With AI at their disposal, financial scammers are on the rise
ArtMarie via Getty Images
The rise of artificial intelligence, access to sensitive data on the dark web, and a lack of federal oversight for these crimes means it’s never been easier to be a scammer, security experts say.
This story was originally published by News From The States, a part of State Newsroom.
It started with a seemingly routine reminder for Nancy Hall to update her Norton antivirus software.
The 69-year-old Philadelphia resident sat down at her laptop to file her taxes recently and was prompted to call a number that was said to be the software company’s customer support. She had been hacked, the message said.
“It said, ‘you must call Microsoft right away, or else, you're in danger of losing everything,’” Hall said.
A man on the line claimed to be in talks with her bank, saying hackers managed to download child pornography to her computer and transfer $18,000 to Russian accounts overnight.
He told Hall he was transferring her to the fraud department at her bank, where she spoke to someone who knew details about her local branch. After verifying personal details, that person asked her to come in to make a cash withdrawal that she could then use to purchase cryptocurrency at a specific ATM.
The pair told her she was at threat of being arrested by Homeland Security for what was found on her laptop unless she obliged.
After a few stressful hours of trying to sort out the situation, something clicked, Hall said — a friend was scammed out of $800,000 in retirement savings last year after being persuaded to purchase cryptocurrency in an emergency. Hall hung up the phone, then blocked the number when it continually called her back.
Financial crimes, or scams like these, have always been around, experts say. But the rise of artificial intelligence, access to sensitive information on the dark web, and a lack of federal oversight for these crimes means it’s never been easier to be a scammer, security experts say.
“AI has made these things so believable,” said Melissa O'Leary, a Portland, Maine-based partner and chief strategy officer at cybersecurity firm Fortalice Solutions. “Sometimes you can’t tell, ‘is this legitimate or not?’”
Hall’s experience mirrors many of the thousands of well-established attempts at tech-enabled financial crimes currently underway in the U.S. Scammers often pose as trusted corporations, government departments or as someone a victim knows. Many companies that have been spoofed, like Norton, put out warnings about these scams.
They also use heightened emotional responses and a sense of urgency to get you to transfer money or release personal details, cybersecurity experts say.
“Now I look back on it, I'm like, ‘how was I so stupid to say stay on the line that long?’” Hall said. “But then I look at this girl I know, and they managed to get her to go all the way.”
The Business of Scamming
The Federal Trade Commission reported the overall loss Americans experienced via financial scams in the 2023-2024 fiscal year to be between $23.7 billion and $158.3 billion. The figures differ so much because so many losses go under or unreported, the FTC said in the report.
Matthew Radolec, D.C.-based vice president of Incident Response and Cloud Operations at data security firm Varonis, said he sees these phishing attempts in two parts; the scam is the technique being used to get access to money, and the actual crime itself is the loss of the money.
Because these crimes are digital, it’s hard to know who to report them to, or how to follow up. Many scammers also ask for cryptocurrency payments, or transfer them to crypto accounts shortly after the transaction.
“There's no insurance for accidentally wiring someone $10,000,” Radolec said. “If you fall for a ruse, you fall for a ruse. It’s like a carnival trick, a sleight of hand. It’s a digital form of that.”
Kimberly Sutherland, the Alpharetta, Georgia-based vice president of fraud and identity at LexisNexis Risk Solutions, said they’ve seen a 20% year-over-year increase in digital fraud since 2021, affecting as much as 1.5% of all transactions, though many of those attempts are caught before they can go through.
A large part of their efforts are focused on monitoring new account openings and payments, as fraudsters want to either create a fraudulent account at the start, or they want to be able to intercept transactions as they’re happening, Sutherland said. They’ve also had to evolve their monitoring strategies, as over the last few years, there’s been a shift from laptop and desktop targeting to mobile attacks, she said.
A few decades ago, scammers were focused on getting enough information from a company or individual to pull off a fake transaction. But as data breaches have become more common, the personal data unearthed makes it easier to pose as someone a victim knows, or give them details to become trustworthy.
Sutherland said the concept of synthetic identities — carefully crafted digital profiles of someone who doesn’t actually exist — have also deepened criminal’s abilities to get access inside of a variety of institutions like banks, colleges and corporations.
“You don't have to steal an identity of someone; why not create a brand new one?” Sutherland said. “It started with jokes like, ‘I can get a credit card in the name of my dog,’ and it became sophisticated fraud rings who could actually create identities and nurture them to be used by others.”
Individuals and companies are not the only ones at risk of financial scams — government institutions have reported an increase in financial crimes in recent years. In California, community colleges have reported at least $5 million in losses to AI-simulated students who applied for financial aid.
