You are currently viewing AI hacking scams are on the rise – here’s how to protect your money, points and miles

AI hacking scams are on the rise – here’s how to protect your money, points and miles

In 2023, the Federal Trade Commission received 2.6 million fraud reports totaling $10 billion lost to scams, the highest annual loss ever reported. Of those reports, the overwhelming majority were imposter scams where a fraudster impersonates a bank’s fraud department, the government, a business, a relative, a love interest or a technical support representative.

As artificial intelligence becomes easier to access and more sophisticated, it is quickly rising through the ranks as an effective way for scammers to gain access to your accounts, draining them of money or points and miles.

The FTC is actively seeking to thwart AI-generated so-called deepfakes by enacting a rule prohibiting the impersonation of individuals. A deepfake is an image or video that has been digitally manipulated using a form of AI called deep learning. This technology allows fraudsters to make it appear as if someone is saying or doing something that never happened.

This would be an extension of an existing rule against impersonating businesses or government officials.

In fact, the FTC issued a consumer alert last year warning people against scammers who use AI to clone a loved one’s voice in an attempt to have you send them money. Not only can they impersonate the voice of someone you know, but they can also use AI to generate fake images to make their story more convincing.

How is AI being used by scammers?

“Someone could impersonate your child’s voice and tell you that they are out of town, lost their phone and need money right away,” Adrianus Warmus, a cybersecurity expert at NordVPN, told TPG. “They can then use an AI tool to scrape that person’s Facebook or Instagram and create an image that ‘proves’ it’s really them reaching out to you from wherever they say they are,” he explained.

person using card on computer

Playing to your emotions is not the only way scammers use AI technology to separate you from your money and travel funds.

Related: How and why you should use a VPN internet connection while traveling

Scammers can also use AI to spoof an email address. “It’s possible to impersonate or take over an email address and use AI to even impersonate someone’s writing style to make it sound convincing,” Jeff Reich, executive director at the Identity Defined Security Alliance, told TPG.

Another common method is what is called a “credential stuffing” attack. Michael Jabbara, a vice president and global head of fraud services at Visa, explained:

A hacker is not usually looking to target you directly; they’re looking to hack tens or hundreds of thousands of people all at once. One of the popular ways that they’re targeting loyalty accounts specifically is “credential stuffing.” When a company has a data leak involving a bunch of usernames and passwords, scammers can use automated scripts and other innovative fraud technologies to run those username and password combinations through numerous websites to gain access to your other accounts.

How could scammers use AI in the future?

A less common scam on the rise that may be cause for concern as the technology progresses is creating deepfake videos.

“You can already use AI for live lipsyncing and voice translation, like with an AI-generated version of Argentina President Javier Milei’s speech at the World Economic Forum earlier this year,” Warmus said. “Even Snapchat and Instagram filters use AI technology,” he added.

Woman using a computer

“Eventually, people could use AI to impersonate someone else on video. When we get to that point, even a video call will not be sufficient to verify you are speaking with the person you think is sitting in front of you. I think it could get to the point where if your bank wanted to have a video chat with you to verify your identity for a transaction, someone could have AI technology to provide your face and voice on video,” Warmus said.

Banks and loyalty accounts work hard to keep our sensitive information safe, but fraudsters constantly try to outthink them.

“I think the trust will pretty much erode on the internet,” Warmus said. “As the banks get better, so do the criminals. Ultimately, the criminals will win because so many techniques will be available to them. Law enforcement and banks have limited time and resources, but criminals have all the time and motivation in the world,” he continued.

How can you protect your information from AI scams?

woman on laptop

Have a family verification method

Knowing that there is a threat of someone having the ability to impersonate one of your family members, it’s important to have a verification method in place. Reich recommends a two-step approach.

“The first thing you can do is tell them you are going to call them back [or their parents if they claim to be a grandchild or younger family member] to see if they actually are in the situation they say they are,” Reich said. “Second — and this is where it pays to watch spy movies — is to have a secret family password,” he added.

Related: Key travel tips you need to know — whether you’re a first-time or frequent traveler

Your password should be something only someone in your family would know. Alternatively, you could ask your family member a question only they would know the answer to, like where you went on your last ski trip. (Hint: the correct answer could be that you’ve never been on a ski trip.)

It’s also important to let those close to you know when you are traveling. This should set off your internal alarm bells if anyone claims to be you and purports to be somewhere other than you told them you’d be.

Be alert if there is a sense of urgency

A legitimate business will not try to rush you or push you to make rash decisions. “Any scammer trying to defraud you wants to keep you engaged,” Reich said. “They don’t want you to go somewhere else for any validation, and they want you to act quickly,” he continued.

Reich warns against responding to that sense of urgency (unless, of course, you truly believe someone is in imminent danger). “Instead, take a moment to ask yourself if you believe what they are saying is true and if what they are asking you to do is legitimate,” Reich said. “If you have even a small doubt, come up with another way to validate what they are saying.”

