SecureMac, Inc.

Checklist 408: Family Passwords and Smishing, Revisited

January 24, 2025

Protect your family with secret passwords and avoid smishing scams—learn how AI is fueling new threats and simple steps to stay safe.


Family Passwords: A New Essential in the Age of AI Scams

In today’s digital landscape, the concept of a “family password” has evolved from a child safety tool to a critical measure against sophisticated scams powered by artificial intelligence. Originally designed to protect kids from potential abductors, these secret passphrases are now being championed as a way to safeguard families from AI-driven scams, including voice cloning and deepfake technology.

AI-Enhanced Threats on the Rise

A report by Wired highlights the growing menace of AI-powered scams. Criminals are leveraging machine learning to create deepfake videos and clone voices with just seconds of audio. These tools are being used in fraudulent schemes, such as fake ransom calls, where scammers impersonate family members in distress to extract money.

Rachel Tobac, CEO of SocialProof Security, revealed that such scams are alarmingly common, with “a few families every day” falling victim to AI phone-call attacks. The Federal Bureau of Investigation has issued a recommendation urging people to establish secret code words or phrases to verify identities during emergencies.

How Family Passwords Work

The idea is straightforward: if someone claiming to be a loved one contacts you in a state of urgency, you ask them to provide a pre-agreed passphrase. This simple step can expose impersonators and prevent emotional manipulation.

However, experts warn that the sense of panic instilled by scammers can make it difficult to remain composed. Rachel Tobac suggests additional verification methods, such as texting a word for the person to read back.

What Makes a Good Passphrase?

Security professionals and Starling Bank in the UK advise using passphrases that are:

  • Unique: Avoid easily guessed words like birthdays or pet names.
  • Private: Do not share or joke about your passphrase on social media.
  • Memorable: Simple, quirky phrases like “cheese puffs” or “rainbows and dragons” work well.

Tobac emphasizes the importance of privacy, pointing out that passphrases lose their utility if publicly disclosed. She also suggests using alternate methods of verification, such as texting a word, especially in situations where the person may be too disoriented to recall a passphrase.

While the rise of AI tools offers incredible potential, it also demands a shift in how we protect ourselves and our families. Implementing a family password is a simple yet effective measure to counteract these evolving threats. As Tobac aptly puts it, practicing “polite paranoia” is no longer optional in today’s world—it’s essential.

Wave of Toll Phishing Scams Hits U.S. Phones: What You Need to Know

A recent surge in toll-related SMS phishing scams, known as smishing, is targeting residents across the United States. Fraudulent text messages purporting to come from toll operators like E-ZPass warn recipients of unpaid tolls and fines. These scams are part of a broader wave enabled by new phishing tools and tactics, according to a report by Krebs on Security.

Smishing Evolves with Advanced Tools

The phishing wave stems from a commercial phishing kit developed in China, designed to mimic toll operator websites on mobile devices. These kits are tailored for specific U.S. states, including Massachusetts, Florida, California, Colorado, and more. Some state transportation departments, such as that of Massachusetts, have issued public warnings about the threat.

Ford Merrill of SecAlliance notes that the ultimate goal of these scams is not just to collect small payments but to harvest personal and financial data that can be used to exploit victims further. Stolen payment card details are used for mobile wallet transactions, online purchases, or even money laundering through shell companies.

Expanding Targets and Delivery Methods

This new scam builds on past phishing efforts that impersonated shipping companies, customs authorities, and even governments. Toll road phishing is a fresh approach that catches people off guard. Additionally, fraudsters now use channels like iMessage and RCS, which are harder for telecom providers to filter, making these attempts more likely to succeed.

Even people who don’t own cars or drive toll roads are receiving these texts, suggesting that phone numbers are selected at random rather than based on toll road usage.

Why These Scams Are Dangerous

The phishing sites linked from these texts are operated in real time by criminals and are highly dangerous. If visited, they can extract sensitive information from victims almost immediately.

Krebs on Security emphasizes that responding to or interacting with these messages is risky. Merely replying, even sarcastically, signals to scammers that your number is active and monitored, increasing your vulnerability.

What to Do If You Receive a Smishing Attempt

  1. Ignore or Delete: Do not reply to or click on any links in suspicious messages.
  2. Verify Independently: If you’re concerned about outstanding tolls, contact your local toll authority directly through their official website.
  3. Report the Scam: The FBI encourages filing complaints through the Internet Crime Complaint Center (IC3.gov). Include the phone number that sent the text and the fraudulent site link in your report.
  4. Spread Awareness: Inform friends and family to help prevent others from falling victim.

As smishing grows more sophisticated, awareness and caution are essential. Avoid engaging with unsolicited texts, verify any claims through official channels, and report scams to authorities. Staying informed can help protect against these evolving threats.
