How criminals could use AI to scam Britons - and what can you do to protect yourself
Dozens of people worldwide were arrested in April, accused of using the platform Labhost to commit scams.
For a monthly subscription fee, Labhost granted criminals access to malware to help them commit attacks against individuals and organisations, a practice often labelled ‘cybercrime-as-a-service’.
One tool, LabRat, allowed scammers to monitor and control phishing attacks in real time and capture advanced security measures, such as two-factor authentication codes and credentials.
Subscribers could also create web pages mirroring those of major brands – anything from banks to healthcare providers – that could deceive people into handing over sensitive information.
Bad tools: For a monthly subscription fee, Labhost granted criminals access to malware to help them commit attacks against individuals and organisations
Police said the platform led to criminals stealing 480,000 credit cards, 64,000 PIN codes, and over 1 million passwords.
An estimated 70,000 Britons fell victim to Labhost’s tricks, but similar platforms have conned countless others.
Such numbers could continue rising as artificial intelligence develops and provides more sophisticated methods for digital thieves.
Why UK consumers are vulnerable to AI-enabled fraud
Phil Rolfe, a financial crime expert at consultancy Valcon, says the UK is particularly vulnerable to AI-related fraud for two key reasons.
Firstly, the English language – as it is so widely spoken. Secondly, Britain is a wealthy country full of people with significant savings and investments.
Statistics on AI-enabled fraud are hard to come by, but fraud itself has been soaring for some years, partly since the Covid-19 pandemic led to people spending more time on their computers.
Overall fraud offences across England and Wales jumped by 46 per cent to 465,894 in the year ending June 2023, according to banking regulator UK Finance.
Here are a few ways criminals use AI for financially nefarious purposes.
Growing threat: Overall fraud offences across England and Wales jumped by 46 per cent to 465,894 in the year ending June 2023, according to banking regulator UK Finance
Phishing
A term originally coined by hackers, phishing involves con artists sending emails or texts with links to malicious websites that, once clicked on, download a computer virus or encourage people to reveal their personal details.
It is the most common form of AI-enabled financial crime, almost as old as the World Wide Web and only becoming more advanced.
Rolfe says the old style of phishing was basically ‘a sweatshop, for want of a better phrase’, of criminals using email address lists and stock email phrases and ‘just cutting and pasting and sending’.
If someone took the bait, they would then be targeted by a person higher up the criminal food chain.
But, with AI, criminals can now run their phishing scams off one powerful machine.
They could also additionally write copy free of the spelling and punctuation errors that have traditionally made phishing harder to pull off.
Voice cloning: Researchers at McAfee found that it took just three seconds of a person speaking to create a copy with an 85 per cent resemblance to their original voice
Voice cloning
Imagine you are a British chief executive. You get a call from someone you think is the boss of your firm’s German parent company asking you to transfer €220,000 to a Hungarian supplier within one hour.
Given the request’s urgency, you deposit the sum and receive a call later that day saying the UK business has been reimbursed. But the money never arrives.
That happened to one UK energy boss in 2019, according to the Wall Street Journal, which said the criminals may have employed voice-generating software to accomplish their bold heist.
Although not as prevalent as phishing scams, voice cloning certainly grabs many headlines. And, like phishing, it is becoming more sophisticated.
Researchers at McAfee found that it took just three seconds of a person speaking to create a copy with an 85 per cent resemblance to their original voice, or 95 per cent with a few audio files.
As so many people’s voices are online, whether on social media, podcasts, or films, scammers can replicate virtually anyone – especially politicians, celebrities and high-profile executives.
Deepfake videos
When mixing a near-perfect voice clone with ‘deep learning’ to make a real person appear to utter something they actually never said, you have a state-of-the-art tool for tricksters to exploit.
Deepfake videos are cheap and easy to produce and are growing more popular with fraudsters; a survey last year by Regula, an IT services firm, found 29 per cent of businesses had fallen victim to them.
One multinational in Hong Kong lost $25.6million after a digitally recreated version of its chief financial officer asked an employee on a videoconference call to transfer some money.
The staff member was reportedly asked to introduce themselves and told to execute the transfer before the call was abruptly ended.
They then kept communicating with the scammers via messaging platforms, emails, and phone calls.
Only after the cash was transferred did the employee and unnamed company realise they had been swindled.
If a large business could lose such a vast sum, imagine how vulnerable individuals are to losing their life savings because of a doctored video.
Forged documents
Unlike cloning and phishing, the history of faking documents goes back thousands of years. The Romans even had laws banning the forging of records that transferred land to heirs.
With AI, algorithms can replicate minor details of documents, including pictures, watermarks, holograms, microprinting, and signatures, simplifying the step-by-step process for criminals to create false but credible forms of identification.
Rolfe thinks ‘any teenagers doing a computer science degree’ can probably forge a gas bill with fewer identity checks than are needed to open a bank account.
Their ability to perpetrate document fraud has been made easier by the extent to which their digital-native peers share information online.
A poll by identity verification platform IDnow in February discovered that nearly half of 18-24-year-olds had sent identity documents through less secure channels, such as email, social media, or messaging apps.
More concerning, 45 per cent knew that sending scans of their documents via these channels could be used by criminals to commit fraud, but a third did so anyway.
How can you protect yourself?
Fraud will likely remain endemic, regardless of how much the technology to combat it catches up with the criminals.
Even the most technically-literate people are susceptible to AI-employed scams nowadays due to the sheer volume of such crimes taking place.
Rolfe admits that he was recently caught out by a fake DocuSign email, although he realised quickly enough to change the password on his computer before anything terrible happened.
His advice to avoid becoming a victim of AI-related fraud is not to rush and ensure you perform the necessary checks.
So, if you receive a random call, text, or email asking you to transfer a large sum of money within a short space of time or to hand over your personal information, be immediately suspicious.
Check the number or email address that sent the message to confirm its legitimacy. Look at the branding to see if it resembles a real organisation.
If you receive a peculiar message from a relative or friend, contact them by another means or ask them to call back.
Should it be a family member on a phone call, many security specialists suggest you have an agreed secret ‘safe word’ that can be repeated in emergencies or ask very personal questions to which only they could know the answer.
And as IDNow’s survey attested, any financial details should not be given via text, email, or phone until the recipient’s legitimacy is verified and security measures like complicated passwords and two-factor authentication are implemented.
As Rolfe says: ‘All you can do is try and be alert to these things, and if you have a question or you’re not quite sure, then I’d much rather you spend an extra five minutes asking whether it was the right thing rather than just getting on with it and getting caught.’