Taking Back the ID

Phishers use AI to bypass email security, fake life insurance policy scams and more

Date: November 1, 2023

If you think businesses and individuals are now immune to phishing attacks, you’re dangerously wrong. A new Cloudflare report says that email is still the primary initial attack vector for cybersecurity incidents. Why? Because despite years of corporate in-house education, we load emails with vast amounts of trade secrets, personally identifiable information (PII), financial data and other sensitive matters. And users continue to click on links they should ignore. Plus, fraudsters now, of course, are using artificial intelligence (AI) to bypass email security systems. (See “Introducing Cloudflare’s 2023 phishing threats report,” by Elaine Dzuba and Juliette Cash, Cloudflare, Aug. 16, 2023.)

According to the Cloudflare report:

  • Attackers use links as the No. 1 phishing tactic and are evolving how they get you to click and when they weaponize the link.
  • Identity deception takes multiple forms and can easily bypass email authentication standards.
  • Attackers may pretend to be hundreds of different organizations, but they primarily impersonate the entities we trust and need to get our work done.

The FBI’s Internet Crime Complaint Center (IC3) 2022 report on business email compromise (BEC) says that U.S. organizations lost more than $17 billion to BEC schemes between October 2013 and December 2022. Global businesses counted losses of nearly $51 billion for the same period, according to reports the IC3 received from organizations. (Also see “Analysis: Social Engineering Drives BEC Losses to $50B Globally,” by Elizabeth Montalbano, Dark Reading, June 13, 2023.)

Phishing threatens not just Fortune 500 and global companies but also small and local organizations as well as the public sector. (See “30% of phishing threats involve newly registered domains,” Help Net Security, Aug. 18, 2023.)

Phishing fraudsters have two goals: achieve authenticity and legitimacy in the eyes of the victim and persuade victims to engage or click. The first goal involves marketing promotions in which fraudsters impersonate trustworthy entities in emails, such as the Internal Revenue Service, to gain users’ attention.

The second goal, of course, is to trick victims into directly supplying PII. Or fraudsters steal PII indirectly after victims click on links that take them to malicious sites. Fraudsters also steal PII after victims click on links that download malware on their devices.

“Phishing is an epidemic that has permeated into the farthest corners of the internet, preying on trust, and victimizing everyone from CEOs to government officials to the everyday consumer,” according to Matthew Prince, CEO of Cloudflare. The Cloudflare report said malicious links were the No. 1 threat category, comprising 35.6% of detected threats.

Study respondents said attackers posed as more than 1,000 different organizations in over 1 billion brand impersonation attempts. They impersonated one of 20 well-known brands 51.7% of the time. Microsoft was the most impersonated brand. Others were the World Health Organization, Google, SpaceX, Salesforce and Apple. Also 89% of unwanted messages passed email authentication checks.

Cybercriminals use AI to bypass email security

AI has elevated the phishing game to new heights. According to an August report from Perception Point and Osterman Research (PPOR), 91% of organizations have experienced AI-enhanced email attacks, and 84% expect continued use of AI to circumvent existing security systems.

The findings of the PPOR study indicated that while cybercriminals are using generative artificial intelligence (GenAI) to fuel their complicated email threats like phishing and business email compromise attacks, organizations are fighting back by using AI as an important part of their email security systems. The study’s respondents who ranked AI as “extremely important” to their email defenses increased by more than four times in the year before August. Almost all organizations said they expect AI to be moderately or extremely important to their email defenses. Nearly four out of five respondents in the PPOR study rated “thinking and dealing with email security risks” as a top-three priority compared to other risk and security strategies. (See “Cybercriminals turn to AI to bypass modern email security measures,” Help Net Security, Aug. 23, 2023.)

Organizations are now using large language models (LLMs) and generative AI platforms, such as ChatGPT, to develop strategies to strengthen their email security systems.

