You’ve probably heard that all kinds of cybercrime are on the rise. Scams and phishing are everywhere, new fraud cases pop up every day, and reported losses are in the billions – not counting all the losses that aren’t reported. And with AI tools that can write perfectly and imitate voices and even faces on video really well, sometimes scams can look like the real thing. Being aware of criminal tactics and taking protective measures is key to keeping yourself safe.
See Why Everyone’s a Target with Gabrielle Hempel for a complete transcript of the Easy Prey podcast episode.
Gabrielle Hempel is a Security Operations Specialist at Exabeam, where she does a little bit of everything related to internal cybersecurity. She has a Master’s degree in cybersecurity and global affairs, where she did her thesis on critical infrastructure security. In addition to her expertise in security strategy, vulnerability management, and cybersecurity risk consulting, she is currently a law student at Purdue University.
Gabrielle didn’t start out intending to work in cybersecurity. She didn’t even know it was an option. Her undergraduate degree was in psychology and neuroscience, and she worked in genetic science and pharmaceuticals after graduation. That’s actually how she got into the security end of things. Working with medical device manufacturers on regulation compliance, she discovered a lot of these devices had exploits. She didn’t know anything about the field at the time, including why these devices connected to the internet or why someone would want to exploit it. But she learned, and a few years later ended up working in cybersecurity.
It Can Happen to Anybody
Gabrielle has been caught in an incident of fraud before. And it’s an interesting one because there’s not much that could have been done about it. In college, she still lived with her parents. One year, her parents went to file their taxes on TurboTax, and TurboTax said they couldn’t file because they’d already filed. They had all been victims of tax ID theft. Someone had gotten enough of their information to file taxes in their name.
They all had to sit down with the IRS and do their tax returns manually so the IRS could make sure they weren’t trying to defraud the government and it actually was a case of stolen identity. Then they put a bunch of monitoring precautions on the whole family’s information. To this day, Gabrielle has to enter a special PIN to submit her taxes so it doesn’t happen again.
These kinds of things happen more and more often. Everyone’s been a victim of an incident – the question is just whether or not you know about it. With security, it’s a question of “when,” not “if.” Lots of organizations talk about contingencies if something were to happen, but it will one day. The only question is the scale. That’s how Gabrielle feels about scams, fraud, and phishing. People ask if she’s worried about her information being out there, and she knows it already is. The key is to stay vigilant and be aware of if and how it’s being used so she can take action if necessary.
All of my information is out there. And it’s more just staying vigilant and making sure that I keep an eye on how it’s being used. – Gabrielle Hempel
The Current State of Phishing, Fraud, and Scams
Scams are a topic that interests Gabrielle. And working in cybersecurity, it’s part of her job to pay attention to new cyberattacks. She’s seeing a lot of scams that blend in with the bigger ecosystem of cybercrime. Both scams and bigger crimes use many of the same tactics. Big cyber actors are doing impersonation, domain spoofing, and more, and we’re seeing that in a lot of fraud and scams, too.
Phishing emails are used for everything. Think about it like a pry bar to get into a house. You can use the same tool to get inside no matter what you’re doing, and once you’re in you can do whatever it is you’re trying to do. Phishing opens the doors to all sorts of things, from big cyberattacks to scams.
Gabrielle sometimes goes through her spam folder for a laugh, and there’s always tons of emails that she never sees. Some of them are extremely obvious, but some look quite convincing. There are more high quality phishing and scam emails now – AI makes it easier to write them. Even at work, sometimes it takes several people to tell whether or not an email is legitimate. A few weeks ago, Gabrielle got one from X/Twitter that looked extremely legitimate. She ended up reaching out to X’s legal team, who confirmed that it was fake. But some people she knew thought it was real. And they were all cybersecurity experts. It was very targeted and looked extremely real.
Offense, Defense, and AI
If phishing is getting better, one would expect to see more scam and phishing messages getting through email spam filters. But that’s not what Gabrielle has seen. Email companies are doing a good job staying on top of the changes. If AI continues at its current pace, we could see an uptick in the future. It keeps getting easier to commit crimes, and it’s always harder to react to crimes.
The challenge with filtering is that we never want something legitimate to get rejected by the filter. Gabrielle read something last week talking about AI that said that offensive AI has to be effective, while defensive AI has to be accurate. This makes sense. You don’t want to cause consequences for someone by cutting off their access or routing important and time-sensitive messages to the junk folder. The challenge is that defenders have to get it right 100% of the time, while attackers don’t have to get it right very often. If they get even one person to click, they’ve got access.