One of the most current, wide-spread scams are texts and alerts from toll payment agency E-ZPass, asking a user to pay an outstanding bill at the included link. Last year, E-ZPass said the FBI’s Internet Crime Complaint Center had received more than 2,000 complaints about the texts. Those who had filled out the included form should contact their banks, the company said.
It’s similar to a longstanding scam posing as UPS trying to deliver a package — it plays on our human nature of trust and curiosity, O’Leary said.
How AI is playing a role
AI has lowered the barrier for setting up a scam, O’Leary said. Those looking to lure someone to wire money or purchase cryptocurrency need some space on a server or in the cloud, and some sort of infrastructure to reach out to victims. Many programs that can be used to fake a persona, to send out mass text messages or phishing links are as easy as downloading an app.
“It’s almost a step by step for someone who wants to make a quick buck,” O’Leary said.
Large language models and AI chatbots can easily be prompted to sound like someone else, and give non-English speakers a much easier ability to communicate, O’Leary said.
Radolec has seen an uptick in AI bots being used to gain credentials to company databases or pay systems. Bots can hold legitimate conversations with a target to build rapport, and plant phishing scams to gain passwords in standard documents.
“The next thing you know, you can log in as me,” Radolec said.
From there, scammers can divert paychecks to offshore accounts, sell data on the dark web or plant further phishing attempts in internal systems.
Because of the rapid advancements in AI technologies, phishing attempts and scam strategies are constantly changing. Now, AI tools can help alter legitimate images, and create deepfakes, or likenesses of someone’s image or voice, in just a few minutes. It’s the strategy behind an increasingly common scam on grandparents — they get a call from someone that sounds exactly like their grandchild, saying they need a wire transfer or cash for bail.
Many digital scams target older people, both because they’re expected to have less technical knowledge to spot a ruse, and because they tend to have larger sums of money accessible, Radolec said. In its report, the FTC estimated between $7.1 billion and $61.5 billion in losses for older adults.
This week, AARP, Amazon, Google and Walmart partnered on a new initiative that will be based out of Pittsburgh, called the National Elder Fraud Coordination Center, an attempt to tap in private companies who have resources in data privacy to assist in national law enforcement investigations. Its founder and CEO, former FBI agent Brady Finta, said that the technical side of these crimes are often partnered with an emotional side, like pretending to be a family member in trouble.
“They're talking you through the crime,” Finta said. “They're adding this anxiety and thought process to you and to overcome your normal decision making processes.”
Legislation and enforcement
There are hundreds of thousands of victims of financial scams each year, and they’re reporting them to different places — local police, state organizations, federal agencies, and the tech platforms where the crimes occurred, Finta said. Part of the reason some financial scams go unreported is that there’s not one clear route, government agency or law enforcement agency that has ownership over them.
That was also the consensus of a new report by the Government Accountability Office, FedScoop reported this month. There are 13 federal agencies, including the FBI, CFPB and the FTC, that work to counter scams, but they do not share one overarching strategy.
Finta is hoping that leveraging the private sector data from their partner corporations can help connect some fraud cases across the country and make these investigations more comprehensive.
While the FTC has the Fraud and Scam Reduction Act, which aims to raise awareness of financial scams, there’s no official federal protection or legislation on this topic. Some states are passing consumer protection laws that put some liability on banks to do due diligence on fraud and even reimburse customers for fraudulent transactions.
And the U.S. may be facing less protections than it currently has. Susan Weinstock, CEO of the Consumer Federation of America, said she’s worried that Congress just voted on a resolution under the Congressional Review Act that removed the rule that required digital payment apps like Venmo and Apple Pay to be regulated for fraud.
“Years ago, nobody had heard of Venmo or CashApp, and now these things are ubiquitous,” Weinstock said. “So it puts consumers in a really tough, scary position to be subject to fraud and not have the ability to deal with it.”
Because the strategies behind these financial scams change often and because there are few ways to track these crimes after they happen, a lot of responsibility falls on individuals and institutions to be able to spot them. Radolec’s first piece of advice is to slow down. If it really is your grandson calling from jail? Is it the end of the world if he spends a night in jail, he said.
Adding another person into the loop of communication is another strategy that will usually knock off an impersonator. If it appears to be a higher-up at work making a strange request for access to your finances, there’s no harm in looping in another person to review, Radolec said.
Lastly, the cybersecurity experts all said, it’s always safer to get in contact with the original source. If someone on the phone says they’re with your bank, hang up and call the bank directly to verify information.
“A lot of times they're trying to create a sense of urgency that's from a false place, so how can we ground ourselves?” Radolec said. “And can we ask, is this truly like a life or death situation that you have to act on right now? Or can time be in our favor?”