I’ve blogged about Artificial Intelligence (AI) before (click on General Security Issues and you’ll find it), in that blog I was concentrating on how AI could be used to generate code to be inserted into a Ransomware attack, and perhaps heralding the re-emergence of the once fabled ‘script kiddy’. Whilst there is no doubt that AI has a great potential for good with applications in just about every sphere of IT, it can allow some very nasty people, who have very limited technical ability, to introduce new and frightening scams.

The following is taken from CNN.

Jennifer DeStefano’s phone rang one afternoon as she climbed out of her car outside the dance studio where her younger daughter Aubrey had a rehearsal. The caller showed up as unknown, and she briefly contemplated not picking up.

But her older daughter, 15-year-old Brianna, was away training for a ski race and DeStefano feared it could be a medical emergency.

“Hello?” she answered on speaker phone as she locked her car and lugged her purse and laptop bag into the studio.

She was greeted by yelling and sobbing.

“Mom! I messed up!” screamed a girl’s voice.

“What did you do?!? What happened?!?” DeStefano asked.

“The voice sounded just like Brie’s, the inflection, everything,” she told CNN recently. “Then, all of a sudden, I heard a man say, ‘Lay down, put your head back.’ I’m thinking she’s being gurnied off the mountain, which is common in skiing. So I started to panic.”

As the cries for help continued in the background, a deep male voice started firing off commands: “Listen here. I have your daughter. You call the police, you call anybody, I’m gonna pop her something so full of drugs. I’m gonna have my way with her then drop her off in Mexico, and you’re never going to see her again.”

DeStefano froze. Then she ran into the dance studio, shaking and screaming for help. She felt like she was suddenly drowning.

After a chaotic, rapid-fire series of events that included a $1 million ransom demand, a 911 call and a frantic effort to reach Brianna, the “kidnapping” was exposed as a scam. A puzzled Brianna called to tell her mother that she didn’t know what the fuss was about and that everything was fine.

But DeStefano, who lives in Arizona, will never forget those four minutes of terror and confusion – and the eerie sound of that familiar voice.

“A mother knows her child,” she said later. “You can hear your child cry across the building, and you know it’s yours.”

Of course, this is an extreme case, but it does demonstrate the power of AI and its ability to be used by unscrupulous and nasty people.  If this is happening in the US, it’s only a matter of time before it arrives here.

Another scam, this time reported in The Washington Post and this time, it’s an update on the very well reported CEO Scam, whereby someone impersonates the CEO of a company using spoofed email, but this time it’s using AI.  It went something like this:

Earlier this year, a sales director in India for tech security firm Zscaler got a call that seemed to be from the company’s chief executive. 

As his cell phone displayed founder Jay Chaudhry’s picture, a familiar voice said “Hi, it’s Jay. I need you to do something for me,” before the call dropped. A follow-up text over WhatsApp explained why. “I think I’m having poor network coverage as I am traveling at the moment. Is it okay to text here in the meantime?” 

Then the caller asked for assistance moving money to a bank in Singapore. Trying to help, the salesman went to his manager, who smelled a rat and turned the matter over to internal investigators. They determined that scammers had reconstituted Chaudhry’s voice from clips of his public remarks in an attempt to steal from the company. 

Chaudhry recounted the incident last month on the sidelines of the annual RSA cybersecurity conference in San Francisco, where concerns about the revolution in artificial intelligence dominated the conversation. 

Criminals have been early adopters, with Zscaler citing AI as a factor in the 47 percent surge in phishing attacks it saw last year. Crooks are automating more personalized texts and scripted voice recordings while dodging alarms by going through such unmonitored channels as encrypted WhatsApp messages on personal cell phones. Translations to the target language are getting better, and disinformation is harder to spot, security researchers said. 

Scammers can and do, use every advantage, every advance in technology, to make a few quid.  It’s a nightmare trying to keep up with this and it is essential that you have some method, be it electronic (difficult), or procedural (an easier no cost option), to identify such scams.  Your staff need training but first you have to have someone on tap to keep you up to date with what’s going on.

As AI continues to develop and is taken into use more and more, we will see a clash between its proponents and the security world. That’s nothing new. Everytime there is a new development in applications, operating systems etc, there is always a lag before security catches up. This time however AI can be taken into use with low levels of skill, at a rapid pace. Cyber security needs to be on its metal, as do IT departments, CISOs, CIOs etc. Companies at all levels need to be on their guard.