Cybercrime is rapidly evolving. From ransomware to phishing, criminals are leveraging AI and treating their operations like businesses. Defenders and security pros work hard to adapt. But it’s an arms race. Attackers keep intensifying their attacks. And the latest scam trends show how easy it is for anyone, even professionals, to get caught.

See The Global Scam Battle with Dave Bittner for a complete transcript of the Easy Prey podcast episode.

Most people who know Dave Bittner know him as the host of the CyberWire Daily podcast, a podcast that talks about cybersecurity five days a week. The idea is that if cybersecurity professionals listen to it every day, they’ll know the basics of what they need going into work. They won’t necessarily have details, but at least the general awareness to be informed. Dave also hosts other podcasts, including Hacking Humans, Caveat, and Research Saturday.

Dave’s background is in media and theater. About ten years ago, he got a job with a cybersecurity company that published CyberWire as a daily email news brief. He was the in-house video guy, but he suggested doing a podcast version. It took off, and eventually spun into its own company. Dave isn’t a cybersecurity practitioner himself, but he dabbled in phone phreaking as a teen and did some security stuff when he owned his own media production company. He came in with an average amount of knowledge. But hosting a daily cybersecurity podcast led him to learn and understand a lot more.

The biggest change Dave has seen in cybercrime and cybersecurity over the last decade has been AI. The development of AI is a once-in-a-lifetime event. He’s not sure where it’s going to end up, but it has changed things for both criminals and defenders.

“I don’t think it’s exaggerating to say that the introduction of a large language model artificial intelligence is a once-in-a-lifetime event.”

In the past, one of the common tells for phishing emails was bad grammar.
Now, ChatGPT can proofread anything into perfect American English. It’s taken away some of those common tells, and also allows scammers to customize scams at scale.

Defenders are using AI tools, too. AI is much more effective at scanning emails for scams and fraud. Run-of-the-mill email spam is pretty much solved now. It’s rare to get a genuine spam email in your inbox anymore—they’re all sorted into your junk folder. Hopefully we’re heading that way with scams and phishing, too.

AI has such a big impact on scam trends because it takes away so many of the telltale signs. Grammar issues, incorrect logos, weird formatting, even corporate voice can now be replicated by AI. There’s now a general paranoia about where emails are from. The Nigerian Prince scam probably isn’t going anywhere, but it’s not going to be a major player anymore. Now scams are more carefully crafted and targeted.

Ransomware and crypto mining came up at about the same time. A lot of people in cybersecurity thought ransomware was going to fade and crypto mining would be the big threat. Crypto mining is practically a victimless crime – the malware runs at night while you’re asleep and mines crypto, you probably won’t notice, it’s not using that much electricity, and it won’t hurt you. But the opposite happened. Ransomware went from a nuisance asking for $50 or $100 to hitting big businesses for millions. Not a lot of people looking at cybercrime and scam trends would have predicted that one.

Ransomware operators run it like a business. They have HR and tech support. Most of the organizations have some kind of integrity – they know that if they don’t keep their word, nobody will bother to pay.

“The ransomware operators are running like businesses … they literally have tech support.”

It’s going to be interesting to see how ransomware plays out. We are seeing more legislation around the world saying organizations have to report if they paid the ransom.
We’re not seeing much in terms of banning payments yet. Some people think we should, because the payments are funding North Korea and Russian criminals. But banning payments will still result in many people paying under the table, through a foreign subsidiary, or through a third party. There have already been cases where cyber insurance pays the fee, the business pays the insurance company, and they never admit to an attack. This also means insurance companies have more stringent requirements for security to get cyber insurance, which is good for everyone.

One of the big scam trends Dave is seeing right now is unpaid traffic tolls. They often come through text, and tell you to pay the toll right away or your license will be suspended. It’s happening nationwide, and the texts are relentless.

Scam texts are also getting more subtle. Dave’s wife got one claiming there was an issue with her Amazon account and she needed to log in and change some settings. Instead of “if you don’t pay right now, bad things will happen,” the request is a more reasonable “please log in and do this.” They use that to harvest your login credentials, which they either sell or use to access your account. Many of us are aware that fear and urgency are red flags. But when the request seems less urgent and more reasonable, we’re more likely to act. Some of these scams even claim that the changes are to better secure your account.

Scammers have gone from the joke of a guy in his mom’s basement to practically businesses. They’re run like businesses, always fine-tuning their business practices, working to make their operation more efficient and successful, and doing the things that all ordinary businesses do. It’s a global industry. The difference is that their product is theft.

It may not be a new trend in scams and fraud, but romance scams are still happening, too. They happen a lot on social media, especially Facebook. Facebook is not very effective at blocking scams on its platform.
Dave recently got a friend request from a “veteran” with twelve friends and a handful of posts that were all inspirational quotes. He’s not sure why they targeted him, since military romance scams usually target women. His sister gets them by the handful every day.

