Curious Conversations, a Research Podcast

"Curious Conversations" is a series of free-flowing conversations with Virginia Tech researchers that take place at the intersection of world-class research and everyday life.  

Produced and hosted by Travis Williams, assistant director of marketing and communications for the Office of Research and Innovation, episodes feature university researchers sharing their expertise, motivations, and the practical applications of their work in a format that more closely resembles chats at a cookout than classroom lectures. New episodes are shared each Tuesday.

“Curious Conversations” is available on Spotify, Apple Podcasts, and YouTube.

If you know of an expert (or are that expert) who’d make for a great conversation, email Travis today.

Latest Episode

Katalin Parti joined Virginia Tech’s “Curious Conversations” to talk about how emerging technologies such as artificial intelligence (AI) are turbocharging social engineering scams and what individuals can do to protect themselves. She shared the common techniques scammers use, what could make a person more vulnerable to scams, and the red flags that can help mitigate such threats. Parti also talked about a new project she’s working on with residents of a retirement community to develop real-time tools to assist them in thwarting threats.

(music)

Travis

During the entire time I was in college, I can only remember receiving one email from a prince in a foreign land asking me to help him move money. I was quite flattered, and to be honest, if I had more gift cards for long-distance phone calls, it very well may have worked. Today it seems I get phone calls, texts, or emails for similar types of scams almost every single day and sometimes numerous times in a single day. So I'm curious what the current landscape looks like when it comes to these types of scams and how is it being influenced by emerging technologies like artificial intelligence?

Well thankfully Virginia Tech's Katalin Parti is an expert in this very subject and was kind enough to answer all these questions and more. Katalin is an assistant professor in the Department of Sociology in the College of Liberal Arts and Human Sciences at Virginia Tech. Her research focuses on both the offender and victim sides of cybercrime, sexual violence, and online manipulation scams. She is also a certified mediator and holds a European certification in cybercrime and electronic evidence. So Katalin and I talked all about how these emerging technologies are helping turbocharge scam calls, and she explained to me what this term social engineering scams actually means and how it really preys on some of our natural interactions with one another. She also shared about a project that she is working on with a retirement community in Blacksburg to help empower elderly folks to be better prepared when it comes to facing these scams. And she shared some great general tips that both you and I can put into practice today to help ensure that we don't get sucked in by that same prince that I interacted with in college. Though if that was real and you are listening, I apologize for dropping the ball there. I'm Travis Williams and this is Virginia Tech's Curious Conversations.

(music)

Travis

Well, I want to talk to you about emerging social engineering scams, but I think maybe a good place to start that conversation is I know there's a lot of artificial intelligence. There's a lot of other emerging technologies that are out there. And I'm just curious, what does the current landscape look like when it comes to scammers and scam calls, scam emails, just the whole breadth of scammers.

Katalin

So the biggest shift is not that scams are brand new, but that they are now faster, cheaper, more personalized and more believable thanks to AI. AI helps scammers write more polished messages, imitate voices, create fake identities and scale outreach across emails, text, social media, and even video. I don't know how interested you are in numbers. This is what we usually do to demonstrate the scale of AI-related scams. So the FTC, the Federal Trade Commission, reported more than $12.5 billion in fraud losses, according to the latest report. The latest report comes from a couple of years ago, 2024. I will have the opportunity to look at 2025 in mid-April because usually that is when the latest report comes up in mid-April. When I'm talking about loss and the scale of scams, I'm talking about the latest report, that means 2024. So according to this report, people lost over $3 billion to scams that started online.

 

