FBI launches new email security campaign
Republished on December 21 with a new cybersecurity report on predicted AI threats for 2025, reflecting the latest FBI warnings.
‘Tis the season to be worried – at least when it comes to the alarming increase in attacks against Gmail, Outlook, Apple Mail and other email users. So, little surprise that the FBI has launched a new campaign warning email users how to Rest assured, the only trickster you should see this holiday season, says the agency, is Naughty Elf.
“Fraudsters,” the FBI warns, “often offer too-good-to-be-true deals through phishing emails or advertisements. Such schemes may offer branded merchandise at extremely low prices, offer gift cards as an incentive, or offer products at a good price, but the product you receive is different from the one ordered.”
Their advice boils down to three key things to check with every unsolicited email that arrives in your inbox before you click into trouble: Check the sender’s email address; check any URL before clicking or safely before engaging; and check the spelling and grammar of the email itself, as well as the URL.
We have seen an increase phishing and fraudulent web domains this holiday season, with all threats on the rise. With the help of AIit is now easier for attackers to create convincing emails and websites, mimic logos and other product images, even polish their copy to make it more persuasive and persuasive with fewer mistakes.
The best advice remains to ignore marketing messages – especially when research into the holiday season suggests that most of these are now either scams, scams or worse. If you see an offer you like, navigate to it by going directly to the website or using a search engine. Although you also have to watch out for SEO poisoning. It has become a more dangerous online world than ever, and you really need to be careful.
All that said, the FBI’s advice on phishing attacks has not changed:
- “Remember that companies generally do not contact you to ask for your username or password.
- Do not click on anything in an unsolicited email or text message. Look up the company’s phone number on your own (don’t use the one provided by a potential scammer) and call the company to ask if the request is legitimate.
- Carefully examine the email address, web address and spelling used in all correspondence. Fraudsters use small differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
- Set up two-factor authentication (or multi-factor authentication) on all accounts that allow it, and never disable it.
- Be careful about what information you share online or on social media. By openly sharing things like pet names, schools you attended, family members and your birthday, you can give a fraudster all the information they need to guess your password or answer your security questions.”
Google’s Gmail team has just issued its own advisory, warning that “since mid-November, we’ve seen a massive increase in email traffic compared to previous months, making protecting inboxes even more of a challenge than normal.” The team says it “blocks more than 99.9% of spam, phishing and malware in Gmail” for the platform’s more than 2.5 billion users. While security has improved, the company has issued its own advice to users:
- “Gonna slow down. Scams are often designed to create a sense of urgency and often use terms like “urgent, immediate, disable, unauthorized, etc.” Take time to ask questions and think things through.
- Point control. Do your research to double-check the details of an email. Does what it says make sense? Can you validate the sender’s email address?
- Stop! Do not send. No reputable person or agency will ever demand payment or your personal information on the spot.
- Report it. If you see something suspicious, mark it as spam. You’ll make your inbox cleaner and help billions of others too.”
With perfect timing, one such email attack made its own headlines yesterday, with Daily Dot reports that “a tech expert is warning his followers to be on the lookout for the latest Apple email scam.” Originally published on TikTokScott Polderman warns other users that “the reason this works so well for hackers is that it catches you off guard. And unfortunately, it works really well with those who are less tech-savvy.” The last point is critical – while those reading this article may be knowledgeable about such attacks, in reality most users are not and remain vulnerable.
In his TikTok video, Polderman shows an email purporting to be from Apple with instructions on how to keep your account. safe and secure. The format of the email is similar to an Apple original, and it appears to be the type of email users might receive to check their settings. The email even includes details on how to create a legacy contact after death, so that someone can then access your account. Polderman notes that even the fine print at the bottom of the email “is basically verbatim what you would see on Apple’s website.”
But just as the FBI advises, you can quickly check the actual email sender. “This tells me it’s not from Apple.com.” This is always the first thing to check. Click on the name, which is probably all you’ll see in your email app and is easy to mimic. But the underlying full email address is the story.
