Since ChatGPT launched in November of last year it’s proved endlessly useful, with workers all around the world finding innovative ways to apply the technology every day. However, such is the power of AI tools that they can also be used for insidious ends, such as writing malware scripts and phishing emails.
Along with utilizing artificial intelligence to orchestrate scams, over the past six to eight months, hackers have been spotted leveraging the hot topic to extort people out of money and steal their information via fake investment opportunities and scam applications.
AI scams are among the toughest to identify, and a lot of people don't invest in tools like Surfshark antivirus, which warns users when they're about to head on to suspicious websites or download a shady app. So, we’ve put together this guide of all the common tactics that have been observed in the wild recently. All in all, in this article, we cover:
- AI Scams: How Common Are They?
- AI-Assisted Phishing Scams
- Social Media AI Scams
- AI Voice Cloning Scams
- Fake ChatGPT Apps
- Fake ChatGPT Websites
- AI Investment Scams
- AI Scams: They're Only Going to Get Worse
AI Scams: What Are They, and How Common Are They?
As we alluded to in the intro to this article, “AI scams” can refer to two different genres of scams, examples of which have sprung up regularly during 2023.
In AI-assisted scams, artificial intelligence helps the scammer actually commit the scam, such as writing the text for a phishing email. In general AI scams, the hacker is leveraging the popularity and zeitgeisty nature of AI as a topic to intrigue curious targets, such as a fake ChatGPT app scam. This works because so many people are trying to either make money out of ChatGPT, or use it to save time in their jobs.
The California DFPI has charted a rise in AI investment scams, while cybersecurity firms such as McAfee have observed an uptick in AI voice cloning scams in recent months.
ChatGPT's explosive release also led to a wave of malicious domains being created, which will also be discussed in this article.
Recently, Apple co-founder Steve Wozniak – a recent signatory to a letter calling for a pause to AI development – warned that artificial intelligence will make scams much harder to spot, and allow malicious actors to sound increasingly convincing. The era of AI-assisted scams is here.
Much like ransomware-as-a-service lowered the level of technical ability needed to attack a company, AI tools like ChatGPT mean pretty much anyone can sound convincing, so in theory, a larger demographic can now orchestrate scams effectively.
AI-Assisted Phishing Scams
Phishing scams have been around for years – scammers will send out emails or text messages masquerading as a legitimate company, such as Microsoft, in an attempt to get you to click on a link, which will lead you to a malicious website.
From there, a threat actor can inject malware into your device or steal personal information such as a password. Historically, one of the easiest ways to spot them has been spelling and grammar errors that a company as prestigious as Microsoft would simply not make in an official email to its customers.
In 2023, however, a simple prompt is all it takes to get ChatGPT to generate clean, fluid copy that doesn’t contain any spelling mistakes. This makes it a lot harder to distinguish between legitimate correspondence and phishing attacks.
If you explicitly ask ChatGPT to create an email for the purpose of phishing, the chatbot refuses to do so. However, we asked ChatGPT to produce two different types of emails that could feasibly be used as a template for a phishing scam, and surprisingly, it seems these sorts of requests aren't blocked under its content rules.
Protecting yourself from AI Phishing Scams
If you receive an email that seems like it’s from a legitimate company, but it’s trying to inject a sense of urgency into your decision-making (like asking you to pay a fine, or log into your account to avoid it being deleted), treat it with extreme caution. This is a typical phishing tactic.
Remember, if you think the email is most likely genuine, you can always open a fresh line of communication with the person or the company.
For example, if you get a suspicious-looking email from your bank saying your account has been accessed by an unauthorized third party, don’t respond to the email – simply contact the bank’s customer service team yourself, using the number or address listed on their website.
Social Media AI Scams
Recently, cybersecurity firm Check Point spotted a new kind of AI scam doing the rounds on Facebook. They've observed threat actors creating fake Facebook pages purporting to advertise “enhanced” versions of AI tools, such as “Smart Bard”. In reality, the product does not exist.
In the scam, threat actors use sponsored posts featuring these Facebook pages to target advertisements to unsuspecting users, which include links to malicious domains. Once users visit the domains, the scammers attempt to coax them into downloading ‘AI software’ that's actually info-stealing malware.
Users that have fallen for the scam and downloaded it have their passwords, and other sensitive information, extracted from their devices and sent to a server maintained by the threat actors.
What's concerning about this scam is the great lengths that the threat actors have gone to to make their Facebook pages look legitimate, including using an army of bots to leave positive comments all over their posts. Some of the pages, Check Point says, had huge numbers of likes. At a glance, it all looks pretty legitimate – which is never a good sign.
(Image Credit: Check Point)
Protecting yourself from social media AI scams
Remember, just because a page on social media has lots of likes and lots of engagement on its post, doesn't necessarily mean it's legitimate – it's surprisingly easy to either purchase or artificially manufacture this air of legitimacy on social media.
Social media is a hotbed for scams, so interacting with pages you've never seen before, promising enhanced versions of existing software, should be treated with suspicion. On top of this, a quick Google search will reveal that programs like “GPT-5” and “Bard V2” don't actually exist (yet, anyway). These sorts of wild promises are telltale signs that something may just be too good to be true – and in this case, it is.
Similarly, the presence of legitimate-looking links – which can easily be inserted into page description boxes and posts – does not negate the possibility that other links might be malicious. If you want to download a chatbot, go directly to the company or organization's website, rather than a link on social media.
AI Voice Cloning Scams
AI voice scams are a type of AI-assisted scam that has been making the headlines in recent months. A global McAfee survey recently found that 10% of respondents had already been personally targeted by an AI voice scam. A further 15% reported that they knew someone who had been targeted.
11% of US victims who lost money during AI voice cloning scams were conned out of $5,000–$15,000.
In AI voice scams, malicious actors will scrape audio data from a target’s social media account, and then run it through a text-to-speech app that can generate new content in the style of the original audio. These sorts of apps can be accessed online for free, and have legitimate non-nefarious uses.
The scammer will create a voicemail, or voice note depicting their target in distress and in desperate need of money. This will then be sent out to their family members, hoping they’ll be unable to distinguish between the voice of their loved one and an AI-generated version.
Protecting yourself from AI voice scams
The Federal Trade Commission (FTC) advises consumers to stay calm if they receive correspondence purporting to be from a loved one in distress and to try ringing the number they've received the call from to confirm that it is in fact real.
If you think you're in this position and you can’t ring the number, try the person in question's normal phone number. If you don’t get an answer, attempt to verify their whereabouts by contacting people close to them – and check apps such as Find My Friends if you use them, to see if they’re in a safe location.
Fraudulent ChatGPT App Scams
Just like any other major tech craze, if people are talking about it – and more importantly, searching for it – scammers are going to leverage it for nefarious means. ChatGPT is a prime example of this.
A recent report from Sophos found a plethora of ChatGPT-adjacent apps that it has dubbed “fleeceware”. Fleeceware apps provide a free program with limited functionality and then bombard users with in-app adverts until they sign up for an overpriced subscription.
According to the cybersecurity firm, “using a combination of advertising within and outside of the app stores and fake reviews that game the rating systems of the stores, the developers of these misleading apps are able to lure unsuspecting device users into downloading them”.
One fake ChatGPT app called Genie, which offers $7 a week or $70 a year subscriptions, made $1 million over a monthly period, according to SensorTower. Others have made tens of thousands of pounds. Another, called “Chat GBT” on the Android store, was specifically named in Sophos's report:
(Image Credit: Sophos)
According to the cybersecurity firm, the “pro” features that users end up paying a hefty sum for are “essentially the same” as the free version. They also report that, before the app was taken down, the reviews section was littered with “comments from people who downloaded the app and found it didn’t work – either it only showed ads or failed to respond to questions when unlocked.”
Protecting yourself from fake ChatGPT app scams
The simplest way to ensure you don’t incur these sorts of subscription fees – or download unwanted malware – is to simply not download the apps. iPhone users can now download the official ChatGPT app, which has recently launched. It'll be intriguing to see whether this marks the demise of the fake ChatGPT apps currently populating the App Store.
Alternatively, both iOS and Android users can add a ChatGPT web link to their home screen, and if you're an iPhone user, you can create a Siri shortcut that will take you straight to ChatGPT on the web. There's little practical difference between the home screen shortcut and a native application in this context.
Fake ChatGPT Websites
Along with fake ChatGPT apps, there are also a bunch of fake ChatGPT websites out there, capitalizing on the huge search volume around the term.
In February 2023, Twitter user Alvosec identified four domains that were all distributing malware under a ChatGPT-related name:
⚠️ Beware of these #ChatGPT domains that distribute malware
— Alvosec ⚛️ (@alvosec) February 23, 2023
Some reports have noted that fake ChatGPT websites have been presenting OpenAI’s chatbot as a downloadable Windows application, rather than an in-browser application, allowing them to load malware onto devices.
How to Protect Yourself from Fake ChatGPT Websites
Remember, ChatGPT is an OpenAI product, and the only way to access the chatbot is via the mobile app, or through their domain specifically. “ChatGPT[.]com”, for example, has nothing to do with the real, legitimate ChatGPT, and you can't download ChatGPT like it's a software client.
Strangely enough, the URL for the legitimate ChatGPT sign-up/login landing page doesn’t even have the word “ChatGPT” in it: https://chat.openai.com/auth/login.
You can also sign up via OpenAI's blog (https://openai.com/blog/chatgpt), but again, this is part of the OpenAI domain. If someone sends you a link to a ChatGPT site that doesn't lead to one of the above addresses, we’d advise not clicking on it, and navigating to the legitimate site via Google instead.
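The "does this link lead to one of the above addresses" check can be automated, for example in a mail filter or helpdesk tool. The sketch below is an added example, not code from any vendor; the function name, the allowlist (built only from the addresses this article gives) and the sample links are assumptions. It shows why the hostname has to be compared label by label rather than searched for the word "openai".

```python
from urllib.parse import urlsplit

# Assumption: allowlist built from the addresses the article gives
# (chat.openai.com and openai.com); adjust if the vendor's domains change.
TRUSTED_DOMAINS = ("openai.com",)
BRAND_TOKENS = ("chatgpt", "openai")  # names impostor sites borrow


def check_chatgpt_link(url):
    """Return (is_trusted, reason) for a link that claims to lead to ChatGPT."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        userinfo = (parts.username or "").lower()
    except ValueError:
        return (False, "unparseable URL")
    if parts.scheme != "https":
        return (False, "not https")
    if not host:
        return (False, "no hostname")
    # Compare whole DNS labels from the right; a substring or prefix match
    # would accept chat.openai.com.<anything>.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return (True, "on trusted domain")
    # Text before '@' is credentials, not the destination.
    if any(t in userinfo for t in BRAND_TOKENS):
        return (False, "brand name in userinfo")
    # Non-ASCII or punycode labels can render like the real name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return (False, "internationalized hostname")
    if any(t in host for t in BRAND_TOKENS):
        return (False, "brand name on another domain")
    return (False, "other domain")


# Constructed sample links (the .example hosts are placeholders).
SAMPLES = [
    "https://chat.openai.com/auth/login",
    "https://openai.com/blog/chatgpt",
    "http://chat.openai.com/auth/login",
    "https://chat.openai.com.login.example/auth",
    "https://chat.openai.com@files.example/setup.exe",
    "https://\u043epenai.com/",  # Cyrillic letter in place of Latin 'o'
    "https://chatgpt-desktop.example/download",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_chatgpt_link(link), link)
```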
AI Investment Scams
Much like cryptocurrency, scammers are leveraging the hype around AI – as well as the technology itself – to create fake investment opportunities that seem genuine.
“TeslaCoin” and “TruthGPT Coin” have both been used in scams, piggybacking off the media buzz around Elon Musk and ChatGPT and portraying themselves as trendy investment opportunities.
California's Department of Financial Protection & Innovation alleges that a company called Maxpread Technologies created a fake, AI-generated CEO and programmed it with a script encouraging punters to invest (pictured below). The company has been issued a desist and refrain order.
(Image Credit: coinstats.app)
Forbes reports that another investment company, Harvest Keeper – which the DFPI says collapsed back in March – hired an actor to masquerade as their CEO in order to reel in enthused customers. This illustrates the lengths some scammers will go to to ensure that their pitch is realistic enough.
Protecting yourself from AI investment scams
If someone you don’t know is reaching out to you directly with investment opportunities, treat their tips with extreme caution. Worthwhile investment opportunities do not tend to fall into people's laps in this way.
If it sounds too good to be true, and someone is offering you guaranteed returns, don't believe them. Returns are never guaranteed on investments and your capital is always at risk.
If you're someone that regularly invests in companies, then you'll know the importance of doing your due diligence before parting with your hard-earned cash. We'd recommend applying an even higher level of scrutiny to prospective AI investments, considering the buzz around related products and the prevalence of scams.
AI Scams: They’re Only Going to Get Worse
In 2022, US consumers lost a huge $8.8 billion to scams – and it’s unlikely that 2023 will be any different. Periods of financial instability often correlate with increases in fraud too, and globally, a lot of countries are struggling.
Currently, artificial intelligence is a goldmine for scammers. Everyone is talking about it, yet few are really clued in on what’s what, and companies of all shapes and sizes are rushing AI products to market. Ethical questions relating to AI are only starting to attract the attention they deserve.
Right now, the hype around AI makes it about the most downloadable, investible, and clickable subject on the internet. It provides the perfect cover for scammers.
It’s important to keep up to date with the latest scams doing the rounds, and with AI making them much harder to spot, this is all the more important. The FTC, FBI, and other federal agencies regularly put out warnings, so following them on social media for the latest updates is strongly advised. On top of this, with a huge range of legitimate AI training courses now available, it's important to keep your wits about you when signing up for classes or services.
However, we’d also recommend purchasing a VPN with malware detection, such as NordVPN or Surfshark. They’ll both hide your IP address like a standard VPN, but also alert you to suspicious websites lurking on Google Search results pages. Equipping yourself with tech like this is an important part of keeping yourself safe online.