In 2022 I wrote about the email scam I preferred. I’d rather get an email about a surprise inheritance than a threat of fake videos.
Both emails were easy to identify as scams. But now it’s more difficult to be sure about any emails. Your inbox has become a war zone.
The bad emails got better
At this stage, a small percentage of phishing emails are AI-generated. But that number is going to grow and grow. Because AI is a dream come true for hackers:
- No more broken English or weird phrasing. AI writes like a true professional.
- That perfect look and feel. Everything looks exactly right: from the logo to the font.
- Clever links that spoof real domains. No more bizarre domain names, or email addresses like jacqui.coosner@stxuuqkr.digisyncfusion.uk.com. (I didn’t make that last one up – a hacker did.)
- Crafted just for you. AI can scrape social media, public records, and breached data. It’s got your name and your ID number. It knows about your shopping habits. No more emails addressed to “Dear Customer”.
That kind of personalisation used to need real effort. And why would a hacker spend that much effort on me? But now AI can generate thousands of unique phishing emails in minutes. And that’s before we even get to its ability to fake audio and video and impersonate people.
The good emails got worse
To make matters worse, some companies send out legitimate emails that look like spam. Government organisations are the worst culprits here.
Let me name and shame a few:
- I updated some company information on the Reserve Bank Supplier system. It sent an automatic notification with an HTML attachment to open. How many times have you been told to never open HTML attachments? HTML smuggling is an old, but popular, way to scam people.
- A municipality sent out a screenshot as an RFQ, and CC’ed multiple vendors. Very unprofessional. But also a dead giveaway: only a careless corporate employee would use CC instead of BCC.
- I logged in to the CIPC (Companies and Intellectual Property Commission) to request a document. It was sent to “Dear Customer”. They are not the only culprits. The Compensation Fund sends invoices addressed to “Dear Valued Customer”. Tshwane Municipality does the same, but it doesn’t consider us valued customers.
Apart from making it harder to identify an email as valid, this is a sign of lazy, lazy automation. Emails like this scream out: “We didn’t test this.” It’s not that difficult to personalise the email.
I’m not even going to mention some dreadful spelling, grammar and punctuation. There’s no excuse for that.
This week I received a call on behalf of my sister, who lives in the UK. The caller is from a company that claims to represent Old Mutual. I verified the company exists, and the number is correct. The caller had some personal details. I asked for an email, and got one with the subject line: “Unclaimed Benefit”. Now I definitely don’t trust them.
Perhaps this is deliberate inbox inversion. Perhaps sloppy emails are a sign that they are from real South African organisations.
I’d love to hear your views.