And the IC3, the Internet Crime Complaint Center, reports that Internet crime losses are even higher. The losses are over $16 billion, phishing, spoofing across the most commonly reported crimes. So in summary, AI is not replacing classic scams. It is, so to say, turbocharging them. Impersonation scams remain central, but now the fake bank representative, grandchild, employer or government official can sound more convincing because of AI and arrives through multiple channels at once. scams are also surging. The FTC reports show that $470 million is reported in losses. Tax scams in 2024, more than five times the amount reported just five years ago. So as a segue to typical scams today, text-related messaging. So court-issued, maybe even you got this text. There is a court-issued traffic violation notice going on that uses a QR code that you have to scan and pay your dues. If you don't do it, the court will issue another violation notice with an even bigger amount. And so we call it quishing, scam using QR code. So what is it about and what tactics it applies? As I said, it comes to your phone as a text message. It says, notice of hearing from a county. There is highly official looking, it uses a QR code to resolve the issue. At first glance, it looks real. Now, let me tell you that for most people, it doesn't bother scammers that it looks real because they don't need to fool everyone. They just need to fool enough people. So even if 1% of people getting these text messages react positively, it's a payday for scammers. The tactics they apply here, and this is a highly official looking message, it looks like a court document with the stamp even. So the tactics they apply, authority, it looks like it came from a real court. They apply urgency. You have a hearing date. It's time sensitive. It also puts fear to your mind. You are in legal trouble. You have to pay fines. And then it offers a very similar and seemingly viable solution to resolve it. Scan the QR code and resolve it right now if you don't want to add a court hearing. So they offer you a simple and easy way to take care of this. Just make the payment. This kind of text message based, text messages, a platform of the scam is exploding right now.

Travis

I want to ask you some more about some best practices because I want to be able to avoid all these things. Luckily, I don't have any, I don't think that I have any outstanding parking tickets or speeding tickets. So I don't have that happening right now in my life. But I'm curious, just as a follow-up question, you mentioned that some of these have evolved to maybe approaching people on multiple platforms. Is that something that we're seeing a lot? Like maybe the same scam attacking me via text, but also via email?

Katalin

Could be, but according to my experiences, the same scammers attack you either. They are either using the phone or they're using a phishing email or they're using social media or they're using pop-up windows. So it's not the same scammers unless it's a real big business. Okay.

Travis

Okay. They're just, it's a lot of different people coming at me from a lot of different places. The things that you just described, would those be considered social engineering scams? Or I guess maybe a better question is how would we define social engineering scams?

Katalin

Yeah, great question. So social engineering scams work by manipulating trust, fear, urgency or hope and respect for authority rather than using just technical tools or code to hack a device. The scammer poses as someone credible, creates an emotional or time sensitive situation and pushes the target to act before verifying. This is the Cybersecurity and Infrastructure Security Agency that was established maybe 2018. And this is a government agency. It describes phishing as a form of social engineering. And the FBI reportedly warns that scammers use these tactics, urgency, isolation, and impersonation to get immediate compliance. They specifically anticipate that the human being, us, are the weakest link. So the basic sequence is usually they contact you and anticipate that you will provide some kind of answer.

It doesn't matter if you just say that, you get a text message. Hey, James, do you want to go out for dinner today? And it's enough if the targeted person replies, it's a wrong number. I'm not James. So this already signals to the scammer that you are reachable. Maybe not immediately, but they continue the conversation. You seem like a nice person. You seem like a nice person. Let me tell you about this great investment opportunity in crypto. So this is the foot in the door moment. So after they contact you, they use credibility. They establish credibility. I'm an authority. I'm an official figure, I am from your bank or I know how this great opportunity to invest works because I have done this. And then they play on your emotion. Please do it for me. You seems like a nice use. Or maybe they incite fear or anxiety, bad things will happen if you don't right now. And they offer you a very simple and doable action. So for example, click on that link and follow the instructions to pay. And then they extract money or data or useful information.

Travis

That was what I was going to ask you next is what are they trying to get? I mean, seems like, I mean, I would assume that they're trying to get money all the time, but are there other things as well?

Katalin

Yeah, so at the most basic level scammers want money, but also they want access to your files, bank information, sensitive data, your private data, or all of them. Sometimes they want an immediate payout. Sometimes they want account credentials, social security numbers, banking details, or remote access so they can come back later. In other cases, they want to turn the victim into part of the scam itself, for example, as a money mule, compromised employee, or a repeat payer. Scammers are often not just stealing once, they are trying to move a person along the pipeline. From a target, you become a victim and you can become a reusable asset. That is how scams can escalate.

Travis

Yeah, that makes a lot of sense. I believe that some of your work is in studying populations that might be more vulnerable than other populations to this. I'm just curious what populations of folks are the most vulnerable to these types of scams?

