Republished on January 16 with new reports on the hacking of AI calls and the FBI’s own challenges from Chinese hackers infiltrating US networks.
It starts with a simple phone call, a text, a pop-up – but ends with a life-changing loss. It is a dangerous enough threat that Google has updated Android to protect its users. While there are many warnings about apps you shouldn’t install on your phone or laptop, this one is much simpler. You should never install these apps.
The FBI has dubbed this threat the “Phantom Hacker,” and it made the news again this week, with the bureau warning that it’s “growing rapidly,” and that “scammers don’t discriminate against anyone — they want money from anyone.”
The concept is simple, the FBI explains: “Fraudsters impersonate bank representatives to convince victims that hackers have penetrated their financial account. Victims are urged to move their money quickly to protect their assets. In reality, there was never a hacker, and the money that was transferred is now completely controlled by the fraudster.”
There are variations on this theme, such as attacks by scammers pretending to be tech support representatives. But the most effective attack is the banking representative. You will end up talking to a convincing (albeit fake) bank representative who helps you transfer your money from the “hacked” account to a new secure account to stop your money being stolen. You are told that this is urgent and it is happening now, giving you no time to think. In reality, you are moving your money into an account controlled by the fraudster.
While these attacks may simply ask you to approve a transaction within your banking app, many of the calls “direct the victim to download a software program that allows the fraudster remote access to the victim’s computer.”
You are told this is to stop the imaginary hacker. “The scammer asks the victim to open their financial accounts to determine if there have been any unauthorized charges – a tactic to allow the scammer to determine which financial account is most profitable to target. The fraudster informs the victim that they will receive a call from that financial institution’s fraud department with further instructions.”
The rules for staying safe are stupidly simple.
- Never install an app when a supposed tech support or banking individual who contacted you sends you a link or directs you to a website.
- Your bank or credit card company will never call and ask for your security credentials. If someone does, you always have the right to call them back through the usual channels to make sure they work for the establishment they claim to.
- Never, EVER move money anywhere on the word of someone who contacted you on the phone. This will never be a real solution. If they work for the bank as they say, they can stop the transaction – think twice.
Google has added call fraud protection to its latest Android system to protect you in multiple ways. It can put artificial intelligence on the device to listen in on calls and alert you when it suspects fraud – such as a supposed bank representative asking you to make a transaction. And as Android Authority explains, it will also “prevent users from disabling Google Play Protect during voice calls to prevent bad actors from tricking users into installing malicious apps on their devices.”
Regardless, you should never, EVER install an application on your phone or laptop if you have been asked to do so by a technical support or bank representative during a phone call. The only exception is when you have contacted them directly using normal channels. For example, you can use an app to send photos or run a live video link or diagnose a system bug. But you don’t do this when there is an incoming call or text.
The FBI’s full advice for keeping Phantom Hackers at bay is below; if you believe you have been the victim of such a crime, you may report it to the FBI’s Internet Crime Complaint Center (IC3), which can be found at www.ic3.gov.
- Do not download software at the request of an unknown person who contacted you.
- Do not click on unsolicited pop-ups, links sent via text messages, email links or attachments.
- Do not contact the phone number provided in a pop-up, text or email.
- Do not allow an unknown person who contacted you to have control of your computer.
The bureau is not immune to attacks on its own subpoenas, although these tend to be more complex and have broader implications. A few weeks ago, the FBI warned smartphone users to stop texting and use end-to-end encrypted messages. This followed the widespread hacking of US networks by China’s Salt Typhoon hacking group. But according to Bloomberg on Thursday, the bureau is now said to have warned agents that some of its call logs stolen from AT&T during the raids may be able to identify sources and possibly informants.
It also appears that if you have fallen victim to an actual call scam, you are in good company. It really can happen to anyone. As CNN reported Thursday, “even world leaders get scam calls; just ask the prime minister of Thailand.”
The party leader “revealed that she received a call from an AI system, asking for money in the voice of another famous head of government. Paetongtarn Shinawatra did not reveal who the computer was impersonating, but said she received a message with a voice identical to a known leader.” “The voice was very clear and I recognized it immediately. First they sent a voice clip, saying something like, ‘How are you? I want to work together’ and so on,” Paetongtarn said, adding that whoever sent the message “probably used AI to pick up the voice” of the unnamed world leader.
This is on a different level from bank teller fraud and relies on using AI to mimic voices well enough to lure a victim. Coming full circle, the FBI also warned users to beware of this scary new threat in a special advisory last month.
“Generative AI,” it warned, “takes what it’s learned from examples given by a user and synthesizes something entirely new based on that information…Criminals can use AI-generated audio to impersonate well-known, public figures or personal relationship to extract payments.” Something else to take care of.