Here are additional findings of the PPOR study:

  • Traditional email security approaches have proven less effective over time: 96.9% of respondents implemented AI-enabled email security because their traditional defenses were ineffective against emergent threats.
  • AI-powered security isn’t just for email: Buyers of AI-enabled email security want the ability to better protect other communication and collaboration apps with AI, such as Microsoft Teams, SharePoint, OneDrive, Zoom, Slack, Salesforce and more.
  • AI-enabled detection without responsive mitigation is misguided: Strengthening capabilities for detecting threats in email via AI is an essential first step, but it can’t end there. Organizations must train cybersecurity professionals and security operations centers’ teams to respond quickly and effectively to identified incidents, leveraging the best of what AI brings to the table.

Because employees are the weakest links and the last lines of defense in cybersecurity, organizations should provide regular training not only in the advances in AI platforms like ChatGPT but also in being able to detect and prevent threats like phishing and BEC.

Fake life insurance policy scam

Potential victims in Korean, Vietnamese and Latino communities are receiving official-looking letters from someone purporting to be a Canadian lawyer. The purpose of the letter is to scam individuals out of money and their PII, which will be used for identity theft. The writer says that the recipients can share in the proceeds of a deceased client’s unclaimed life insurance policy worth millions of dollars. Because the recipients supposedly have the same last name and nationality as the deceased, the author of the letter can add their names to the policy and split the money between the potential victims, the writer’s law firm and charities. The victims are told to email the scammer immediately and keep everything secret. If they respond, the “lawyer” will require money or PII, or both. [See “Did you get a letter from a ‘lawyer’ about cashing in on someone else’s life insurance policy?” by Sung W. Kim, Federal Trade Commission (FTC), Aug. 18, 2023.]

The FTC offers advice if you receive one of these letters:

  • Don’t respond. Never share your information with someone who contacts you and says they need it. And never send anyone cash or pay with gift cards, wire transfers or cryptocurrency.
  • Share this information with a friend. You probably throw away these kinds of letters. But you may know someone who could use a friendly reminder to help them spot the scam.
  • Report it to ReportFraud.ftc.gov. Your report makes a difference. You help others avoid the scam by telling your story to the FTC and others in your community.

Unordered COVID-19 tests

After May 11, when the U.S. federal government officially ended the COVID-19 Health Emergency, Medicare and other health insurance ceased payment for many at-home, over-the-counter COVID tests. Scammers, who’ve stolen Medicare recipients’ PII, began sending unordered COVID tests with bills. (See “Got COVID-19 tests you didn’t order? Don’t pay,” by Ari Lazarus, FTC Consumer Advice, Aug. 9, 2023.)

The FTC recommends:

  • Don’t pay the invoices. By law, companies can’t send you things you didn’t order and then demand payment. You never have to pay for things you didn’t order. You’re legally entitled to keep them. If you get a bill like this, report it at ReportFraud.ftc.gov.
  • Check your Medicare Summary Notices and Explanations of Benefits to see if your account was billed.
  • If you suspect Medicare fraud, call your health care provider or Medicare plan and ask for an explanation. If you aren’t satisfied with their response, call your local Senior Medicare Patrol for help filing a report or call Medicare at 1-800-MEDICARE.
  • Report Medicare fraud to the Health and Human Services Office of Inspector General online or at 1-800-HHS-TIPS (1-800-447-8477).

I’m here to help

Please use information about these scams in your outreach programs and among your family members, friends and co-workers.

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help with or if you’d like me to research a scam and possibly include details in future columns or as feature articles.

I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a distinguished professor of accounting and research at Central Washington University. He’s a member of the Accounting Council for the Gerson Lehrman Group, a research consulting organization, and a member of the White Collar Crime Research Consortium Advisory Council. He’s also the vice president of the ACFE’s Pacific Northwest Chapter and serves on the ACFE Advisory Council and the Editorial Advisory Committee, and he was recently selected to serve on the ACFE’s inaugural CFE Exam Content Development Committee. Contact him at doctorh007@gmail.com.
