The cyber threat landscape is getting worse. Driven by new and terrifying AI-fueled threats, it’s getting harder and harder to tell the truth from the fake, the sure from the sorry. With “criminals leveraging generative artificial intelligence (AI) to commit fraud on a larger scale, which increases the credibility of their schemes,” as the FBI warned last month, it would be good to know some of the telltale signs to help us eradicate the threats that now sneak into our inboxes.
The vast majority of cyber attacks start with a phishing email, so better security of our Gmail, Outlook and Apple Mail inboxes, as well as any others, would make a big difference. Email remains a legacy technology that needs a refresh – it’s clear that platforms can do a better job keeping us safe and better use AI to filter out threats.
Sometimes, though, it’s the little things that help. So it is with the FBI’s latest warning, which gives you a strong indication that an email should be deleted before it can be read or even opened. “Pressure to ‘act quickly’,” the bureau says, could easily be “a sign of a scam.” I will go further. Any email that emphasizes urgency or the need to “act fast”—unless it’s from someone you undeniably know and absolutely trust—should be avoided.
Microsoft echoes this, warning that you should “be suspicious of emails that claim you need to immediately click, call or open an attachment. Often, they will claim that you need to act now to claim a reward or avoid a penalty. Creating a false sense of urgency is a common trick of phishing attacks and scams. They do it so you don’t have to think too much about it.”
And Google says exactly the same thing: “Slow it down. Scams are often designed to create a sense of urgency and often use terms like ‘urgent, immediate, disable, unauthorized, etc.’ Take time to ask questions and think it through.”
This latest FBI warning comes as part of a package of suggested measures to protect against scammers who use major disasters as a lure to trick victims, like the California wildfires. And this is another warning sign. Criminals need a hook, and there’s none better than a disaster that may have directly affected you or where you may want to provide charitable assistance. Or it can be very different, for example, recovering a TikTok account during the shutdown.
ESET’s Jake Moore warns that “forcing people to act fast and think later can be an effective way to get people to respond immediately without leaving any time to err on the side of caution. So however confident you may feel in responding, it’s always worth remembering to take your time and do due diligence where necessary.”
And CISA – the US cyber protection agency – suggests being very wary of any email that uses “urgent or emotionally appealing language, especially messages that claim dire consequences for not responding immediately… If a message looks suspicious, it’s probably phishing… However, if you think it might be real, don’t click on any links or call any numbers in the message. Look for another way to contact the company or person directly.”
That said, more sophisticated phishing emails look a lot less suspicious than ever before. AI helps tone down language and remove spelling and grammar mistakes; it also creates realistic images and can mimic any brand.
The FBI’s phishing tips remain as valid as ever — despite AI making it harder to identify a threat with a cursory scan of copy and images:
- “Remember that companies generally do not contact you to ask for your username or password.
- Do not click on anything in an unsolicited email or text message. Look up the company’s phone number yourself (don’t use the one a potential scammer is offering) and call the company to ask if the request is legitimate.
- Carefully review the email address, URL, and spelling used in any correspondence. Fraudsters use small differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never turn it off.
- Be careful what information you share online or on social media. By openly sharing things like your pets’ names, schools you attended, family members, and your birthday, you can give a fraudster all the information they need to find your password or answer your security questions.”
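An added example, not from the FBI, Google or this article's author: a small Python triage function that flags the urgency terms Google lists and applies the FBI's tip to review the sender's address for small differences. The trusted-domain list, the sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Terms from Google's advice, plus the "act fast/quickly/now" phrasing the FBI and Microsoft describe.
URGENCY = re.compile(r"\b(urgent(ly)?|immediate(ly)?|disabled?|unauthori[sz]ed|act (fast|quickly|now))\b", re.I)
# Assumption: domains you genuinely correspond with (constructed for this example).
TRUSTED = {"example-bank.com", "example.org"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return reasons to slow down and verify this message through another channel."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    reasons = ["urgency language: " + ", ".join(hits)] if hits else []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in TRUSTED:
        for good in sorted(TRUSTED):
            if 0 < edit_distance(domain, good) <= 2:
                reasons.append(f"sender domain {domain} resembles {good}")
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply and reply != domain:
        reasons.append(f"Reply-To domain {reply} differs from From domain {domain}")
    return reasons

# Constructed sample messages (not real mail).
PHISH = """From: Example Bank <alerts@examp1e-bank.com>
Reply-To: help@mail-collect.example
Subject: URGENT: unauthorized login

Act now or your account will be disabled immediately.
"""
BENIGN = """From: Example Bank <alerts@example-bank.com>
Subject: Your monthly statement

Your statement is ready in online banking.
"""
```

An empty result is not proof that a message is safe; well-written phishing can avoid every one of these signals, which is why the advice to verify through a separate channel still applies.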
“Impressive manipulation tactics are constantly improving,” ESET’s Moore told me, “and can often leave people surprised at how easily they are influenced. Deceptive communication is based on heavy emotional impactful messages and manipulative tactics that can work very efficiently for unknown victims.”
You have been warned – don’t “act quickly” after all.