Toll-charge scam, five AI threats, CISA impersonation and reducing spam messages

Fraudsters pose as employees of toll road agencies and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to steal money and personal information from unsuspecting consumers. Also in this column, the author details how artificial intelligence is making it easier to commit cyberfraud, and how consumers can reduce the number of spam emails in their inboxes.

John Johnson received a text message demanding payment for overdue driving toll charges. He thought the message was legitimate because he routinely crossed a toll bridge on his way to work, so he clicked on a link and paid the amount with his credit card. But after he saw numerous unexplained charges on his credit card statement, he immediately called Visa, and the company dropped the charges. He was a victim of the “overdue toll charge” scam. The case is fictional, but it’s representative of this type of fraud.

Most of us have paid fees to use toll roads or bridges. In this scam, fraudsters impersonate employees from tolling agencies to send text messages to drivers saying they need to pay delinquent charges. The scammers tell victims to click on links to pay and avoid late fees. But, of course, those clicks can lead to phishing attacks that will steal personally identifiable information (PII), such as driver’s license numbers and credit card numbers — and even money and identities. [See “How to Recognize and Avoid Phishing Scams,” U.S. Federal Trade Commission (FTC).]

The FTC has this advice:

• Slow down. Don’t rush to click on links or respond to the text. Scammers want you to react quickly when they send you an unexpected text message, but it’s best to stop and check it out.
• Check with the tolling agency. If you’re worried the text isn’t legit, check with the state’s tolling agency. But use a phone number or website that you know is real — not the info from the text.
• Report unwanted text messages. Use your phone’s “report junk” option to report these unwanted texts to your messaging app or forward them to 7726 (SPAM). (See “How To Report Spam Text Messages,” FTC, July 2022.)
• Don’t engage. Delete the message. Share this information with those you know. And if you spot a text scam, the FTC wants to hear about it. Go to ReportFraud.ftc.gov and tell your story. (See “That text about overdue toll charges is probably a scam,” by Andrew Rayo, FTC, May 8, 2024.)

Five artificial intelligence threats

Many organizations are using artificial intelligence (AI) technology to become more efficient and profitable. Major financial organizations are funding upstart companies to create more AI models. Of course, cyber criminals are also using sophisticated, powerful tools to enhance their malicious schemes and develop new ones.

Callie Guenther, senior manager of threat research at Critical Start, a cybersecurity company in Plano, Texas, provides five leading AI threats in a June SC Media article:

• Automated phishing attacks. Traditionally, phishing has relied on a “spray-and-pray” approach, with cyberfraudsters sending large volumes of emails in the hopes that at least one recipient will take the bait. But now, with AI, fraudsters can be more precise with their phishing schemes. According to Guenther, algorithms can analyze social media profiles, public databases and previous communication patterns to craft personalized phishing messages. Instead of mass volumes of emails, cyberfraudsters can be surgical in their approach with emails designed to bypass security measures and exploit human trust.
• AI-powered malware. Just as AI can transform the garden-variety phishing email into a highly personalized ploy for PII, AI is transforming malware into something even more malicious. According to Guenther, AI-driven malware can adapt its behavior based on the environment it infects so it’s much harder to detect and remove. With AI, malware can constantly change its code to evade signature-based detection methods. Malware now has the potential to be highly adaptable, meaning it will remain hidden — and more effective — for a longer period of time. Guenther also warns in the SC Media article that cyberfraudsters can use AI to automate malware, allowing for a rapid development of new variants.
• Deepfake technology. Cyber criminals are already using AI to create deepfakes — hyper-realistic (but fake) images, video and audio that are so convincing that it’s difficult to distinguish between what’s real and what’s fraudulent. (See “The flawless fraud of real-time deepfakes,” by Carolyn Conn, Ph.D., CFE, and Zachary M. Kelley, Fraud Magazine, July/August 2024.) Fraudsters can use them to impersonate individuals, such as an employee receiving a video call from what they think is their CEO, who will then deceive the employee into transferring funds or sharing sensitive information.
• Reconnaissance via AI. Cyber attackers can use AI to quickly search through massive amounts of data to identify an organization’s potential vulnerabilities. It can also assist them in analyzing user behaviors, website traffic patterns and system configurations to enhance their reconnaissance activities.
• DDoS attacks. In Distributed-Denial-of-Service (DDoS) attacks, cyberfraudsters overwhelm and exploit their targets’ systems with fake internet traffic. According to Guenther, AI systems make DDoS attacks far more resilient and more difficult to fight. Guenther explains that AI can adjust a DDoS attack’s patterns based on responses from the targeted system, “effectively learning in real-time to maximize disruption.” Fraud fighters will need to employ advanced defensive measures to counteract this level of sophisticated attack. (See “Five AI-based threats security pros need to understand,” by Callie Guenther, SC Media, June 5, 2024.)

As Guenther writes in the SC Media article, traditional methods of defense are becoming obsolete as cyberfraudsters become more adept at leveraging AI for their attacks and the technology itself becomes even more sophisticated. “The dynamic nature of AI-driven threats requires a paradigm shift in how we approach cybersecurity,” says Guenther. (See “Five AI-based threats security pros need to understand.”)

Phone scammers impersonate CISA employees

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that fraudsters are impersonating agency employees to steal money and other financial resources from individuals.

Fraudsters commonly use impersonation scams to steal PII and monetary resources. Government agencies and their employees are often targeted, but this is the first report of the impersonation of CISA employees.

CISA says that its staff “will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards, and will never instruct you to keep the discussion secret.” If you’re a victim of a CISA impersonation, do the following:

• Don’t pay the caller.
• Note the phone number.
• Hang up immediately.
• Validate the contact by calling CISA at 844-SAY-CISA (844-729-2472) or report it to law enforcement.

(See “Phone Scammers Impersonating CISA Employees,” CISA, June 18, 2024.)

Fraudulent spam messages

For years, you’ve received annoying spam texts and emails. Of course, as always, the fraudsters’ goal is to snatch your financial resources and PII by convincing you to click on malicious links. The FTC recommends the following actions to reduce spam messages and avoid possible scams:

• Use filters. Your mobile phone probably has options to filter and block texts from unknown senders. Some wireless providers and call-blocking apps can also help block unwanted messages. Many popular email providers (like Gmail) have strong spam filters turned on by default. But if any spam gets into your inbox, mark it as spam or junk.
• Protect your PII. Before you enter personal information on a website, email or text chain, ask yourself: Why do they need this information? And what’s going to happen to it? Of course, never share your Social Security number with someone who contacts you.
• Unsubscribe from unwanted emails. Getting fewer unwanted emails helps you avoid clicking on links that can lead to phishing attacks.
• Report unwanted messages. Unwanted messages often lead to scams. Report them. Use your phone’s “report junk” option or forward unwanted texts to 7726 (SPAM) and unwanted emails to your email provider.

(See “Let’s talk about spam texts and emails,” by Andrew Rayo, FTC, May 6, 2024.)

I’m here to help

Please use this information in your outreach programs and among your family members, friends and co-workers.

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help with or if you’d like me to research a scam and possibly include details in future columns or as feature articles.

I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a distinguished professor of accounting and research at Central Washington University. He’s the vice president of the ACFE’s Pacific Northwest Chapter, and serves on the ACFE Advisory Council, the ACFE Editorial Advisory Committee, and the ACFE’s inaugural CFE Exam Content Development Committee. In 2005, he received the ACFE’s Outstanding Achievement in Accounting award in and the ACFE’s Educator of the Year award in 2006. Holtfreter was the recipient of the ACFE Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.