Scammers are taking a more conversational approach to getting you to hand over money and details. Why is chatbot phishing, and how can you avoid getting caught?
It didn’t take long for 2021 to reveal an approach in scams that we’re expecting to see more of. While the first obvious scam of the year came from an SMS pretending to be a major store, another showed itself up to be from a chat system pretending to be another major shop in Australia, because they’re clearly obvious targets.
Scammers are out to trick people — that’s literally their game, and how they make their money — and one of the best ways to convince people of their legitimacy is to use tools and software in similar ways to the big companies, because it makes their efforts seem only all too real.
For some, it means sending out a barrage of text messages to phone numbers harvested from the web, from a leak of a phone directory or even just randomised guessing. With over 20 million people in Australia, there’s a good chance someone is going to believe the SMS sent by a scammer is real — because anyone can fall for a scam — and so they try that approach, because text messages are one of the marketing approaches real shops use, too.
Online, it’s a slightly different approach.
Scammers will do as much as they can, sending emails, setting up fake websites, and basically using a plan of attack to convince people of their lies through all the fake they can muster, just waiting until someone falls into their rabbit hole of deceit and fraud. And this year, one of those approaches appears to be from the chat bot.
What is a chatbot?
The humble chat bot (or chatbot, both spellings are fine) is largely what its name suggests it might be: a robotic solution that you chat to. Unlike a mechanical robot or something from a science fiction novel, the “bot” here isn’t something physical, but more just something digital and automated. It’s a robot in that it takes instructions and automatically responds, so a chat bot is an online robot that takes instructions in the form of a script, executes them, and engages in a chat with you of sorts.
We’ve all seen chat bots around the web, and typically they pop up offering assistant, much like how Clippy might in old versions of Office, but in a way that’s somehow less patronising. You’ll find chat bots at your online electronics store, a mortgage broker, a bank, insurance company, and so on and so on. Each includes a script that might be able to solve your problems, or might pass you on to a real human.
But while a chat bot can be used for the purpose of good, they can also be used for an advanced kind of phishing, as Kaspersky told Pickr.
“Scams pretending to be chat bots or an employee from technical support of popular brands are yet another way cyber criminals use to deceive people into handing over personal or sensitive information,” said Noushin Shabab, Senior Security Research for Kaspersky in Australia and New Zealand.
How do scammers use a chat bot?
The scripts that make chat bots can be simple, and they can also be complicated, but whether or not a chat bot is good or bad comes down to how they’ve been written and their intended focus.
For scammer, the focus is to draw you into a funnel where you can be left up expecting, and your details can be taken and used against you. Talking to you isn’t difficult for a chat bot, but to be convincing, they need to look like they’re coming from a legitimate website you’d trust, and that’s where scammers employ techniques to ply trust, which may include a text message on your phone that looks like it’s from a real business, but is anything but.
“Scammers often use SMS messages or messaging apps to start a conversation with their targets,” said Shabab.
“At some point, the cyber criminal provides a link to an online form which requests personal and/or financial details from the user,” she said.
“Sometimes, in order to avoid any suspicion, the link might redirect the user to the legitimate website of the brand they are claiming to be. However other times, a malware is downloaded unto the victim’s device to then give cyber criminals further opportunities to do harm.”
It’s not difficult for a scammer to pretend to be an electronics store or a large telecommunications provider or anyone else, for that matter, over SMS or online. In fact, all they really need is to get within spitting distance of the name or the look of the website to grease the wheels and help people recognise the two. Once that connection is made, if someone falls for it, the chat bot can get to work.
Find yourself clicking on a fake link and opening a fraudulent version of the real website, and you might find yourself staring down the screen of a digital recreation intended to do harm, so it’s important to work out whether you’re at the real deal or the shoddy equivalent.
How do you know when you’re looking at a chat bot scam?
Determining whether you’re at the real website or a scamming equivalent comes down to the same set of tips that apply for most security checks, and typically require you to be aware of what you’re clicking on.
If you’ve clicked on something where the website address doesn’t make sense, it’s likely you’re at a fake. Scammers and cybercriminals cannot use the real website addresses for the businesses they’re trying to be, and so they’ll either try something close or something completely wrong, betting the latter on the idea that no one will check. Not checking could result in you getting ensnared, so always check.
That’s not the only advice worth heeding, however.
“Always be wary with messages announcing a big prize,” said Shabab, a researcher at Kaspersky. “If it sounds too good to be true, it definitely is!”
While that’s a lesson for life, if you do find yourself at a fake website, and you’re not sure if a chat bot is legit, there are some ways to tell.
“Be aware that almost no reputable, legitimate brand ever asks you to provide your personal information and bank details, especially when you are not expecting it. For example to pay a delivery fee for a prize they claimed you’ve won,” she said.
What Shabab refers to is the ruse often associated with scams lately: in order to convince you to hand over your credit card details, scammers need to convince you why, and the obvious why is that you’ve “won a prize”.
But there is nothing to win, and really everything to lose, so scammers say this, say they’re working on behalf of the company, and then gradually as you make your way through the chatbot’s script, you’ll eventually get to a point asking for your credit card details, usually not long after your name, address, email, and phone number have been requested. They have to make it look real, after all.
If you’re having too hard a time trying to work it out, close down the site and search up the real website using your favourite search engine. There’s a pretty solid chance you won’t be able to find any trace of the “competition” or “prize”, and will likely find your way to a website warning you of a scam. And be sure to mention that to the company and to the ACCC’s Scamwatch website or social presence, just to help future individuals not get snared, either.
