| ▲ | offsign 7 hours ago |
| Sounds like AI is just greasing the wheels of a long established 'grandparent scam'... goes something like this: 1) voice one: young adult calls, sobbing 2) grandparent inquires with a name... "Ben, is that you?" 3) voice one: "Yes grandma, it's me, Ben... I'm in trouble, please don't tell mom 4) voice two: "Hello, I'm attorney..." My grandmother fell victim to this almost 20 years ago, which only stopped when Western Union refused to let her continue sending wires... she was forced to call her daughter (at which point they just called my brother.) Our takeaway (at the time)... the voice doesn't even need to be terribly accurate, since the original interaction is brief / somewhat inaudible over the tears. Typically just requires an older vulnerable adult, a lucky strike with the initial setup (e.g. grandparent actually has a grandkid), and a lot of high pressure / duress salesmanship. |
|
| ▲ | pavel_lishin 3 hours ago | parent | next [-] |
| It's not "just" greasing the wheels, because previously each call required a human being to spend the equivalent amount of time on the phone with a victim, interacting with them - you couldn't just play a cassette tape at them, you know? And it likely requires working with other people, your "employees", who are both a liability, and a cost. With AI, you can make a thousand calls in parallel, for significantly cheaper, out of your own basement. This greases the wheels of voice fraud like a gatling gun greases the wheels of hitting a guy with a rock. |
|
| ▲ | glaslong 5 hours ago | parent | prev | next [-] |
| "Greasing the wheels" seems right in principle, but possibly putting the accelerant factor a bit... mildly. Like going from burning the turkey in the oven, to deep frying and burning your whole house down. > cybercrime losses across the United States rose 26 per cent in a single year > The FBI was candid that even these figures understate the problem. AI attribution in the report reflects only what victims recognised and reported, and most victims of a cloned-voice call never learn that a machine was involved at all. > INTERPOL found that AI-enhanced fraud is roughly four and a half times more profitable than its traditional equivalent, and that so-called agentic AI systems can now autonomously plan and execute entire fraud campaigns, from reconnaissance through to the ransom demand. |
| |
| ▲ | Forgeties79 3 hours ago | parent [-] | | To build on your point, I have this comment I wrote months ago that I end up pasting (or pasting a bit altered) probably every week: “Before LLM’s there was_____” I see this whenever an LLM’s impact is assessed. We know. The issue is scale and the ability for smaller and smaller groups (down to individuals) to execute at scale. LLM’s are pouring massive amount of gasoline on existing issues and people just keep shrugging.
Fake news always existed. Now one dude in India can flood multiple sock puppet media accounts with right wing content/images (actual example) at a scale previously unimaginable - or in this case, can target even more vulnerable elderly populations far more effectively. People could always die crossing a street. Still, cars changed the discussion about pedestrian safety pretty materially. People didn’t simply throw up their hands and go “people have always been able to die crossing the street.” | | |
| ▲ | kraquepype 20 minutes ago | parent [-] | | Don't worry, it's all worth it so long as we can get braindead summaries we didn't ask for, pretend to be the 10x engineer we always wanted to be, and generate fake videos for internet points! (sarcastic rant over) Most of the benefits of AI are being overshadowed by the lack of regulation and reckless abandon at which they are being developed. Given the current trajectory I don't know if that's going to change before it's too late. |
|
|
|
| ▲ | Foobar8568 6 hours ago | parent | prev | next [-] |
| I told my parents that I will never ask for money, doesn't matter the situation, even with live video, it's trivial to generate live audio and video nowadays. I hope they got the message. |
| |
| ▲ | abirch 6 hours ago | parent | next [-] | | Fortunately for me, my parents wouldn't be able to get the live video working. | |
| ▲ | saidnooneever 6 hours ago | parent | prev | next [-] | | i agreed key phrases. id recommend it. something unrelated to the family and totally arbitrary, agreedupon only verbally. (or write it down for them if they are old and memory is an issue. you can remind them to read your note out loud.. easy). this way, you do not footgun yourself in the event you'd ever need to ask something. Money isnt the only thing they can ask, and no one (i think) has a glass orb to tell their future and know for certain such a call would never happen. its easy to think it wont happen to you, i think that is most peoples' sentiment until it does. (having a need for help from family that is) | | |
| ▲ | mikepurvis 6 hours ago | parent | next [-] | | Key phrases make sense to put in place, but another easy safeguard is: "Before you send anything to anyone, ever, call them back. Doesn't matter if it's me, the bank, a lawyer, whatever... tell them 'hang on I have another call coming in, let me just call you back in a few minutes, okay?'" | | |