Report fraud or fraud attempts

If you receive a suspicious phone call or email, there are steps you can take to stop them from contacting you again.

If it is a phone call, you can block the phone number, and most carriers also allow you to report a phone number as junk or spam. When we all work together to do this, the phone companies can use the data to mark calls as spam or block them from reaching your phone altogether.

You can do the same with emails. If something about the email seems off, you can report it as spam or phishing and block the sender.

If you have been a victim of fraud, you should contact your bank or loyalty account customer service and alert them that there has been fraudulent activity on your account. They can assist you in recuperating lost funds, points or miles. You should also report the scam to the FTC. The FTC uses this data to look for trends and educate the public on what to look out for.

Regularly monitor your account activity

It’s a good idea to check your account balances, recent transactions and points and miles balances at least once weekly. If you see anything out of the ordinary, contact customer service immediately.

Set up account notifications

When life gets busy, daily account checks may slip your mind, but most banks and loyalty accounts allow you to set up alerts that will trigger a notification anytime a change is made to your account. This could be a transaction or a change to your account profile, like if someone were to attempt to update your email address or phone number.

The exact steps for this will vary by company, but you will typically sign in to your account, go to your profile settings and there should be an option for “alerts” or “notifications” that you can customize. Most loyalty programs will send a confirmation email when you redeem points, so checking to ensure your email and phone number are up to date on your accounts is also important.

According to Jabbara, this — along with the other steps mentioned here — are “low frequency, high-impact steps” that can keep your accounts safe.

Never give out sensitive information over the phone or via email

In short, there is no reason for a company to call or email you and ask for your information.

“If your bank is calling you, they should already know who you are. There is no reason for them to ask you to verify your identity,” Reich said. This applies to your credit card number, your password or any other sensitive information. “If this happens, call the number on the back of your credit card or call the customer service number on the bank’s website directly.”

Never use the same password on multiple accounts

If multiple logins use the same password, a data breach on one account could help a fraudster access any other account that uses the same password. This goes back to the credential-stuffing scam we mentioned earlier. You want to make it harder — not easier — for a scammer to access your accounts. If you use the same password for every account, they can get into all of those accounts if even one is a data breach victim.

Reich recommends using a password manager so that you can have unique passwords for every account while only having to remember one “master password.” Find a way to remember that one password without writing it down or storing it electronically.

Reich uses a combination of numbers, letters and special characters to create a phrase that is easy for him to remember but hard for someone else to guess.

You can also change your passwords regularly as an additional layer of security.

Set up 2-factor authentication on your accounts

Two-factor authentication and multifactor authentication require you to present at least two types of authentication to gain access to your account. Two-factor authentication and multifactor authentication ensure that nobody (including you) can access your account with only your username or password. This could be a text message sent to your phone, an email, an authenticator app or a physical token that you can plug in or tap to your phone or computer.

You can enable 2FA or MFA through your online account or mobile app for most accounts. You will usually see options to add or update 2FA and MFA in your profile’s “security” section. If you can’t find these settings, contact your institution for instructions.

Consider using a passkey

A passkey secures your accounts like a password does, but you don’t have to remember or type in a password. “A passkey is something that is tied to your identity; you don’t have to type it in. It’s basically a secure digital verification,” Warmus explained.

You may already be using a passkey without even thinking about it. Facial recognition, fingerprint recognition and voice recognition are all types of passkeys.

Set up phone passphrases for your credit card accounts and your phone carrier

Some institutions will ask you to confirm your mother’s maiden name as a security measure, but this information is easy for a scammer to find. Instead of using this easy-to-find detail, call and set up a unique passphrase that you can give over the phone to further secure your accounts.

If you have a passphrase set up, when someone calls your bank or telecom provider, they’ll ask for your passphrase before they enable any changes to your account.

Subscribe to a credit monitoring service

If you have a credit card account, you are likely eligible for at least one free credit report every year. This will give you information on your credit score, credit history and accounts that have been opened or closed.

Some also offer identity monitoring services that can alert you if your personal information is compromised. You can also sign up for an identity monitoring service like Credit Karma (free) or LifeLock (starting at $7.50 per month).

Most credit and identity monitoring services also allow you to set up alerts so you can receive a text or email if they identify any breaches or changes.

Use a VPN when you are away from home

A virtual private network, or VPN, can protect your internet connection and privacy by encrypting the data you enter on the internet. This is especially important when you are using public Wi-Fi networks.

“When you are away from home, always use a VPN because you don’t know the infrastructure or the people managing the connection in the destination you are visiting,” Warmus warned.

Companies like McAfee, NordVPN and Surfshark offer VPNs, sometimes as part of a larger digital protection package.

Bottom line

The future of online security may sound bleak, but the experts we spoke with reassured us that it’s not as scary as it sounds. There are things you can do to protect yourself from being a victim of fraud. These steps are simple yet effective at keeping yourself and your information safe.

Related reading: