Criminals Are Eyeing Up ChatGPT for Wire Fraud

Wire Fraud Risk

ChatGPT has piqued everyone’s curiosity – at least, in the business world – and in the cyber world there are potential implications that have us very worried!

In cybersecurity circles, we’re concerned about the potential for the application of ChatGPT to support advanced wire fraud attacks. An obvious play for criminals is using ChatGPT for the creation of ingenious social engineering attacks supported by online (e.g., open source) content that would convince and seemingly confirm for the recipient that the sender is who they pretend to be, when nothing could be further from the case. Now, non-English speaking criminals will be able to craft these socially engineered emails with excellent grammar and perfect punctuation, resulting in wire transfer requests and confirmations that will appear genuinely valid.

But that’s not all! We fully expect fraudsters to use the technology behind ChatGPT to provide deepfake audio and verbal confirmations for changes to investor wiring information. Imagine your finance department receives an e-mail for a change in wiring instructions. No problem – per your wire transfer policy, the team is about to place a call to the sender to confirm the wire.  But before they can make that call, they receive a call from the sender with their CALLED ID (which is very easy to spoof) and their exact voice on the other line to reaffirm that the change is correct. There is a full, logical conversation that takes place, and the wire transfer is confirmed. While your policy should state that you MUST place an outbound call to confirm, this process is seemingly not needed. Or is it??? After all, if you can’t believe the person with whom you’re speaking, who can you believe? And if they sound like you think they sound, then it must be real, right? Thanks – or no thanks – to AI, not necessarily.

BW Cyber strongly recommends that you always require a verbal call back confirmation for any wire transfer, whether that be with a new investor or an existing one. The phone number for the call back must be from your records, and not in the footer of the e-mail or on the invoice. Every single time.

For more information on how BW Cyber can assist you, please contact us at info@bwcyberservices.com.