What to know about AI-generated scams

As tax season approaches, scams about refunds, tax forms and account issues become more common and are designed to pressure you into acting fast.

"This is a prime time for scams, and universities are being affected," said Tim Schwab, the university's chief information security officer. "We're seeing attackers use artificial intelligence to make scams more realistic, and in some cases, send them to thousands of people within minutes." 

To help employees navigate this evolving landscape, Teresa Banks, who leads the university's information security awareness and training program, is sharing what to watch for, along with a few easy steps you can take to protect yourself.

Image

AI cyber threats on the rise

Phishing remains the most common way attackers gain access to systems, and AI has dramatically increased its effectiveness, with phishing attacks increasing by more than 1,200% since the launch of the AI tool ChatGPT. Today's phishing messages are often personalized using publicly available information, such as social media posts or professional profiles, and no longer contain the obvious spelling or grammar errors that once made scams easier to detect.

Deepfake and Business Email Compromise (BEC) scams also pose growing security risks to organizations and employees. Deepfakes use AI-altered video, audio or images to pose as trusted colleagues or leaders, while BEC attacks involve criminals impersonating or accessing trusted email accounts. In both cases, messages create urgency and pressure recipients to share login credentials, download malicious software, initiate wire transfers or purchase gift cards.  

"While this may sound like science fiction, AI-generated scams are a real and growing cyber threat, across the globe and at our university," said Banks. 

A British-based engineering firm fell victim when an employee was convinced to transfer approximately $25 million after joining what appeared to be a legitimate video call with senior leaders. In reality, the call used deepfake video and audio to impersonate company executives.

Last fall, a University of Arizona employee reported a fraudulent email posing as a dean's office message and requesting urgent assistance. The Information Security Office handles daily reports on messages like these, which initiate contact and often escalate to requests for sensitive information, resulting in real financial losses for employees or the release of sensitive university data.

Image

Our strongest defense

"While the university has strong security tools and protocols in place, staying informed about how scams are evolving and practicing a few simple habits can go a long way to protect yourself," said Banks. 

The Information Security Office recommends following three easy steps to avoid scams.

1. Pause for 30 seconds before responding to an urgent or unexpected request to consider what's being asked, why it's urgent, and the risk if it isn't legitimate. Even a brief pause can help surface warning signs that are easy to miss during a busy day.
2. Confirm the legitimacy of a request by calling the requestor, sending a message through a secure internal channel, like Microsoft Teams, or checking an official website. Do not rely on contact details provided in a suspicious message.
3. Protect your accounts and devices by enabling multi-factor authentication, installing software updates promptly and reporting suspicious emails by forwarding them as an attachment to phish@arizona.edu.

"We encourage faculty, staff and students to make ‘pause, confirm and protect' a habit, as we believe it's one of the most effective ways to help keep our campus secure," said Banks. 

Information and resources 

Learn more about Cybersecurity in the age of Artificial Intelligence.

Stay alert and informed about the latest university-reported phishing scams by visiting the Information Security Office website and the Phishing Alerts webpage.