The golden age of scammers: AI-powered phishing

Protecting Less-Tech-Savvy Relatives

  • Many argue the most urgent action is helping parents/elderly family set up 2FA/MFA, ideally in person.
  • Hardware keys and backup codes are favored for reducing account takeovers, but people stress also planning for account recovery.
  • Some describe using shared TOTP secrets within families as an out-of-band way to verify identity during suspicious contact.
  • Several urge explicit conversations with older relatives about scams (phishing, “investment,” “romance,” “grandchild in trouble,” gift-card scams).

Effectiveness and Limits of 2FA/MFA

  • Commenters note conventional MFA (SMS/TOTP) does not stop phishing sites that proxy logins and steal tokens in real time.
  • Hardware security keys / WebAuthn are cited as highly effective against phishing, with one large company reportedly reducing employee phishing to zero after adopting them.
  • Others emphasize that none of this helps against scams where the victim is simply convinced to send money.
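
The contrast between relayable one-time codes and origin-bound WebAuthn assertions, as an added example that is not part of the original discussion. It shows a relying party's server-side checks using only the Python standard library. The function names, the `bank.example` origins, the challenge and the secret are constructed for illustration.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    # The server receives digits only. Nothing in them records which site the
    # user typed them into, so a code relayed within its time step verifies.
    return hmac.compare_digest(totp(secret, t).encode(), submitted.encode())

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_client_data(client_data_json: bytes, challenge: bytes, origin: str) -> str:
    """clientDataJSON checks a WebAuthn relying party makes on an assertion.
    Verifying the authenticator's signature, which covers
    SHA-256(clientDataJSON), is omitted to stay within the standard library."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong type"
    sent = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        return "challenge mismatch"
    if cd.get("origin") != origin:  # written by the browser, not by the page
        return "origin mismatch"
    return "ok"

# Constructed sample data (not from the original page).
SECRET = b"12345678901234567890"  # RFC 6238 test secret
RP_ORIGIN = "https://bank.example"
CHALLENGE = b"constructed-server-challenge"

def client_data(origin: str) -> bytes:
    # What a browser would emit for a sign-in ceremony running on `origin`.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE),
                       "origin": origin}).encode()

if __name__ == "__main__":
    print(verify_totp(SECRET, totp(SECRET, 59), 59))
    print(check_client_data(client_data(RP_ORIGIN), CHALLENGE, RP_ORIGIN))
    print(check_client_data(client_data("https://bank.example.net"), CHALLENGE, RP_ORIGIN))
```

Because the authenticator signs over the hash of `clientDataJSON`, the origin field cannot be rewritten in transit without invalidating the signature, which is the property a typed code lacks.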

Real-World Scam Experiences

  • Multiple detailed anecdotes: fake ISP support, IRS threats, “tech support” from overseas, deepfake-style Elon Musk crypto promotions, gift-card and Bitcoin QR scams, “your relative is in jail” calls.
  • Banks and some retailers sometimes intervene when they detect likely scams (e.g., elderly customers withdrawing large sums or buying many gift cards), but this is inconsistent.
  • One story describes a highly orchestrated, multi-day scam that extracted $25k from an elderly victim despite some bank resistance.

AI and Phishing Evolution

  • People expect AI to remove “bad grammar” as a phishing tell; others say overly polished language can now itself seem suspicious.
  • Some note AI can be instructed to mimic imperfect language, teenagers, or non-native speakers, making detection harder.
  • A few report already seeing AI-like phishing and deepfake-style scam videos.
  • Others are surprised AI scams aren’t more widespread yet, suggesting reasons: existing low-tech methods are already profitable, AI stacks are not turnkey for criminals, and economics/ROI may not yet favor large-scale AI deployment.

Biometrics, Device Fingerprinting, and Security Debate

  • Concerns that AI-driven phishing will replay captured device profiles and behavior to bypass fraud detection.
  • Strong criticism of biometrics and behavioral signatures: they are inferrable, can be spoofed, and unlike passwords cannot be rotated after compromise.
  • Some argue current approaches are “least bad” given what banks/processors will pay for; others think we’re relying on identifiers (like SSNs) never suited for authentication.

Email, Browsers, and Platform Responsibility

  • Several blame email clients and browsers for hiding full email addresses and URLs, eroding users’ ability to inspect links.
  • Corporate “safe link” and tracking systems that replace real URLs with long opaque redirects are criticized for training users to click unreadable links while claiming to improve security.
  • Some see this as mainly about marketing/tracking rather than safety, and describe tension inside companies between security and marketing priorities.
  • Broader frustration that “legit” businesses increasingly resemble scammers in UX and communication style, shrinking the gap between real and fraudulent messages.

Telecom, Robocalls, and Voice Spoofing

  • People ask why carriers don’t block foreign-origin robocalls or caller-ID spoofing more aggressively; one answer is that carriers profit from every call.
  • There is growing anxiety about voice cloning: even a single recorded “yes” or short call could be misused for social engineering or voice-based authentication.
  • Some recount near-misses where only a Western Union clerk or bank employee stopped a “frantic relative” payment scam; they note this was possible even years ago, before current TTS advances.

Education and Social Response

  • Many advocate a cultural shift akin to “talk to your kids about drugs,” but for scams: a continuous, explicit education effort for older and vulnerable people.
  • There is pessimism that high-trust social norms will erode as AI makes it harder to distinguish genuine communication from sophisticated fraud.