Experts warn businesses must understand risks of ‘industrial scale’ AI scams

It’s no secret that AI technologies are enabling cyber criminals to carry out more sophisticated, slicker scams than ever before.

Fraudsters have wasted no time in getting to grips with AI, for example using deepfake technology to create an almost exact clone of a voice and pose as a loved one in a WhatsApp voice note. It’s estimated one in 12 Britons have fallen victim to these scams, with 77% of victims losing money as a result. What’s more, searches for ‘Smishing scams’ have increased by 24% over the past year; the term was coined to categorise the WhatsApp or text message version of email phishing.

But what threats do these technologies bring to businesses? In the first quarter of 2023, a report by Fortra found that a quarter of all emails in corporate inboxes were malicious or fraudulent and 99% of these were impersonation attacks.

Earlier this month, world leaders gathered for the first AI Safety Summit to discuss the risks that AI brings and how these can be mitigated through ‘coordinated action.’ Elon Musk’s seemingly bold claim that AI will ‘take our jobs’ in years to come may have raised concern amongst workers, but cyber criminals are viewing the technology as a gaping opportunity.

Now, cybersecurity experts are warning that the use of AI will ‘industrialise’ financial fraud in 2024, and are urging businesses to familiarise themselves with the most common tactics scammers are adopting as a result.

Tom Holloway, head of cybersecurity at Redcentric, comments: “In the past 12 months, we have seen countless examples of businesses being stung by these extremely skillful cyber criminals. Next year, this is something we only expect to become more common as scammers trial new methods and AI tools develop further.

“It is vital that business leaders, finance teams and individual employees understand the risks they are being exposed to. Ultimately, cyber criminals have the ability to bring an entire business down at the click of a button.”  

When it comes to the business areas that are the most vulnerable, it’s finance teams that are the main targets for cyber criminals, experts say. 

Simon Litt, finance expert at The CFO Club, adds: “More than ever before, it’s so important for finance teams to both implement a vigilant cybersecurity strategy and treat everything as a potential threat.

“We’re used to seeing criminals use AI to create personalised phishing emails appearing to come from senior finance directors and chief finance operators, asking finance teams to transfer large funds. But that isn’t the extent of it any longer. We’re also seeing cyber criminals scrape information from finance teams’ LinkedIn profiles, and use this to create personalised targets. I’d anticipate this is only going to become an increasingly common occurrence in 2024.”

To help businesses protect themselves from cyber criminals in 2024 and mitigate the risk of a fraudulent attack, Tom and Simon have shared their top 4 tips for business owners to take into next year:

Consider how much information finance teams expose on social media

“As a basic rule, it’s vital that team members don’t expose any financial information on social media,” Tom comments.

“For example, exposing the fact that you are responsible for budgets worth over £10 million on LinkedIn is going to attract cyber criminals like a moth to a flame. Once they have this information, they know exactly what they’re working with, and can begin to create their personalised target.

“Whilst it can be tempting to shout out about significant financial responsibilities, or indeed major new account wins, the risks that come with this should not be underestimated.”

Watch out for deepfake videos posing as other team members

“If you have team members who market themselves well by presenting webinars or posting advice-led videos on LinkedIn and on your website, cyber criminals can easily extract the voice that is featured and create a false voice note or even video posing as this exact team member, using AI.

“For team members who aren’t clued up on this, it can be extremely easy to fall into this trap. Be extra mindful to consider whether this is ‘normal’ behaviour for your team member to send a voice note or video to you, and if it isn’t, then it’s likely to be a scam.”  

Be extra cautious during ‘heightened risk periods’

Simon comments: “If you have just announced a new CFO appointment, or perhaps a large business acquisition (or even loss), this makes you a prime target for cyber criminals.

“These events provide cyber criminals with the opportunity to create a personalised narrative for their attack, which would appear plausible to most employees. It’s vital that businesses, and particularly finance teams, take extra caution during this time by carefully reviewing every external email they receive.”

Tom adds: “Cyber criminals routinely imitate banking or HMRC emails that would appear to be relevant in any of these scenarios too. If you weren’t expecting any of these emails, then it’s highly likely they are a scam.”

Ensure all employees use a password manager

“A recent study we conducted found a huge 77% of people in the UK don’t use a password manager, and an alarming 23% save their passwords in the browser.

“In the workplace, it’s massively important that all passwords are stored safely, either in a secure password manager or document that requires two-factor authentication in order to be accessed.

“Storing your passwords in any insecure place that doesn’t itself require a password to access could result in them being very easily stolen. Once a cyber criminal has access to any password document, it’s pretty much game over.”

Tom adds: “If you’re ever unsure whether an email, social media message or text message is a scam or not, report it immediately to the NCSC (National Cyber Security Centre) by forwarding the email to report@phishing.gov.uk, and forward smishing SMS messages to 7726; NCSC will reply asking you to copy and paste the number that sent the original message. Doing this enables the appropriate agencies to pursue the criminals and pull down their operations, helping to protect us all from the threat.”