The thing that makes Gabrielle most nervous is that AI will make it much easier to customize scams and phishing messages. Different scams work for different people. A twenty-year-old doesn’t care about Medicare, and a ninety-year-old in a retirement home isn’t likely to be interested in concert tickets. But as scammers get more information about us, they’ll be able to target us better. Gone are the days of the Nigerian prince. Now they can claim that they went to your high school and you have a mutual friend. It will make getting caught in it that much easier.
New Trends in Phishing and Scams
Voice cloning and deepfakes have both become major tools in the scam and phishing playbook. These are difficult because the detection we have isn’t very effective yet. There are articles out there about hiring teams who had someone show up for a video interview who turned out to be a deepfake. It’s one of the trends Gabrielle finds most concerning, because some are extremely convincing. There are times when she’s watched a video multiple times and still not been sure if it’s real.
The same is true for voice cloning. Gabrielle has a friend who is really interested in voice cloning. He wanted to see how long it would take him to make a voice clone of a mutual friend. It took him fifteen minutes to make a pretty good clone. AI clones these days are quite good. They might not fool your spouse, but they will probably convince an acquaintance. Ten years ago, you could ask someone to get on a video call to weed out the fakes. A year ago, you could tell if the video quality was bad or something looked not quite right. Now, people can make passable AI clones without a lot of work.
Another trend is incorporating current events. We started to see it with covid and a lot of scams with vaccines, testing, and similar things. Since that worked, scammers are now doubling down. One that Gabrielle has seen lately is package delivery. We all know what’s going on with tariffs. It’s a perfect ploy for scammers to say your package can’t be delivered until you pay this extra tariff. Scammers are getting very good at using news to make their stories sound plausible.
Anyone Can Be a Target
There is a very common belief that most scams and fraud target older people. Gabrielle used to think the same thing. People talk about scammers out to get our grandparents, and there are tons of books and workshops to help retirees protect their data. But FTC data has shown that this isn’t the case. People ages 20 to 29 are the most commonly targeted and the most frequent victims.
For a while, Gabrielle couldn’t comprehend how this was true. Young people are digital natives. They grew up with the internet and smartphones, so it seemed logical that they would be the ones who would best understand that fraud, scams, and phishing were out there. But that’s not the case. She realized a part of it is because the tech has always worked. When Gabrielle was growing up, the tech was imperfect. She had to be patient with dial-up connections and learned about antivirus from using LimeWire. Tech didn’t always work the way it was supposed to, so you had to understand how it worked and sometimes modify it. These days, tech is more plug-and-play. There hasn’t been this distrust in tech.
Another potential reason is that while older people tend to be more leery of tech, younger people are doing more of their life online. This means that they’re less likely to question doing something important or making a big financial move online. Additionally, when scammers are targeting people online, there’s just more opportunity to run into a scammer if you’re online more. And young people are getting phones younger and younger, before their brains develop enough critical thinking to realize that something is a bad decision.
When you’re online eighteen hours a day as opposed to two hours a day, there’s just more opportunity to be scammed. – Gabrielle Hempel
Protecting Yourself from Scams and Phishing
Cybersecurity has a concept called zero trust, where you assume there could be a risk to a network anywhere at any time. We live in an era where we as individuals need to have zero trust communication. Look at everything as a potential scam. Gabrielle doesn’t like living like that, but it’s the way the world is. If you didn’t initiate the conversation, assume it’s suspicious.
We live in an era where consumers need to adopt zero trust in communication. – Gabrielle Hempel
Nothing is free. If somebody offers you something for free, be extremely skeptical. Be wary and stay aware of current threats. AI impersonation is hard to spot. Some people develop a code word with their family or ask something only that person would know to verify. You can never be too careful. Scammers even try to exploit decency. They’ll send something that seems important, and you’ll want to let them know they have the wrong person. But it’s better to not respond. If you’re not expecting it, it’s probably not legitimate.
Do your due diligence and always research. Even if you feel like it’s genuine, try to go around – find the contact information for the person or company separately and reach out that way. Basic cybersecurity precautions will also serve you well. Don’t click links in emails. Be vigilant about phishing. Know that AI is out there. There are some detection tools that you could try using if you want. Hopefully AI detection will eventually be good enough to stop things before they happen. In the meantime, stay cautious.
You can find Gabrielle Hempel on LinkedIn or on X @GabSmashh. Find Exabeam at exabeam.com.
