Dec 12, 2023 - Technology

How holiday scammers could get help from AI


ChatGPT and similar tools aren't just helping craft letters to Santa — scammers are also using them to perfect their phishing lures with fake discount codes and shopping deals.

Why it matters: The end-of-year holiday shopping season has long been a popular time for cyberattacks and online scams targeting retailers and shoppers.

  • Scammers can use ChatGPT and other AI chatbots to speed up the development of their phishing lures to launch even more attacks, experts warn.

The big picture: Scammers typically target consumers using emails that purport to offer alluring discount codes and deals on popular gifts.

  • But the cybercriminals behind these schemes often aren't native English speakers, leaving their emails littered with typos and other grammatical errors that consumers can easily detect.

Between the lines: With AI chatbots, those grammatical errors can be greatly reduced — making it harder for consumers to detect fraudulent offers.

  • ChatGPT and similar chatbots are able to help those who are already technically savvy enough to launch an online scam put the finishing touches on their messaging, Jim Taylor, chief product officer at RSA, told Axios.
  • "It's gotten a whole lot easier, the barrier to entry is lower — but there is still a barrier of entry," Taylor said.

The intrigue: Scammers can use AI chatbots for more than just spellchecks, Taylor added. Bad actors can use these tools to help tailor an email to a specific demographic, he said.

Details: Retailers are experiencing an influx of phishing lures across the board this holiday season, including some targeting retail employees, said Bryon Hundley, vice president of intelligence operations at the Retail & Hospitality Information Sharing and Analysis Center.

Zoom out: Improved phishing scams hit consumers' and retailers' inboxes at a time when they're being inundated with emails and texts about potential deals — making them more susceptible to opening a seemingly weird email.

  • Spoofing retailers' email addresses is pretty easy: Less than half of U.S. online retailers have implemented a high-level security tool that authenticates that an email was actually sent by the retailer, according to email security company Proofpoint.

What they're saying: "We have this massive proliferation that's happened of consumer brands, all of whom are totally reliant on emails to get out marketing offers," Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, told Axios.

  • "That is the easiest thing in the world to impersonate — it's probably harder to set up a fake email account at this point, which is also not hard," he added.

Meanwhile, local law enforcement doesn't always have the resources to help address online scams that consumers fall for.

  • The FBI, which has more resources to track international scammers, often can't respond to low-level schemes where consumers lose around $5,000, even though that can be catastrophic for a victim, Kalember said.

Yes, but: It's impossible to know for certain if scammers are using AI tools, Hundley said.

  • "We're just speculating right now," he said. "Until we have something that we can run a phishing email through and go, 'This was definitely generated by ChatGPT' or something like that, we can't tell."

Be smart: As scammers improve their tricks, security experts say consumers need to be even more careful when clicking on emailed links.

  • Check to see who sent the email, and take advantage of link previews to see if they're going to the retailer's authentic website.
  • Verify if a discount is real by going directly to the retailer's website rather than relying on a link in an email.
  • You can also call a retailer's customer service department to verify email promotions or report potential scams.