There’s been a few articles (NPR, Wired) recently regarding the use of AI and how it will provide new tools for scammers to better trick people by posing as someone they know. A lot of these articles have very helpful techniques, but I want to cover how people could realistically adopt the techniques.

Because as we know, strong defenses are only useful if they actually get used.

First let’s start with making a scammers job harder to begin with.

Lockdown accounts #

This isn’t just make sure you have secure passwords and MFA - which you should have. Locking down your accounts means being aware of what you post, how someone could determine information about you, like where you are, problems you might have, interests they could tempt you with, and so on.

With AI, if there are videos or pictures of you - which I am sure there are of most people - then you could be cloned fairly easily. Honestly I don’t expect people to not post these types of things, which is why diligence is key.

Making accounts private, culling your followers, using multiple accounts to professional and personal interests. These can help minimize the potential knowledge scope on you if you are targeted.

Additionally, making sure you can recover your accounts and that your recovery email is well protected.

In short:

• Make sure your posts aren’t more revealing than you want them to be
• Know who follows you
• Take your account private by default
• Consider multiple accounts to split between public and private

This is something everyone should do, and you should do it on a cadence that makes sense. Because settings change, your tolerance for posting personal information changes and all that should be considered over time.

Set up strong authentication #

Get a password manager, randomize your passwords, and if possible randomize your emails too! On top of all that, set up MFA where possible. I suggest software plus hardware (like a YubiKey).

Also, if you are helping a parent or loved one, then a family account with the password sharing may help when needed. We have all been there when their parent can’t remember the password to an account they need your help with, and you have to go through the recovery dance.

Avoid clicking suspicious links #

This should also be an obvious one, but just don’t click links you don’t trust. These are links randomly texted to you, or just don’t look right (like fedex-com[.]net).

Now obviously clicking on links in social media is going to happen. Just make sure before you do click. And if you’re a bit suspicious of it. Google the website and the title of the article instead.

With that being said, suppose you’re targeted and a bad actor is realistically posing as someone you know. Maybe it’s a phone call, or a voice message, or even as sophisticated as a video call - all leveraging AI tooling.

Secret family codes #

I see this being suggested a lot. And it can be helpful, but really it is a historical knowledge challenge. So, realistically the best way to leverage this in your daily life is to ask questions only the two of you might know. Like a conversation you had previously or the last place you ate and what you ordered.

Obviously people are human, and I’m not the only one that forgets what I had eaten a day or two later. Also, as mentioned earlier, depending how open your life is on the internet someone might know what you ate last Sunday because you posted it on your stories.

Better yet would be to use intimate knowledge. These are things like inside jokes the two of you might have, personal discussions or other things that have a very low chance of being online.

Which is why creating a code phrase can still be helpful, as it is a better type of shared knowledge - intimate knowledge.

Secondary channel of communication #

Another way to check if someone is who they say they are is to either ask them to send you the same message on a known secure form of communication you two share. This could be instagram DMs, signal messaging, or something where they need to authenticate to access. Or you could reach out yourself and not tell them you’re planning to do it.

Now this isn’t perfect either, especially if the bad actor has already compromised those accounts and has access.

Third person check #

Now if you really aren’t sure how compromised that person might be. You can also reach out to someone else that is close with them to check. Depending on the time of day it could be a colleague, or a partner, someone you expect them to be with at that moment, have seen recently or will see soon. They can then work one physically finding the person to confirm if it is them. Or might be able to confirm the request.

Lastly is education, not only for yourself but others around you. Knowing not only who is aware, but also the extent they are capable of. The sad truth is, the most vulnerable are often targeted the most. Knowing who you might have around that needs the extra help can make all the difference in the world.

Again, the best tools are the ones that are used, and the more in use the more layers of defense you have available.

How scams are changing #

I want to reiterate that who this is most important for isn’t necessarily going to be the reader, nor most of their immediate friends and family. It will be the grandparents and older generations. Yes I do hope you learn something or use one of these techniques, but I also want you to be proactive.

There’s an event I was told of, which didn’t involve AI but is of the same vein of directed attacks. The scammer was watching a home of an elderly woman. Their adult children were visiting and some left for home. About 10 minutes later the woman received a phone call from the scammer, posing as one of the people that had just left, saying that the other was in trouble with the police and needed to pay a fine otherwise they were going to go to jail. Luckily the woman didn’t recognize the voice, and instead called someone else to check.

Now imagine if this same tactic added AI generated voice copies of the person they know? Just being that little more convincing could have lead to a successful scam. It’s these enhancements that people need to be prepared for.

As with everything in security, the bad actors only need to succeed once - so be diligent!