Katalin

So unfortunately, we don't have a precise victim profile or risk profile for the victim. So you cannot put your finger on the truth. This is usually more complicated. There is no single naive victim. Different groups are vulnerable to different scam types. And sometimes you talk about older people, how older age groups are much more vulnerable for different reasons. But here is the finding from research. Older people, older adults often suffer the highest dollar losses. But at the same time, younger adults often report losing money more often but smaller amount more often than exposed to when exposed to fraud. So the FTC's data show that people between the ages of 20 and 29 report losing money in 44% of fraud reports, much higher than older age groups. So the pattern is not older people get scammed and younger people don't, but rather younger adults are frequently exposed, more frequently exposed and monetized, and older adults are often hit for more devastating amounts. Beyond age, the most vulnerable moments are usually when you go through some significant life transitions that function as emotional pressure. For example, you're going through grief, you're particularly lonely, you were involved in caregiving, you're an immigrant and you're just learning the culture and the clues, the signs, the rules. You're seeking jobs, you're already stressed in these situations. You're online dating, you have health stress, financial strain, or just unfamiliarity with the digital systems. Scammers look for conditions that reduce verification and increase urgency. And precisely in these situations, people are more overwhelmed and they have less brain capacity to realize what they are facing.

Travis

Yeah, that makes a lot of sense to me, just, especially just the stresses of life. And when things kind of get crazy, you know, you don't have as much, like you said, brain capacity, you don't have as much time a lot of times either. So you might be more apt to just click on some stuff.

I know you've been doing some work with some folks at Warm Hearth Village, which is a retirement community here in Blacksburg in the New River Valley. And so I'm curious, what can you tell us about the work you've been doing there with that population to help them better prepare to defend themselves against scams?

Katalin

Thank you for this question, because now I have the opportunity to give thanks to our sponsors, which is the Whole Health Consortium at Virginia Tech. And so this is a multidisciplinary project. And I would emphasize that this project is not based on simply telling older adults to be more careful or conveying the information that they should know to avoid scams, but it's a community-based scam prevention effort together with sociology, computer science, and electrical and computer engineering that we do together. The project is called, it has an acronym, Anti-Scam Conversational Helper for On-Core Resilience. And the key idea is that most scam prevention today happens too late after the fact, after the call, after the loss already happened.

And this project is really designed to address two major gaps in how we currently approach scam prevention. So first, we already have tools, but not in a moment when people need them the most. So right now, there are plenty of scam checking tools, websites, databases, even browser extensions, but they all work after the fact. And you have to have access to the text in order to copy and paste to these platforms. But you have to stop, search and check. But scams, especially phone scams, we're talking about scam types that target especially older individuals who have high propensity to still answer phone calls, right? Doesn't work this way in phone calls. They are live, fast and pressuring you to act immediately. So what is missing is a tool that can listen while you are on a call and help you in real time. And that's exactly what we are building, a smartphone-based language assistant. It will be a large language or a small language model assistant that analyzes conversations as they happen, real time. It detects tactics like urgency, authority or threats, and it gives immediate simple feedback. Pause, this sounds like a scam, and these are the clues. It explains why and in a way that builds trust and understanding. So instead of expecting people to step out of the situation to verify, we bring verification into the situation. And the second gap, and we know it from earlier research, is that knowledge is not the problem, but the application of knowledge under pressure is. So one of our most important findings from past projects is that older adults know much. Sometimes they know even more about scams and digital fraud than younger age groups. So they already know the red flags. They can tell you exactly what a scam looks like and what they should do. But in real scam situations, something else happens. The scammer creates a sense of imminent danger. Your account is compromised. Your grandchild is in trouble. And this triggers a stress response. It's a very natural evolutionary reaction, what we call fight-flight-freeze or fawn. That is, the fawn reaction means that following the instructions of the scammer, we hope that we will be let off the hook by doing so and we can escape this very stressful situation easily. And in that moment, the logical reflective brain shuts down. This is how we are designed by evolution and people act on instinct. So the issue is not the lack of knowledge, but how people can access or cannot access this knowledge under pressure. This is where our project comes in. We combine the real-time phone app with a second piece, an extended reality environment that we are building right now. We want to simulate realistic scam scenarios, how fast-paced, confusing, emotionally loaded these scenarios are. And we will add elements like busyness, multitasking, because that's how scams actually happen successfully in everyday life. And we want to use this extended reality environment to train participants to pause, recognize the tactics and follow through with learned responses. Because one thing is to know what to do and what you should do. And the other thing, the next step is that you could apply these tactics in real time, in the reality. And of course, we want to hire real scammers. So it will be a laboratory situation, right? But still we anticipate positive, significant and positive outcome from this. And I should mention this because it's very important. It's co-designed with older adults, not imposed on them. And this is where sociology comes to mind. It combines social science and engineering because the very first step of the programming is that we will ask Warm Hearth Village participants, that core group of participants, what they need, what are the knowledge gaps, what are the reasons that they cannot apply their knowledge in these situations. And why we call it whole health is because scams don't just cause financial loss, they lead to stress, shame, and even physical decline when it comes to older populations. Yeah.

