Warning that the Federal Bureau of Investigation is wrong, very wrong indeed, about recommended mitigation advice for people who may fall victim to email phishing scams isn’t what I thought I’d be doing today, yet here we are. Google has already alerted Gmail users to a second wave of scam attacks, highlighting three particularly prevalent attack methodologies, and the mitigation advice offered is mainly sound and sensible. The FBI, however, has also warned of seasonal phishing scams, and some of the mitigation advice is, in the opinion of many security experts, very wrong indeed. Here’s what you need to know.
Where The FBI Phishing Mitigation Advice Goes Wrong
The FBI recently issued a renewed warning about the dangers of seasonal phishing attacks against Gmail, Outlook and Apple Mail users. The advice offered up by way of mitigation was, for the most part, solid enough: verify website addresses before visiting them, be wary of too-good-to-be-true deals and use secure payment methods. Sure, the use of link-hovering attacks has complicated the URL-checking advice a little, but it remains sage nonetheless.
Less so, however, is one piece of advice still being touted by the FBI as somehow relevant as 2024 moves into 2025: check the spelling used in any correspondence. While this is relevant in the context of URLs that use alternative spellings and character sets to try to fool the eye, when it comes to the email itself, I’m afraid that you can no longer rely upon the attackers to make spelling mistakes or be sloppy with their grammar in whatever language is being used. It is possible this is just poor communication on the part of the FBI itself, of course, and it really means spelling mistakes solely in links. However, that isn’t how it reads to me or, I suspect, to plenty of others, especially those who are the intended target: the non-techie public who are most at risk.
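The URL side of that advice is the part that still holds, and it can be automated rather than left to the eye. As an added example (not code from this article or the FBI), here is a small Python checker that flags links in an email body whose displayed address differs from the real destination, whose host uses punycode or mixes scripts, or whose spelling is a confusable lookalike of a watched brand. The sample email body, the brand list and the substitution tables are constructed for the demonstration.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed sample email body (not from the article): three disguised links and one clean one.
SAMPLE_EMAIL_HTML = """
<a href="https://xn--pple-43d.com/login">https://apple.com/login</a>
<a href="https://secure-payments.example.net/x">https://www.paypal.com/myaccount</a>
<a href="https://arnazon.com/deals">Holiday deals</a>
<a href="https://www.amazon.com/gp/help">Help</a>
"""
WATCHED_BRANDS = {"apple.com", "paypal.com", "amazon.com"}  # assumed list to protect
LATIN_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # Latin look-alike pairs
CYRILLIC_TO_LATIN = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "aeopcxy")  # Cyrillic homoglyphs

def registrable(host: str) -> str:
    return ".".join(host.lower().split(".")[-2:])  # naive eTLD+1: last two labels (assumed)

def normalise(domain: str) -> str:
    d = domain.translate(CYRILLIC_TO_LATIN)  # map confusables back to the Latin spelling they imitate
    for bad, good in LATIN_SWAPS:
        d = d.replace(bad, good)
    return d

def check_link(href: str, text: str) -> list:
    """Return the reasons a link looks disguised; an empty list means none found."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")
    try:  # decode punycode so homoglyphs can be inspected as characters
        shown = host.encode("idna").decode("idna")
    except UnicodeError:
        shown = host
    # Script family (LATIN, CYRILLIC, ...) of each letter; more than one is suspect.
    if len({unicodedata.name(c).split()[0] for c in shown if c.isalpha()}) > 1:
        reasons.append("mixed-script-host")
    # Display text that is itself a URL (with scheme) must match the real domain.
    text_host = urlparse(text.strip()).hostname
    if text_host and registrable(text_host) != registrable(host):
        reasons.append("display-href-mismatch")
    domain = registrable(shown)
    if domain not in WATCHED_BRANDS and normalise(domain) in WATCHED_BRANDS:
        reasons.append("lookalike-of:" + normalise(domain))
    return reasons

def scan_email(html: str) -> dict:
    """Map each href in the email body to its list of reasons."""
    links = re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S)
    return {href: check_link(href, text) for href, text in links}
```

A real deployment would replace the naive two-label domain split with a public-suffix list and load its own brand and confusable tables.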
What The FBI Should Have Said
Here’s the thing: I’m actually a big fan, if that’s the right word, of FBI public service announcements and warnings, as they are usually 100% spot on in terms of alerting the public to security issues and how to mitigate them. Take the recent story about the increased use of AI-generated phishing attacks against smartphone users and the advice to hang up and create a secret word, for example. The FBI public service announcement around the use of AI even confirmed that “criminals use generative AI tools to assist with language translations to limit grammatical or spelling errors for foreign criminal actors targeting U.S. victims.”
Referring to recent reports suggesting massive increases in credential phishing email attacks, Callie Guenther, senior manager of cyber threat research at detection and response provider Critical Start, said that the rises “align with the expanded use of generative AI, which enables attackers to produce natural-language phishing content at scale, localize campaigns across languages, and automate deep personalization.”
What the FBI should be saying is what it said in that other PSA: that generative AI is now at the point where it’s good enough, and cheap enough, for criminals to be using it to create spelling-error-free and grammatically correct phishing emails in any language, so don’t rely on that old “check for errors” advice when it comes to mitigation.
I have reached out to the FBI for a response.