A code is relayed to the attacker’s Telegram bot
AI BOTS are stealing victims’ log-ins by tricking them with fake information and spoofing banks.
But there are simple ways you can protect yourself from these evil scammers.
Two-factor authentication (2FA) using one-time passwords is usually regarded as a safe way to protect against phishing and theft.
But it is “not a magic bullet,” warned anti-virus experts Kaspersky.
“Even with 2FA, personal accounts remain vulnerable to one-time password bots,” it added.
“Sites usually send a verification code in the form of a text, email, push notification, instant message, or even a voice call.
“The code can be generated in a special app directly on the user’s device, although, sadly, few people bother to install and configure an authenticator app.”
ONE-TIME PASSWORD BOTS
These AI bots pretend to be legitimate organizations, including banks, to make victims reveal a one-time password (OTP).
Firstly, they steal the victim’s login credentials — including a password.
The AI bot then calls the unsuspecting victim to get their OTP.
The crafty way this is achieved is with a pre-recorded social engineering script.
“The unsuspecting victim keys in the code right there on their phone during the call; the code is relayed to the attacker’s Telegram bot [and] the scammer gains access to the victim’s account,” said Kaspersky.
HOW AI BOTS START
Fraudsters launch their AI bot scams by initially buying a subscription in crypto which costs about $420 a week.
The bots are given the intended victim’s name, number, and banking details.
In a scary twist, the scammers can activate a special spoofing function, so the call appears to come from the bank’s own number, to trick people into revealing their secret OTP.
“They can also customize the language, and even the voice of the bot,” added Kaspersky.
That’s because all the fake voices are AI-generated.
“The victim needs to believe that the call is legitimate, so, before dialing the number, some OTP bots can send a text message warning about the upcoming call,” the experts added.
Thus the victim assumes they have received a genuine text from their bank alerting them to a pending call.
“During a call, some bots may request not only an OTP, but other data as well, such as bank card number and expiry date, security code or PIN, date of birth, document details, and so on,” said Kaspersky.
“While OTP bots are effective tools for bypassing 2FA, they’re utterly useless without the victim’s personal data.
“To gain account access, attackers need at least the victim’s login, phone number and password.
“Scammers take the opportunity to extract as much personal information as possible, pressuring the user to ‘confirm their credentials’.”
HOW TO STOP BECOMING AN AI BOT VICTIM
If you suddenly receive a one-time password, be cautious as someone might be trying to hack you.
If an unsolicited message containing a login code pops up, “don’t click the confirmation button if the message is in the ‘yes/no’ form, don’t log in anywhere, and don’t share any received codes with anyone,” said Kaspersky.
Create strong and unique passwords for all your accounts.
“Scammers can’t attack you with OTP bots unless they know your password, so generate complex passwords and store them securely,” it said.
“If you receive a message with a link to enter personal data or an OTP, double-check the URL.
“A favorite trick of scammers is to direct you to a phishing site by substituting a couple of characters in the address bar.”
Just as importantly, don’t ever share your one-time passwords with anyone – and never enter them on your phone keypad during a call.
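The “substituted characters” trick Kaspersky describes can be checked mechanically before you type anything into a page. The following is an added example, not code from the article or from Kaspersky: it takes the hostname out of a received link, folds characters that look alike at a glance, and compares the result with a constructed allowlist of bank hostnames (placeholder names, not real banks). The allowlist, the homoglyph table and the edit-distance threshold are assumptions chosen for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames your bank actually uses (placeholders).
LEGIT_HOSTS = {"example-bank.com", "login.example-bank.com"}

# Sample look-alike substitutions; applied to both sides, so "rn"->"m" is harmless.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "rn": "m", "vv": "w"}
MAX_EDITS = 2  # assumed threshold: a couple of changed characters is suspicious


def normalize(host: str) -> str:
    """Lower-case, decode punycode, strip accents, and fold look-alike characters."""
    host = host.lower().rstrip(".")
    if host.startswith("xn--") or ".xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    for bad, good in HOMOGLYPHS.items():
        host = host.replace(bad, good)
    return host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str) -> str:
    """Return 'ok', 'lookalike of <host>' or 'unknown' for the link's hostname."""
    host = urlsplit(url).hostname or ""
    if host in LEGIT_HOSTS:
        return "ok"
    norm = normalize(host)
    legit_norm = {h: normalize(h) for h in sorted(LEGIT_HOSTS)}
    for legit, ln in legit_norm.items():      # identical once look-alikes are folded
        if norm == ln:
            return f"lookalike of {legit}"
    for legit, ln in legit_norm.items():      # real name buried in a longer host, or near miss
        if ln in norm or levenshtein(norm, ln) <= MAX_EDITS:
            return f"lookalike of {legit}"
    return "unknown"
```

Anything other than “ok” means the link is not one of the bank’s own addresses and the code or login should not be entered there.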