Scam psychology: How deepfake Walmart callers use your own brain against you

BY KERRY TOMLINSON, AMPERE NEWS

A new round of scam calls shows that criminals are experimenting with AI-generated voices to pose as customer service representatives at big companies like Walmart.

But the technology behind these calls is not as important as the psychology --- the mental tricks that make us fall for the scam.

We look at the scammers' tactics in a recent wave of calls claiming to be from Walmart.

Watch here:

Surprise Charges

The call starts out with a greeting.

"Hey. This is Bryn from Walmart."

Then comes the bad news.

"A pre-authorized purchase of PlayStation 5 Special Edition and Pulse 3D headset is being ordered from your Walmart account for an amount of $919.45."

You didn't order that. And you don't want to pay almost a thousand dollars for a mistake.

But the caller --- an AI-generated voice --- offers you an easy solution.

"To cancel your order or to connect with one of our customer support representatives, please press one."

Lack of support

Press one and you'll connect with criminals, who will likely try to steal your money, make off with your credit card number, download malware onto your phone or computer, and dig into your bank account.

Despite the use of the latest technology to sound like real people, the scammers are targeting your brain more than your ears.

"What we need to do to defend against that is think outside the box," said Rachael Tubbs with security company Independent Security Evaluators.

She studied the psychological tactics cyber criminals use to manipulate you in fake messages.

Here are four popular strategies.

1. Fear

Attackers want you to believe that something bad is going to happen. It could be serious or minor. You need to take action to avoid it.

Example: A fake message says you have to pay a small toll of $5.59 for using an express lane or you could be in "violation" and pay excessive late fees. Both of those sound unpleasant, so it seems wiser to pay the small toll now and skip the headache. But the payment site is a trap set by crooks.

In the Walmart call, you might be worried that you'll be stuck with the $919.45 bill. Or maybe someone stole your credit card number.

"Or if you don't verify this purchase, your credit card is going to get put on fraud alert or something and you're not going to be able to use it anymore. Your account's going to be frozen," Tubbs explained.

2. Urgency

The message presents a situation where you need to act quickly, giving you no time to think.

Example: A fake email tells you to secure your account immediately if you don't recognize the login attempt included in the message. You won't recognize it because it's not a real attempt. The instructions urge you to act fast for your own security.

In the Walmart call, the caller speaks quickly, adding pressure. If you don't press one, you might have to pay up, even if you didn’t make the purchase. There's no callback number provided, so it may seem that this call is your only chance to fix the error.

"Somebody reaches out and says, 'If you don't do this right now, something bad's going to happen.' You go, 'Oh, no!'" Tubbs said.

3. Trust

If the attacker can gain your confidence, they'll be able to manipulate you more easily. As it turns out, we often give our trust away freely.

A Proofpoint report last year showed that 44% of people surveyed believe an email is real if it has familiar branding, like a company logo.

Example: A fake email tells you that your PayPal account is temporarily limited. At the top, you see the PayPal logo. If you believe the branding is real, you'll be more inclined to click the link to see why your account is limited and how to resolve it.

In the Walmart call, the scammers can simply say the word ‘Walmart’ and automatically gain trust.

In addition, scammers are using a number of different AI personalities --- male and female, American and British. The scammers may be testing to see which scam voice people respond to most.

"It's a false sense of trust. So, we don't realize that maybe the person reaching out to us doesn't have the intentions we do," Tubbs said.

4. Curiosity

Much like a clickbait headline, a fake message may claim to have valuable information --- if you click a link or take an action that benefits the attacker.

Example: A fake email claims that your partner is having an affair and the sender has the pictures to prove it. You have to open the attachment to see them, giving the attackers a chance to download malware onto your phone or computer and try to steal money and passwords.

*A fake email in Spanish says your partner is having an affair and they have a picture to show you. Image: Trend Micro*

"They'll use a tactic where, 'Oh, if you don't click this link, you're not going to get all the information you need for something," Tubbs said. "Curiosity is a big one."

In the Walmart call, you may not know if the PlayStation 5 is really charged to your account or not -- and how to cancel it -- if you don't press one.

What to do

You can employ some tactics of your own when dealing with messages and calls. Here are four steps to defeat the scammers:

1. Question -- every call, email and text message. What do they want from me? Could it hurt me?

2. Research -- has this kind of message been used in a scam before? Copy the text and search for other examples online.

3. Verify -- contact the person or company separately to see if it's real.

4. Remember -- what are the tricks attackers use? Do any of the common tactics show up in this message?

"It all ties back to using your critical thinking skills and taking a moment to really investigate each piece of the puzzle before you move forward," Tubbs said.

A WORD FROM WALMART

Walmart says they don't call people out of the blue like "Bryn" and her AI colleagues.

The company's advice is to not respond to the call and go to your own account separately if you want to check for strange charges.

If you find something, contact the company through the information provided with your account.

If the latest wave of calls prove fruitful for attackers, they may continue to pose as Walmart reps. Or they may cycle through other well-known company names to try to gain your trust, generate fear and urgency, and pique your curiosity.

Keep an ear out for these audio fakes and their sneaky manipulation tactics, as there will be many more to come.