| ▲ | vidarh 5 hours ago | parent | next [-] | | I overheard a cab driver being scammed by someone claiming to be HMRC (UK version of the IRS), and when he asked to call them back they managed to convince him to call them back on Viber, and he was about to when I intervened and pointed out to him that 1) what I'd overheard was blatantly a scam, 2) if he was unsure, to go to their official website and find their number... If you're going to get people to call you back, it has the problem of ensuring that they call you back on your real number - giving reasons why they have to call you back on some other number is way too easy ("I've lost my phone", "my phone is at home", and so on) | | |
| ▲ | spiddy 3 hours ago | parent [-] | | Also, make sure to use official website, not just Google search, or any chat agent question, the SEO are sometimes poisoned with scam phone numbers. I consider myself always to be wary of scams and my trust-level is zero when they call me, but I recently almost got myself hooked on an airline support call. I google searched the support number and trusted the AI summary on top and called it, they asked me my reservation number and I happily provided. With the reservation number they have public access to the entire reservation details, they knew my name, my flight, my co-passenger details everything. I called to do a reservation for my pet which is normally not done online. their problem, they got greedy and asked me more than pet travel, iirc they said there was a problem with one of my flights, it wasn't paid and I had to repay on the call. If they just followed along instead of going by the script I would have paid the pet travel amount. |
| |
| ▲ | ceejayoz 6 hours ago | parent | prev | next [-] | | "They say they're going to cut a finger off every time you hang up." | | | |
| ▲ | xp84 6 hours ago | parent | prev [-] | | Not a thorough safeguard, if scammers have half a brain cell they can provision a VOIP number for such a request. They’re nothing if not accommodating. | | |
| ▲ | wlesieutre 4 hours ago | parent | next [-] | | You're supposed to call them back on a number you know is really that person/company. This ensures the person you're talking to is actually from your bank and not just calling from a random number and saying "I'm from your bank," or even spoofing a real number of your bank or a family member, because when you call back it will go to the real person and not the impostor. This is a very useful precaution for banks, and for or calls that come from a family member's real phone number. But scammers will just open with "I'm in trouble and my phone died" or "I'm in jail calling from a pay phone" and calling back won't do anything to help with that. | | |
| ▲ | xp84 2 hours ago | parent [-] | | Yes, that's my point. There will be a "reason" why the callback needs to be another number. Also, given at least in America, our cell phone providers STILL haven't fully blocked caller ID spoofing (last I checked, they just add some tiny icon in the rare case that the CID is trustable, and I'd bet 99.9% of people don't even know that exists!) they can spoof the initial call as your number and many targets will probably mistakenly think the CID match is good enough to just skip it, especially in this "very urgent situation" with you being held at knifepoint by the corrupt third-world cops or whatever. |
| |
| ▲ | coldtea 17 minutes ago | parent | prev [-] | | You call them back on the actual number - e.g. the official number of the bank, or the contact number of your friend, or the phone of your kid, etc, that you know or can find independently. Not any old random number they give you. |
|
| |
| ▲ | xp84 6 hours ago | parent | prev [-] | | “But, Ben, you didn’t ask me for money when you called last night at 2AM. You asked for $4,000 in Fortnite gift cards to be released from Mexican prison. Thankfully 7-11 had them and was open!” |
| |
| ▲ | root-parent 5 hours ago | parent | prev | next [-] | | The best things to stop these AI voice schemes, is to agree on a family password. The cloned AI voice will not known it. | | |
| ▲ | ferngodfather 5 hours ago | parent [-] | | That's a great idea. What do you use as your family password? | | |
| ▲ | kibwen 4 hours ago | parent | next [-] | | Nice try, but our password is the same as the password to my HN account, and for security HN automatically censors your password if you type it in a comment. See: ******* | | | |
| ▲ | root-parent 4 hours ago | parent | prev [-] | | Nice try. | | |
|
| |
| ▲ | stronglikedan 5 hours ago | parent | prev | next [-] | | I recently did the same, and I, too, hope they got the message. We agreed that there is nothing that needs to be acted upon immediately, and that anything questionable would be discussed with the whole family first. | |
| ▲ | chrisjj 6 hours ago | parent | prev [-] | | They might not believe it - for good reason. |
|
|
| ▲ | trhaynes 4 hours ago | parent | prev | next [-] |
| YC S27's ScamMyGrandparents.com lets you simulate these against your own grandparents, so you can shame and educate them when they naively wire your college trust fund to a safe account. You are able to refund either the whole amount, or keep some for yourself since they won't know any better. The cost of service is variable depending on how many homes they own. |
| |
| ▲ | ikesau 4 hours ago | parent | next [-] | | You got me excited, because I've wanted something like this for a while. Obviously without the actual extortion, but everything up to that point. White hat scamming, to teach our parents what it's actually like before it happens. | |
| ▲ | exolymph an hour ago | parent | prev [-] | | I read this comment and was like "but what is their business model?" before I realized |
