A Brief History of Everything Wireless

How Invisible Waves Have Changed the World


Earlier entries Show latest

Author's Blog

Will Google Duplex open new avenues for scamming?

2018-05-15 [Petri]

The scammers on the Internet rely on the law of big numbers: they send spam email in tens of thousands, hoping that at least a handful of the recipients will eventually fall for their scam. This is easy to automate and thus very cheap, and is one of the big plagues on today's Internet.

Fake phone calls are much more rare, but as Google showed us last week, the advances in artificial intelligence may open new avenues for scammers; how about mass-generated, convincing sounding kidnapping calls, requiring an instant payment or someone in your family gets hurt?

Let's take a look at the current and future potential in this shady side effect of the Internet:

Avoiding dubious email scams is rather straightforward: first of all, pretty much all email readers these days automatically block external references in messages, so that they won't open unless you explicitly click on them. Therefore nothing will be executed on your computer unless you act on it first, and you should NEVER do that until you have verified the validity of the message.

The three rules of thumb to do always when an unexpected email pops up are as follows:

1) Check the sender's address: valid companies send emails from valid addresses, not from “joesixpack542304@gmail.com”. True Nigerian princes have enough money to purchase a decent email address, and company representatives should have “firstname.surname@company.com” style emails for any official use, not something littered with numbers and nicknames. In addition to this, always cross-reference any return email address information against the sender info in the header: if they don't match, you most likely are reading a scam email.

Also, beware of valid-looking company names with small typos or inconsistencies: read the sender name two-three times to spot tiny, similar-sounding fake addresses, like “bankofaamerica.com” instead of “bankofamerica.com”.

2) Don't EVER click on links in the email without first checking their validity: hover the cursor on top of them, and your browser or email reader will indicate the actual underlying address in the link somewhere, for example at the bottom of the screen. So even if the mail appears to come from your bank or Apple or Spotify (the sender info in the header can be spoofed), but the link to “additional info” is a weird web address somewhere in Azerbaijan, you know that the message is fake. Just delete it.

3) Last, check if the mail is correctly addressed to you: banks and other institutions don't send personal mail to you using the “BCC” field that removes the recipient information, they will address you individually. You should also add the indication of “To:” column in received mails list of your email reader for instant reference.

For users that only use one email address, this step is less relevant, as you have no other addresses in use, but another valuable approach for you is to have a “fake” email address or addresses that you use for all less important contact cases like web competitions and sporadic information queries that might cause your email getting harvested at some point. Leave your real email only for official business.

Setting up secondary email boxes is a bit of a pain, so with about the same amount of effort plus some extra geekery and a cost of few dollars per month you could simply reserve a complete domain for yourself, giving you a much more potent tool against spam: with the whole domain at your disposal, you can create a new, fake email address for any new purpose out of thin air and without any extra effort by defining a “catchall” rule in your mail that still directs all such mail to your inbox.

An example of how to do this is as follows: your real email address on your private “yourdomain.com” is “joe.doe@yourdomain.com”, but as you own that domain, you have been able to set up a “catchall” rule, that brings mail sent to “whateveraddress@yourdomain.com” to your inbox.

Therefore, when you come across a web competition at site “winmillionbucks.com” and you are tempted enough to participate in it, don't type in “joe.doe@yourdomain.com”, type in “winmillionbucks@yourdomain.com”. Any mail sent to this address will still come to your inbox, but if you have set up the “To:” field to be displayed, you immediately know what is the origin of this email. And if you start getting tons of spam to it, you can make a simple rule that automatically junks anything sent to it: you will never be bothered about it again.

If you always create a new name to every new customer relationship you need, you can also see when that company's email list gets hacked or sold to spammers: for example, I used this “companyname@yourdomain.com” approach with one large and legitimate company a couple of years ago, and have since started getting pure spam into this address.

As I never used that address anywhere else than on their registration page, it is absolutely clear that somebody hacked their customer database, yet the company has never admitted this to have happened.

In terms of domain management, I have had a long, happy relationship with NameCheap.com for over ten years. Don't let the cheesy name fool you, they know their business much better than the first domain provider I used many years ago. They got very intuitive management interface, and I never had any issues with them while managing several tens of domains.

By the way, having the mandatory management contact info for your domain is a magnet for spammers. Namecheap offers additional WhoIsGuard-service that rotates your contact address so that any harvested addresses become invalid in very short time, thus saving you from spam.

