How AI was used in an advanced phishing campaign targeting Gmail users


In May 2024, the FBI warned about the increasing threat of cybercriminals using Artificial Intelligence (AI) in their scams.

At the time, FBI Special Agent in Charge Robert Tripp said:

“Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. These sophisticated tactics can result in devastating financial losses, reputational damage, and compromise of sensitive data.”

This warning should not be taken lightly, especially because the AI tools that cybercriminals have at their disposal are relatively low cost: in one study, researchers found that the cost of advanced and sophisticated email attacks starts at just $5.

The FBI has also warned users to be cautious when receiving unsolicited emails or text messages. Phishers are using AI-based attacks, which have proven to raise the effectiveness of phishing campaigns. They are also using AI-powered tools to create emails that can bypass security filters. Combine that with deepfake-supported robocalls, and these methods could trick a lot of people.

None of the elements used in the attacks are novel, but the combination might make the campaign extremely effective.

In a campaign targeting Gmail users, several of these elements came together. The attacks often start with a call to the user, claiming their Gmail account has been compromised. The goal is to convince the target to provide the criminals with the user’s Gmail recovery code, claiming it’s needed to restore the account.

Around the same time, users receive legitimate-looking emails from what appears to be an authentic Google domain, which adds credibility to what the caller claims has happened.

With the recovery code, the criminals have access not only to the target’s Gmail but also to a lot of other services, which could even result in identity theft.

When we warn about agentic AI attacks, this is the type of campaign we can expect.

The FBI added a warning about unsolicited emails and text messages that contain a link to a seemingly legitimate website asking visitors to log in. The linked websites are fakes, designed specifically to steal credentials.

As we have seen in the past, these sites can even be designed to steal session cookies. A session cookie is what keeps you signed in: every time you return to the website while the cookie is still valid, you don’t need to log in again. That’s really convenient… unless someone manages to steal that cookie from your system. If cybercriminals manage to steal the session cookie, they can log in as you, change the password, and grab control of your account.

How to avoid AI Gmail phishing