Fraudsters are smart and will come up with a form of words that may be an email address from a genuine company, but it will be complex and not from the genuine domain. Although it is possible to emulate even this, it is usually not done. Most of the mass of phishing attacks can be detected with this simple check. Never treat any email as genuine until you’ve done at least that.
But beware – even though this is a simple phishing scam, more sophisticated attacks find ways around this. It even includes hijacking real email addressesso that emails are sent from actual addresses that make the scam much more difficult to detect. But if the email claims to be from a global brand like Apple or Microsoft or Meta, their basic email domain will not have been hijacked.
I did a spot check of the last 25 phishing emails I had received, and all failed this test, although the copy and images are now very difficult to detect according to the FBI’s AI alert. Fraudsters are getting better at tricking email users, as much is as clear as the Apple logo and typography in Polderman’s video. And AI is critical to making everything look and feel more real. You probably cannot take any individual test. And so the advice not to click on links or open attachments in any of your emails remains.
But while the pilot light is still there, all indications for 2025 are that threats will become more sophisticated as AI tools continue to improve. In its recently published Cybersecurity Forecasts for 2025, McAfee focuses on this risk, highlighting “the emerging threats consumers may face as cybercriminals leverage advanced AI technologies. From hyper-realistic deepfakes and live video scams to AI-powered phishing, smishing and malware, these predictions reveals how cybercriminals are using AI-powered tools to create increasingly sophisticated and personalized cyber fraud.”
The security company lists its predictions with AI joined. “As AI continues to mature and become increasingly accessible,” warns Abhishek Karnik, the company’s head of threat research, “cybercriminals are using it to create scams that are more convincing, personalized and harder to detect. From deepfakes that blur the line between genuine and fake to AI-powered text messages, email, social and live video fraud, the risks to online trust and security have never been greater.”
Some of the report’s AI highlights are detailed below – but in full Report is worth reading. Keeping these threats in mind can only be helpful as we move into 2025.
- The use of AI to develop “highly realistic fake videos or audio recordings that pretend to be authentic content from real people,” echoing the FBI’s same warning. “As deepfake technology becomes more accessible and affordable,” says McAfee, “even people with no prior experience can produce compelling content. With easy-to-use AI tools and tutorials available, it’s easier than ever for fraudsters to manipulate trust and deceive people. “
- Again, echoing the FBI’s own warnings, McAfee also points to AI “giving cybercriminals the ability to easily create more personalized and persuasive emails and messages that appear to come from trusted sources, such as banks, employers or even with family members.They can create these scams quickly and with precision, making them harder to detect and increasing their success rate.As AI tools become more available, these types of attacks are expected to grow in sophistication and frequencies.”
- And in addition to visual tricks, AI is also driving the threat of malware, with bad actors “using AI-powered tools to create smarter, more adaptive malware that can increase its effectiveness. For example, advanced tools like Optical Character Recognition (OCR) technology can ) – which scan images or documents and convert the text in them into editable and searchable digital text – now extract sensitive information, such as cryptocurrency wallet keys, directly from screenshots or documents As AI capabilities grow, so does the sophistication of these threats, making them more effective and dangerous.”
The good news is that AI can be used by the good guys too, and we’ve now seen development releases from Microsoft and Google that show that AI is deployed in Edge and Chrome to use their own tools to detect threats that people are unlikely to find on their own, without help.
An example would be checking a website against the brand it purports to represent, or looking for signals that indicate a threat, such as asking for certain types of financial or personally sensitive information.
What’s still missing is the same kind of detection being fully and correctly applied to email on the device. While billions of emails are detected and blocked by platforms, too many still get through. It’s a constant source of surprise how obvious phishing emails with obvious control messages make it to an inbox, a lot of legitimate emails still get caught by mistake. AI will fix all of this – and it can’t happen soon enough. Recent advances in on-device AI mean this can be done while preserving user privacy.
All that said, the FBI’s simplest message is still the best: “If it seems too good to be true, it is.”
