince you to give them access to personal information.
"The most likely way credit union members are at risk is someone trying to get your credentials, like your password or any challenge question information," Murphy said. "They might also use that information to pretend to be a member and try to get someone from our team to give them account access."
Playing Defense and Offense
Talking about cyber scams might make AI sound scary, but Murphy said it's important to remember that legitimate organizations use it for positive purposes, too.
"AI can be both good and bad," he said. "From a cybersecurity perspective, we're using AI to help us develop tools and techniques to protect our own systems. We find patterns and create defenses that are more predictive and proactive, rather than being reactive."
Murphy said many organizations use AI to teach their computers to detect when other computers are trying to penetrate their cybersecurity measures.
"Sometimes we just see feelers," Murphy said. "The scammers' computers will attempt credential attacks. They might not really be trying to break in. They're just trying to see if they have credentials for any valid accounts."
Basic Scams Still Rule
As interesting as AI-driven scams are, Murphy said most people are more likely to encounter basic attacks, like password phishing emails, text messages and spoofed websites, where scammers are trying to convince them to give up their login information.
"I hope people don't worry so much about highly technical, sensational attacks that they look past basic attacks that are far more common," Murphy said. "AI is far more present in nations going after other nations' critical infrastructure."
If people want to protect themselves most effectively, Murphy advises learning and practicing the basics of cybersecurity.
"A healthy dose of skepticism is good," he said. "Just take an extra second to look for red flags."
Tips To Protect Yourself
Follow these tips to protect your personal data and your finances:
- Never give passwords or authentication codes to callers.
- Look carefully at the email address of any sender asking you for information. Make sure it's spelled correctly. Mouse over the email to make sure the address that pops up is the same as the email address you see in the sender field.
- Assume that if a prize or deal is too good to be true, it probably is.
- Pause when confronted with any deal, prize or threat of a discontinued service that requires urgent action. Most reputable companies will give plenty of time to communicate a special offer or discount, and they won't ask you to log in and provide your account number.
- Don't click links in text messages to respond to fraud alerts.