Protect Your Business: Emerging AI Fraud Tactics
Artificial Intelligence (AI) tools are now widely available to anyone: small businesses, consumers, and bad actors alike. What risks should be on the minds of small business owners and managers? At the top of the list should be highly deceptive social engineering schemes that use AI to trick small business employees.
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. You’ve probably seen it attempted in your work email recently. Employees all over the country receive emails that appear to be their boss asking for “help on an urgent project” and providing a phone number.
Businesses have been training employees to recognize these social engineering schemes. Still, training may not be keeping pace with the AI-enabled schemes criminals use today to convince employees to wire money, buy gift cards with company credit cards, or hand over access to their email.
To help protect you, your business, and your employees, here are three ways criminals are enhancing their social engineering with AI.
Boss Deepfakes
Previously, social engineering schemes relied on authority (an email from a manager), urgency (he needs help now), and channels that hide the sender's true identity, such as email, text, or a phone call, to fool employees. AI has changed all that.
“You’re certain you’re in a secure video conference with your boss. You see their face on the screen and hear their voice directing you to make a wire transfer,” writes Fraud.net. “Everything looks legitimate, so you carry out the transaction. You’ve unwittingly transferred millions of dollars to a malicious actor in seconds.”
When social engineering is carried out through a deepfake like this, criminals do not need to break into banking systems, or even gain access to an account. An authorized employee logs in to the bank's own tools and sends the wire or makes the card purchase on their behalf.
Better Phishing
Think back on how you identified a malicious email in the past. What made it obvious? You probably guessed correctly: Spelling errors.
“Generative AI can make traditional phishing attacks – via emails, direct messages, and spurious websites – more realistic by eliminating spelling and grammatical mistakes and adopting convincingly professional writing styles,” writes TechTarget.com. “Large language models (LLMs) can also absorb real-time information from news outlets, corporate websites, and other sources, incorporating of-the-moment details into phishing emails.”
Bad actors’ messages may now look more legitimate than ever before, even convincingly mimicking the fraud alerts a bank sends its own customers. If your employee security training teaches people to spot phishing by looking for spelling and grammar mistakes, it is time to focus on other signals instead: who the message actually comes from, what it asks for, and how hard it pushes you to act quickly.
Business Email Compromise
Small businesses rightly focus on protecting their organizations from succumbing to an attack, but criminals can also impersonate you. They’re impersonating legitimate businesses via email with increasing regularity and success. AI allows them to impersonate many companies without learning the industry vernacular for each one.
In May, the Federal Bureau of Investigation’s San Francisco Special Agent in Charge, Robert Tripp, warned all U.S. businesses and consumers: “As technology continues to evolve, so do cybercriminals’ tactics. Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”
One such tactic is business email compromise (BEC), which exploits the fact that most of us rely on email to conduct our personal and professional business. In a BEC scam—also known as email account compromise (EAC)—criminals send an email message that appears to come from a known source, making a seemingly legitimate request, as in these examples:
- One of your vendors sends an invoice with “updated” payment details or a new mailing address.
- A company CEO “asks” her assistant to purchase dozens of gift cards to send out as employee rewards.
- A title company “instructs” a homeowner to wire his down payment.
Preventing a successful attack on your business is as much about educating employees as it is about educating customers with up-to-date best practices to protect themselves.
Where To Start?
The FBI’s 2023 Internet Crime report reveals alarming increases in online fraud’s frequency and financial impact. The Bureau’s Internet Crime Complaint Center (IC3) received a record 880,418 complaints with potential losses exceeding $12.5 billion, which is nearly a 10% increase in complaints and a 22% increase in losses compared to 2022.
The most frequently reported crime in 2023 was phishing schemes via email, text, and phone, in which a purportedly legitimate company requested personal, financial, or login credentials. Over 298,000 complaints were filed about phishing schemes last year, which accounted for approximately 34% of all complaints reported.
What does the FBI recommend businesses do to address this threat? Start with the following steps:
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don’t know, and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify payment and purchase requests in person or by calling the person to make sure they are legitimate. You should verify any change in account number or payment procedures with the person making the request.
- Be especially wary if the requestor is pressing you to act quickly.
The FBI published a more extensive resource on protecting your business and customers online here.