
Disinformation Security

Use of disinformation by criminals is nothing new. In 1920, a scammer from Ghana sent out a series of letters representing himself as having magical powers and offering those services to the recipient for a fee (Ellis, 2016). Since that time, scammers have used technology from the written letter to the telephone and finally the Internet to perform disinformation campaigns at scale against vulnerable targets.

Disinformation scams against individuals and small businesses tend to rely on scale to make contact with vulnerable targets, followed by a deeply hands-on approach once someone appears to be falling for it. For example, in a "pig butchering" scam, a scammer blindly sends text messages to thousands of phone numbers pretending to be a friendly stranger, then spends weeks or months conversing with the one or two targets who respond, gaining their trust and convincing them to send money to the scammer under the guise of investments (Podkul, 2022).

A personal version of a scam using "deep fake" or AI-generated voices is the "Grandparent Scam," where a caller uses faked numbers to pretend to be a grandchild of the victim requesting money for bail or to deal with a bad accident (Federal Communications Commission, 2024). Nothing about these disinformation telephone scams is new. They predate AI deep fake technology and the general availability of Bitcoin by decades. An article from 2015 noted that "scammers typically request the money by wire transfer," and early versions of the scam used intentionally bad or static-filled connections to disguise the voice of the caller without using advanced technology (FOX 6 Now, 2015).

A business version of this is colloquially known as the "Mr. Patel" scam, where scammers phone the front desk of hotels claiming to be the owner of the hotel, using their real name if it's known and often substituting Mr. Patel if not, and convince the victim to remove money from the register and send it via Bitcoin ATM under the guise of an urgent contractor payment (rickgene, 2021). While AI can be used in this case, often it is an experienced scammer creating a sense of artificial urgency. Scammers will also impersonate government agencies through official-looking mailed or emailed letters (Small, 2024).

A small business will have relatively few concerns about targeted disinformation campaigns against it, but could still be a victim. Even small businesses have access to computer resources and bank accounts that can be valuable to scammers; a successful phishing attack could leverage those resources and prevent the business from operating. Mitigation could be part of an educational campaign in addition to a specific set of tools used to secure credentials, such as password managers and multi-factor authentication.

Consider how you might help a business address the following threats:

  • A bad actor creates a fake business profile in their name and directs business away from them, causing new customer acquisition to quickly drop. How would they know it exists and what processes could be put in place to deal with it quickly?

  • A competitor or unhappy customer creates a massive amount of fake reviews and ratings on popular sites to drive down business. What plan could the company have in place to mitigate and address this issue?

  • A criminal pretends to be a customer out of state who "accidentally" sends a check in advance for twice the quoted job, and asks for the balance to be returned to a different address. What sort of education could you provide to the business office to make them aware of the potential scams?

  • A criminal pretends to be a coworker or a manager via telephone or email and convinces an employee to share banking credentials or download software to a business workstation. How could training prevent something like this from happening?

  • An unhappy customer, competitor, or employee creates manufactured evidence of poor workmanship that does not reflect real life, or duplicates the voice of an employee or manager being abusive or racist on a telephone call, such as happened to a Baltimore County principal last year (Li, 2024). How could the company plan to investigate this issue and respond to this fake evidence internally and to the public?

References

Federal Communications Commission. (2024, February 1). “Grandparent” scams get more sophisticated. https://www.fcc.gov/grandparent-scams-get-more-sophisticated

FOX 6 Now Milwaukee. (2015, March 10). “This is a scam we hear about on a regular basis:” BBB warns about scam targeting older people. FOX6 News Milwaukee. https://www.fox6now.com/news/this-is-a-scam-we-hear-about-on-a-regular-basis-bbb-warns-about-scam-targeting-older-people

Ellis, S. (2016, June 11). The origins of Nigeria’s notorious 419 scams. Newsweek. https://www.newsweek.com/origins-nigerias-notorious-419-scams-456701

Li, D. (2024, April 26). Maryland educator accused of using AI to frame the school’s principal. NBC News. https://www.nbcnews.com/news/us-news/teacher-arrested-ai-generated-racist-rant-maryland-school-principal-rcna149345

Podkul, C. (2022, September 20). How pig butchering scams work. ProPublica. https://www.propublica.org/article/whats-a-pig-butchering-scam-heres-how-to-avoid-falling-victim-to-one

rickgene. (2021, August 10). A guy at my hotel fell for the obvious “Mr. Patel” scam [Online forum post]. Reddit. Retrieved January 11, 2025, from https://www.reddit.com/r/TalesFromTheFrontDesk/comments/p29oar/a_guy_at_my_hotel_fell_for_the_obvious_mr_patel/

Small, B. (2024, February 13). Government impersonators mail fake notices to business owners. Consumer Advice. Retrieved January 11, 2025, from https://consumer.ftc.gov/consumer-alerts/2024/02/government-impersonators-mail-fake-notices-business-owners