Travis

Well, if I was to paraphrase all of that and all of it sounds amazing. And I'm glad that you mentioned the Whole Health Consortium, because I think they do really fantastic work over there. But if I was to paraphrase all of it sounds like that you're going to work with this population to figure out what tools they need first, where their gaps are, help them develop a tool. And then you're going to create someplace where they can practice putting it to work, which just sounds, it sounds great. And in fact, there's part of me that wants to try something like that for myself. And that does though get me to, I guess the question that I probably most need help with, which is what are some just basic best practices that I can put into place? Anyone who listens to this can put into place to help keep them safe and more secure and maybe mitigate some of these social engineering scams?

Katalin

Yeah, thank you for this question. So the single best habit is slow down the interaction. Most scams depend on urgency. If someone says act now, that is exactly when to pause. Don't click on unexpected links. Don't use contact information provided in a suspicious message and verify through a known number or website independently of the message that you got. So the practical set of rules that I would say would be useful for everyone. And it's simple. Stop, verify and consult. So stop before acting. Verify through a second channel you already trust. And maybe consult another person if money, passwords, gift cards, crypto, wire transfers or remote access are involved. Also very important, this is a technical tool and I'm mentioning this because I'm hearing from colleagues all over the university and, and also from my friends, how annoyed they are getting because of these multifactor authentication systems, right? So in the past we had two factor authentication that slowed down the decision making process, but now we have multifactor authentication. And here is how it works for slowing down. By the time you go through all the authentication processes that requires you to verify your personality, your identity multiple times, it gives your brain a break and you can let off the hook and you can actually have time to realize that, this is maybe I verify myself or I shouldn't give out the information that was requested. Also, connected to that, keep devices updated, avoid sharing the one-time passcodes that you have through the process. Treat any request involving secrecy, payment by gift card, crypto or wire transfer as a major red flag. Unfortunately, verified social media accounts, professional looking emails and polished voices are no longer proof of legitimacy because as we talked about it, scammers started to use AI already. AI is very helpful to correct your mistakes and sound very professionally and look very professionally. So the real defense is not spotting every fake message perfectly. If you get a scam call or message, probably they have multiple red flags, but you have to just identify one weird thing or one red flag that's usually enough to send your brain a message that, hey, this is probably a scam and build habits that make it harder for scammers to rush, isolate and manipulate you.

(music)

Travis

And thanks to Katalin for helping us better understand scams and how we can better prepare ourselves to defend against them. If you or someone you know would make for a great curious conversation, email me at traviskw.vt.edu. I'm Travis Williams and this has been Virginia Tech's Curious Conversations.

(music)

About Parti

Parti is an assistant professor with the Department of Sociology in the College of Liberal Arts and Human Sciences at Virginia Tech. Her research focuses on both the offender and victim sides of cybercrime, sexual violence, and online manipulative scams targeting older people. Parti is a certified mediator and holds a European Certificate in Cybercrime and Electronic Evidence. She is also a co-author and co-editor of "Juvenile Justice and Schools: Policing, Processing, and Programming."

About the Podcast

The podcast is produced and hosted by Virginia Tech writer and editor Travis Williams. University researchers share their expertise and motivations as well as the practical applications of their work in a format that more closely resembles chats at a cookout than classroom lectures. New episodes are shared each Tuesday.