When scammers get victims on the phone, especially if the victim is elderly, they can be more aggressive. It happened to Dave’s mother. He happened to drop by for a visit when she was on the phone, and he was able to intervene. When scammers get people on the phone, they convince them to go to the store to buy gift cards or to go to the bank to transfer money.

On the bank scam end, a recent trend has been the scammers claiming that they’re from bank security and that the victim needs to go to the bank and transfer money. The catch in their story is that the bank tellers are in on the scam, so the victim can’t tell them what’s really happening. The scammers ask if the victim has AirPods or an in-ear headset so they can stay on the line while coaching them through the interaction. Bank tellers and store cashiers are now trained to look for these kinds of suspicious transactions. Scammers have had to up their game.

Manipulating people like that is despicable. Once people are bullied into believing that initial story, it’s hard to see the logical inconsistencies. If the people at the branch are in on the fraud, why wouldn’t the security team have them arrested first? And why would you want to keep your money there? But they are good at telling stories and have all sorts of manipulation techniques up their sleeves. People can lose their life savings to these scams.

Dave has himself been a scam victim multiple times. But he has made the deliberate decision not to go through life being cynical and not trusting people. Sometimes that’s challenging. Everyone has days when they want to be cynical. But he would rather be scammed occasionally than go through life considering every interaction to be potentially suspicious. That is a choice that he’s made.
There are probably people out there who would say he’s a fool for it. But he’s okay with that.

“I would rather occasionally be scammed or lose some money rather than go through life considering every encounter I have with someone to be suspicious.”

Nobody is immune. It can happen to anyone, and you’re not stupid, lazy, or ignorant if you get caught. Every now and then, they’re going to get you. It’s like catching a cold. You can take every precaution and sanitize everything, and you’re still going to get sick at least once. It’s just part of life. Scammers are going to get you every once in a while. Unfortunately, that’s also part of life.

“Every now and then, [scammers] are going to get you. … It’s just part of life.”

The first one happened about fifteen years ago. Dave was sitting in his backyard with his phone when he got a Facebook message from a close friend. The message said, “Hey Dave, did you see this video you’re in?” and included a link. Dave wasn’t aware of the video, so he clicked the link. It took him to a Facebook login page, and he entered his login info. But it wasn’t Facebook – it was a fake website harvesting credentials. His friend’s Facebook account was hacked, and the scammers were using it to target other people. Luckily, Dave quickly realized what was going on, changed his password, and secured his account. But he still felt stupid. It was a horrible feeling.

Dave may have been more susceptible to that particular scam because of his background. He had a history in theater and sometimes volunteered as MC for fundraisers and charity events. The message made him think there was a blooper video or something embarrassing got filmed through one of those events. It wasn’t particularly out of the ordinary. The message itself was very nondescript. Dave’s own imagination filled in the rest. That’s how scammers operate. They put out something vague and let you fill in the gaps yourself.
When people in the security industry fall for scams, they almost always say it’s because it fit with their expectations. They interacted with a compromised account of a family member thinking it was them, or fell for a customs scam when they ordered an international package. Everyone is susceptible to a scam when it aligns with what’s going on in our lives.

“That’s what [scammers] do. They let you fill in the gaps and take advantage of your mind and your insecurities.”

Not every scammer hides behind a computer screen. Some are perfectly willing to show up to your door or otherwise show their face. In Dave’s case, he got caught by one on a highway exit ramp. He was on his way home, and as he exited the highway, he saw a car on the side of the exit ramp with a man next to it, waving his arms like he needed help. Dave pulled over to see if he could help.

The man said he had run out of gas and needed some money. He offered jewelry as collateral. Dave declined the jewelry, but offered to drive the man to a gas station, get him some gas, and drive him back. The man said his wife and kids were in the car and he couldn’t leave them. Every solution Dave offered, the man had an excuse for why it wouldn’t work. Eventually, Dave gave him a few bucks and continued home.

Less than a day later, he saw a news story from the state police about scammers on exit ramps tricking people into giving them money for gas. Dave had fallen for it. But he viewed it as the price he paid for not being cynical. It was a relatively low cost. He’d lost a few cups of coffee, not his life savings. To him, it was reasonable to tolerate.

AI is going to be a huge influence on future scam trends. There’s something called a treasure box scam, where the scammer’s story is that they have something of value, and they offer to share it with you if you can help free it from something that’s keeping this person from having it. These scams go back to the age of pirates.
They’re hundreds of years old, but scammers are still using them. What we’re going to see is those scams that work evolve with AI. AI tools will make it easier to create these scams, and also probably make them more effective.

“Most of what we’ll see [in future scams] is the evolution of things that work. I think AI will make it easier for those things to be more effective.”

Dave hopes that someday we can all have an AI agent watching over our shoulders and protecting us. If we try to transfer a lot of money or give a stranger access to our computer or our bank account, for example, the AI can look into it more and ask if you really want to do that. It would be great if these tools could be used to protect vulnerable people and make it harder for scammers to get what they want.

Learn more about Dave Bittner, CyberWire Daily, and Dave’s other podcasts at thecyberwire.com.