Tuesday, September 12, 2023

Fraud-as-a-Service + AI = Bad News

 By Catherine Powell

Cyber crime by Nick Youngson CC BY-SA 3.0 Pix4free

As scary as the wild weather has been this summer, there's another storm brewing on the horizon that's even more terrifying: Fraud-as-a-Service.  This kind of crime ran rampant during the pandemic.  International cyber gangs made billions at taxpayer expense by submitting fraudulent unemployment applications using stolen identities.  Just like drug cartels, these gangs would use local affiliates to cash in before paying them a percentage of the take.  Even if caught, the local mule wouldn't be able to implicate those higher up on the food chain, since all their instructions were delivered electronically.  The FBI determined that the hierarchy of the biggest cyber gangs originated in places they had no jurisdiction, like Russia, China, and Nigeria. What's worse is that these illegal enterprises proved so lucrative that the organized criminals running them decided to up the ante by using artificial intelligence to amp up both the scope and range of their shenanigans.  If you don't want to get roped into these cyber frauds, there are a few things you need to know.

What is Fraud-as-a-Service (FaaS) and how can it affect you?  

Instead of selling drugs or guns, wily cyber criminals have turned to selling AI tools to wannabe online fraudsters. These fraud-for-hire schemes not only openly post help-wanted ads on popular social networks, they even offer to school new recruits in the ABCs of online crime. Professor David Maimon, a criminologist at Georgia State University, recently uncovered a video that showed a hacker dressed all in black and wearing a skeleton mask, making the following pitch:

"Yes, I sell Chase bank accounts. Yes, I was one of the first people to sell fake bank accounts four years ago," the man who calls himself "Sanchez" said. "I started with my partner four years ago. Now there are about 30 people in my office."


The video goes on to explain how Sanchez and his group have spent the past four years honing their skills and that they are only weeks away from resuming their illicit escapades. He ends the video with these chilling words, "This is just the beginning.  It will be even better.  Trust me." As flagrant as it seems, this brazen callout to criminals is nothing new. In the past few years, cyber gangs have recruited worldwide help for everything from ransomware and sextortion schemes to welfare and loan fraud. The heads of these criminal organizations operate with impunity since they're based in locales beyond the reach of US law enforcement. They further insulate themselves by using untraceable forms of communication and payment. They also avoid getting their hands dirty by hiring local affiliates to perpetrate the actual crimes while they pull the strings from afar.

Far from being victimless crimes, the actions of these cyber criminals have resulted in hundreds of billions of dollars in losses to businesses and individuals, as well as hundreds of deaths.