Regarding email content, a simple rule is that you can be pretty sure that mails with typos don't come from legitimate companies: they have their outgoing messages proofread by competent persons many times over before they hit your inbox.

And don't ever load the missing images that your email reader have blocked just to make it look "pretty": some spam is simply trying to determine if the email address is valid, and the link to a missing image item in the message may have been individually coded so that it will register the email address as active, hence generating more spam to it in the future.

The best hoax attempts use valid real-company links for images, logos and generic info, and only utilize fake address to the main contact link that they provide. As mentioned, you see the actual underlying links by hovering your mouse over them.

And finally, read the content and stop and think if it makes sense: banks don't ask for your personal details or PIN codes, they have those already, backed up gazillion times so that they won't just accidentally “lose them”, and no self-respecting company would rely on email only for changing any personal details, they have much more complex processes for that.

But having a phone conversation is a very different animal: you miss all the supporting context verification information, and as the discussion is a real-time process, you have very little to work on apart from the content itself.

The best you can do is to ask for a name and number to call back, then cross-reference that number with the actual numbers listed for the company or institution in question, and make the call. Any valid company or institution will provide you this information, and any hesitation of dubious explanations about this is a red flag. Just hang up.

In general, phone scams are much less common as they take time and effort from a real person: usually some preliminary background work is needed, and this prior work + real person doing the call means money needs to be spent, so these scams need to have high enough expected success rate to make them worth the additional effort.

Until now.

Enter Google Duplex: with the new, very convincingly talking AI, you can automate this process, and as the time is wasted by a computer, you can easily cold call thousands of persons with no or very little background checking. With big enough pool of targets, there will always be some that match the attempted goals of the call, and therefore may fall for it.

The demos at Google's I/O conference were eerily lifelike, instantly sparking ethics suggestions that it should be mandatory for robocalls to announce their artificial origin: after all, you are interacting with a real person at the other end. So no wonder that Google promptly promised to add this feature to the system.

But if this kind of technology becomes widely available, the bad guys by default have already tossed all ethics aside, so this potential for real-time spoken word misdirection will inevitably be our future: a lot of our verbal interaction will no longer be person-to-person, but AI-to-person, which opens new avenues for entrepreneurial scammers in ways that we can't predict.

Currently, recognizing a recorded robocall is straightforward, but if the calls you get are littered with AI-generated, interactive and context-aware spam, you can only rely on the call back approach: get relevant contact details, cross-reference them against information on the web, and then call back. Beware of anything that requires you to act right now and right there: the IRS can wait for your delayed payment from two years back for a couple of days more, and your bank will have a standard contact method that you can use.

This doesn't always work, unfortunately: one very scary possibility is AI-generated fake kidnapping calls with attached death threats in countries where this kind of behavior is prevalent. For obvious reasons, you can't call back to verify: all you can do is keep track on who is where and rely on other means of figuring out if they are safe or not.

With good AI it is even possible to fake a distressed sample of speech of the claimed target, so agree in advance on an innocent-sounding exchange of words with your family members to indicate that you really are dealing with a real case.

And I'm sure that the imagination of the scammers will come up with use cases for AI phone calls that we can't even imagine yet, so as we can't stop progress, we should all start mentally preparing for attempts that try to get us “Google Dupe-x'd” by using one of the oldest inventions for communications - the telephone.

Permalink: https://bhoew.com/blog/en/19

Show latest Earlier entries

"Can I call you back" is the valid response to surprise calls like this


You can purchase A Brief History of Everything Wireless: How Invisible Waves Have Changed the World from Springer or from Amazon US, CA, UK, BR, DE, ES, FR, IT, AU, IN, JP. For a more complete list of verified on-line bookstores by country, please click here.



Earlier entries:










You can purchase A Brief History of Everything Wireless: How Invisible Waves Have Changed the World from Springer or from Amazon US, CA, UK, BR, DE, ES, FR, IT, AU, IN, JP. For a more complete list of verified on-line bookstores by country, please click here.


PRIVACY STATEMENT AND CONTACT INFORMATION: we don't collect anything about your visits to this website: we think that your online history belongs to you alone. However, our blog comment section is managed by Disqus. Please read their privacy statement via this link. To contact the author directly, please costruct an email address from his first name and the name of this website. All product names, logos and brands are property of their respective owners and are used on this website for identification purposes only. © 2018 Petri Launiainen.