Australian technology news, reviews, and guides to help you
Australian technology news, reviews, and guides to help you
Surfing the web on phone and computer

How chatbot scams work

You get a message pop up on your screen from a major brand, and it says you’ve won a prize. It’s talking to you like a human. Could it be real?

Scammers will do anything to get your money, and when we say anything, we mean it. Much of what a cyber criminal does is trying to do as little as possible in the biggest way, which in the world of technology means automating something.

“Automating” is exactly what it sounds like: setting something up so it can happen repeatedly — automatically — without anyone needing to intervene. For a scammer, it’s a holy grail of activity, because if you set up the perfect routine for someone to follow, it’ll snag someone in its web of lies. Scammers love themselves some automation, too, because even if it doesn’t work on 29 out of 30 people, there’s always the chance it’ll work on that remaining one person, and then it’s a pay day of details, which can be sold or used later on.

Unfortunately for us, automation is very much how scammers can rig up a chat scam, also known as a chatbot scam, whereby a company randomly starts talking to you through a chat system to convince you of its legitimacy. It’s the sort of thing you’d expect a big company to invest in, which helps to make it even more legitimate, and yet, of course, is anything but.

Recent reports of chatbot scams in Australia include one where scammers purport to be from Woolworths, and have the Woolies chat agent promise a prize, only to end up having you hand over details to a scammer.

Obviously, scammers such as these can be somewhat convincing, but part of how you can learn to avoid these is learning how they actually work. So how do chatbot scammers work, and what can you do to pick up on these fakes?

How do chatbot scams work?

A slightly more advanced take on phishing scams where someone sets up a fake website, chatbot scams are kind of a two part operation: the scammer creates a fake version of the brand you trust, and then places a chatbot on that page to make it seem more legit.

Online chat systems are fairly common for big brands, as it provides a way for people to talk to the staff of that brand if there’s a problem, a comment, or a suggestion. In essence, online chat windows are a direct line of communication for regular people to talk to people working for that company.

But they’re not a thoroughly complex bit of code these days, and provided you have the right knowledge, you can not only put a chat system in place, you can put an automated chat bot in place. A chatbot will field requests and respond to specific sets of keywords, so that it can talk in the place of a real human, before connecting the user to a real human later on, if they’re even needed.

To make a chatbot scam, cybercriminals essentially need to bring together a fake site meant to look like the real thing and ensnare victims — a phishing site — and that chatbot system, making the two work together. Building a phishing site isn’t hard, and rolling out a chat bot to sit on one isn’t remarkably difficult either, with both of these merely taking the time it takes, however long that is.

Once it’s in place, when the window pops up, victims will see a site that looks close to the real thing, but with a chat window that appears seemingly authentic, like the real page might have. That adds to how scammers attempt to pass off these fakes as something legitimate in the hope that users don’t look deeper, and take it at face value.

Of course, taking a chatbot scam at face value is likely to get you in trouble, because you’ll have trusted something that didn’t deserve your trust in the first place. So how do you work out if you’re being led to a chatbot scam trap?

How to work out if you’re being scammed by a chatbot

Computer user

Even with the slightly layer of complexity that is a chatbot, there are often typical telltale signs that you’re at a fake website, and often that’s found in the top part of your browser, the website address also known as the URL. That’s the https:// you’re used to seeing at the top of the browser, the part where the security lock goes, and even the padlock can be a bit of a red herring these days.

It’s here that a scam can be picked up quite easily, because scammers can’t fake the real site. Instead, they’ll typically do one of two things:

  • They’ll either attempt a fake that is similar, such was replacing characters or making it sound the same, such as or, or
  • They’ll keep something outlandish betting that you won’t check the address in the first place.

Looking at the URL is the first indication of whether you’re at a scam, because while phishing sites can have their flaws, they can also look authentic. Typically, there’s something about a site that isn’t quite legit, such as a low resolution logo or text that doesn’t seem quite as clear. Spelling errors are common, as is poorly grammar and language problems, as scammers don’t typically speak the language of the place they’re running the scam in.

But even throughout this, a phishing site can be convincing. It can fool even the most resilient and aware individuals, though it can’t trick the website address, the URL. It’s here that you can stop a scammer in their tracks.

A dodgy URL on a JB HiFi SMS scam
A dodgy URL on a JB HiFi SMS scam

You can also search for the website specifically that you’re at, specifically if it has outlandish claims like giving you a prize or being threatened with action. Searching for the real website will generally put these claims to rest, because Google and other search engines will bring up both the real site, as well as websites showing these claims as scams instead. The websites belonging to scammers don’t exactly appeal to Google, and are unlikely to appear in a search listing over the real thing.

Ultimately, it helps to be a little sceptical online, and judge what you see with a grain of salt, especially if it has appeared out of the blue.

Scam sites typically bury themselves as pop-ups on other sites throughout the web, opening up from random websites — perhaps a shop listing, a random news post, a social media link, or even just something emailed to you — and hope you don’t check out the obvious signs suggesting it’s a scam. And many people don’t, which is why scams are a big deal, with the ACCC noting that it rakes in a lot of money.

Not getting caught out is one of the best ways to reduce that considerably, and to keep you safer online. That just means you need to pay a little bit of attention to what your web browser is telling you, not just what it’s showing you on the internet, as well.

Read next