  • Paycheck Protection Program scammers robbed the US government of more than $100 billion. In what could be deemed the world's largest fraud of all time, the same government program designed to keep US businesses afloat during the Coronavirus pandemic was fleeced big time by international criminals. The CARES Act, which ran from April 2020 to May 2021, was meant to be a lifeline for businesses unable to meet their payrolls during the pandemic. Business owners were encouraged to apply to banks for loans of up to $10 million. The sheer volume of applications made it nearly impossible to police who got the loans or how the money was used. It was only after the fact that the government discovered that more than 15% of these loans turned out to be fraudulent. Since the US government distributed $800 billion in CARES loans, this makes the fraud total approximately $120 billion. Only 496 suspects were ever prosecuted for crimes totaling $581 million in losses. Whatever became of the other $119.5 billion that was stolen is anybody's guess, but much of it was believed to have been moved offshore.
  • Can you rent a wreck? You can if you rent a botnet from a cyber gang only to use it to wreck a business or government agency via a DDoS attack. A distributed denial-of-service attack can be used to cripple any business or government computer network by bombarding it with a flood of traffic that slows the server to a crawl. Where in the past cyber criminals would use these attacks to force businesses to pay up, some cyber gangs now prefer to let their affiliates carry out these malicious attacks as long as they pay a portion of the ransom to the gang. These same gangs are just as likely to sell their affiliates stolen credit card numbers, healthcare records or fake user accounts gleaned from their nefarious activities.
  • Can you be shamed to death? It used to be that only philandering spouses were vulnerable to extortion for being caught having an affair, but not any more. Now unscrupulous cyber criminals have turned sextortion into a lucrative industry that pressures everyone from starlets to teenagers into paying up or having lurid photos or videos of them posted online. Once the trap is sprung, the threats can ramp up to the point where the victim may consider ending their own life rather than suffer the humiliation of having their sexual indiscretion revealed to one and all. These sexual extortionists prowl social media sites looking for easy prey. Many of the victims' families fail to realize until it's too late that their loved ones have been targeted. What most victims fail to realize is that the majority of these attacks are being perpetrated by international cyber criminals. Only last year, the FBI working with Interpol managed to get 40 sextortionists arrested in the Philippines. However, that's just a drop in the bucket. Recent hotbeds of sextortion have included Eastern Europe, the Ivory Coast, Nigeria, and Morocco.
  • Who are you? Phone call scams have been fleecing citizens out of their hard-earned money for more than a decade. But AI-enabled phone scams can make it sound as if you're receiving a call from your spouse, your child, your boss, or your own mother. That makes it doubly likely that you'll fall prey to a fraudster. Some cyber crime syndicates can even use sophisticated AI video software to create a clone of the person they're impersonating that is good enough to use on a video call. You can bet this kind of service is going to be on the menu at FaaS outlets in the near future.
  • Fraud-as-a-service is bad enough on its own. When bad actors add artificial intelligence to the mix, it makes this growing scourge all but unstoppable. Instead of having to write their own malicious computer code or phishing messages, the advent of AI has made hacking and phishing as easy as point and click. AI can also be used to detect and evade countermeasures used to keep computers free of malware. Cyber gangs have even started to develop AI-enhanced hacking tools they can sell or lease to hackers that make it child's play to penetrate systems they have no prior knowledge of.
  • If you expect the FBI to come to the rescue, you're in for a rude awakening. Due to the convoluted nature of international cyber crime, the FBI has found it difficult to track, much less prosecute, the heads of international hacking rings, especially if they're located in such places as China, Russia, Iran, or North Korea.

How can you defend yourself against FaaS augmented with AI?

  1. Never take a third party's word that they are who they seem to be. That's how most victims wind up getting in trouble by divulging sensitive information. If you get an unsolicited call, text or email from someone you know letting you know that they or you are in deep trouble, tell them you'll get right back to them. Then dial the company's home office, or text any friend or relative who was trying to rattle you to make sure you're dealing with the real deal and not a deepfake.
  2. If you use smart devices or a smart assistant of any kind, make sure they haven't been compromised by hackers. If that should happen, hackers can eavesdrop on your conversations or take control of other nearby IoT devices. The best way to detect this kind of hack is to enroll in a service that can monitor your network and alert you to unauthorized users.
  3. If you run a business, consider adding redundant payment verification to your point of sale system that will alert you to potentially fraudulent transactions.  Batch analysis can also be employed to detect unusual activity on your network that can alert you to hacking activity.  Consider creating a designated fraud officer in your business to verify orders before processing them to make sure they're legit.
  4. Parents need to monitor their children's online activities to prevent them from becoming victims of sexual predators, online con artists, and cyberbullies.
  5. Review your own, your family's, and your employees' online habits to make sure nobody in your inner circle inadvertently compromises your cyber security. All too many people make it easy for hackers by revealing too much information online or by failing to update their passwords yearly. Learn how to recognize and avoid clickbait. Last but not least, make sure you install and update anti-malware software that's your first line of defense against hackers.
Catherine Powell is the owner of A Plus All Florida, Insurance in Orange Park, Florida.  To find out more about saving money on all your insurance needs, check out her website at http://aplusallfloridainsuranceinc.com/


2 comments:

  1. Just when you thought it was safe to go back to the Internet.

  2. Cyber criminals are smart and they are using AI as a new weapon to trick victims to fall for their scams. Don't be fooled, get educated.