|
|
| ▲ | psygn89 6 hours ago | parent | prev | next [-] |
| I remember my JROTC instructor also running into that and how she said afterwards they have a secret phrase between them two as a way of verifying it's truly them. |
| |
| ▲ | throwaway89201 6 hours ago | parent [-] | | It's very, very hard for untrained people to be strict about verifying any secret phrase. The attacker can make all kinds of excuses, while creating urgency, and many people quickly abandon verifying the phrase. A scene in One Battle After Another comes to mind. | | |
| ▲ | Karliss 4 hours ago | parent | next [-] | | Scammers can also trick the victim into reversing the roles and telling password to scammer. Even banks ocassionaly get this wrong. I have had my bank call me and ask me to read numbers from number card. If a trained bank employee following a script designed by (hopefully) an expert cant get it right, the chance of elderly relative spotting mistakes in protocol is close to 0. | | |
| ▲ | thwarted 4 hours ago | parent [-] | | The bank is trying to authenticate you, while you're trying to authenticate the bank. The bank calls and tries to authenticate themselves to the callee by saying "is your birthday such and such?", they're risking sharing PII with an unauthorized third-party. The solutions are a non-trivial amount of effort that no one really wants to put up with, unfortunately. I used to have a residential mortgage with two other people and my name was stuffed into some ancillary field as a co-holder and they refused to give me any information or transact over the phone. I eventually figured out I needed to tell them to look in some extended info field, and the whole endeavor was annoying but ultimately I was appreciative of the strictness (that the entire mortgage data model—at the time (25 years ago), I don't know what it's like today—seems to assume that it will only ever be two people of opposite gender who are married will be on a mortgage was much more disappointing. The other two people were assumed to be married and the woman was seemingly by default listed as the non-primary). | | |
| ▲ | FireBeyond 43 minutes ago | parent [-] | | Hah, I had a background check company for a previous employer send me an email saying: "Hi Firebeyond, we're doing a background check. Can you confirm the following info you entered into our portal?" then proceeds to list full SSN, drivers license, DOB, etc., etc., etc. "... and can you also confirm that this is the correct email address we have on file?" All the while they had reached out by FB Messenger to my partner (not that she was in any of the info I submitted, and this was just a standard BG check, not a security clearance) to ask her if she knew me... Luckily, my new employer was as horrified as I was, apologized profusely, and fired the background check company. |
|
| |
| ▲ | ceejayoz 6 hours ago | parent | prev [-] | | At some point, the scam evolves to a live video of a gagged loved one being tortured. "Stop wasting my time or they lose another finger." People aren't prepared for this shit. | | |
| ▲ | masfuerte 4 hours ago | parent | next [-] | | I know lots of old people who have instant access to quite significant sums of money and many of them just don't need it. I don't need it. I'd be happy to opt-in to, say, a three day wait period on new payment recipients, but my bank doesn't offer that. | | |
| ▲ | Symbiote 2 hours ago | parent [-] | | One of my banks as well as my investment broker have a three day wait to increase the maximum transaction limit. I have them both set at about €150. I think for the bank I can go to a branch to avoid the limit, but that will be with the full fraud suspicion of the teller. |
| |
| ▲ | xp84 5 hours ago | parent | prev | next [-] | | Oh, man. That does seem likely. What a world. I wonder if eventually there won’t be a human in the loop, just a model trained to make money with a strategy like that, automatedly selecting victims and a person to be impersonated for each. Pre-render a few videos, place multiple calls in parallel. Basically a turnkey Docker container that takes a bitcoin address as a parameter and fills it with stolen money. | | |
| ▲ | Martinussen 5 hours ago | parent | next [-] | | Just add video and a better voip endpoint to existing setups and you're already there. A lot of scams can be (and are) run by a small handful of people now. Phishing at scale with stuff like fake tracking links etc. is already fully automated by people in a ton of ways and can definitely handle some back-and-forth over sms/whatsapp/whatever. | |
| ▲ | trollbridge 5 hours ago | parent | prev [-] | | Long-term, it would mean that videos like that no longer function as a proof of life nor as a credible threat. | | |
| ▲ | vkou 3 hours ago | parent [-] | | That only poisons the pool for actual kidnappers, not scammers. |
|
| |
| ▲ | KludgeShySir 4 hours ago | parent | prev [-] | | "Are you prepared to bring them down to a total of 11 fingers?!?" |
|
|
|
|
| ▲ | saidnooneever 6 hours ago | parent | prev [-] |
| lucky strike is the key here they can do this with VOIP really easily to massive amounts of numbers. its staggering amounts if you look at the traffic really. worst is if they proxy that via residential proxy services which often come from end-user / individuals phones so the traffic is hard to detect for carriers etc. since it looks like a regular VOIP app connection. |