How AI Will Become the Phisher of Men

John Mathis
8 min read · Dec 10, 2023

http://techbyrequest.com/blog/wp-content/uploads/2015/03/ai-and-god.jpg

If you have read my stuff, you know I write about metaphysical subjects that I have both researched AND experienced — ghosts, remote viewing, past lives, near-death and shared near-death events. I follow the axiom of ‘write what you know’. And while metaphysical things have been my avocation for decades, my job title for nearly the same time frame has been Clinical Data Manager. I have been catching, cleaning, mapping, and reassembling personal and clinical data for clinical trials for nearly two decades. Along my journey, from NCR paper to AWS, I’ve learned a few things. From blockbuster drugs to embarrassment, from “Big Blue” pharma and IT, I think the reach of data processing has never exceeded our grasp until now. The recent hack of 23andMe has me extremely concerned — especially so when you consider the unrelenting assault that AI can bring to bear when it uses that information and is then released from “supervised learning”.

If you knew what I know, you’d be able to use AI to engineer a broad-scale phishing attack algorithm using multiple data vectors that target victims on an individual level. Think Karl Rove meets HAL. And like all computer programs using AI, once you set up using ground truth, get that confidence ratio up to 95%, and let it loose in the world with neurolinguistic programming (NLP — which is different than NLP of natural language processing), and deep fake A/V, we’ll have an AI that will know how to manipulate humanity with ease. It’s a con man with unlimited resources and unrelenting effort.

I will use this article to detail my concern, how I would use this information if I wore a black hat, and how you can mitigate SOME of the risks. If you think you can mitigate all potential risks, let me give you a crown and scepter because you are royally screwed.

I was triggered by the 23andMe breach and the scenarios I imagined hit me repeatedly like a bloated birthday piñata where all the kids are sugar-fueled and swing like Tiger Woods. Although, I hear that Elin Nordegren has a decent swing too. Brute force access and psy-ops phishing will be easier — period. Currently, I can create a campaign with no spelling errors, no syntax errors, and a strategic internet footprint (websites, social media accounts, BBB listing) supporting the misdirection. I then add correctly referenced emotional triggers which are specific to you. From tool-swinging, non-Bud Light drinking, conservative dads to liberal lulu-moms and their Merlot juice boxes. With the data points you have provided, I can scrape from Facebook, Instagram, LinkedIn, Yelp, Zillow, and public records, and then leverage both facts and emotional triggers to open up your wallet.

This is not new. In fact, I will demonstrate.

Find the top ten affluent zip codes in your city. Save that to a worksheet. These are part of public domain information or you can look it up using a real estate app and select homes over a million bucks.

Look up local business journals or wealth management groups in the same city with Meetup or Facebook. If you like the WSJ, investment groups with a $50,000 minimum investment, or Cody Sanchez, I’m targeting you. Chances are your company name and contact info are on those profiles. That gets added to the worksheet too.

Now, cross reference with sites like PRNewswire because any newsroom or press release website will do. Grab more business names, owner names, owner profiles and pictures, and email addresses. Also, confirm the data you have already collected. Sometimes you will score links to their YouTube or Instagram accounts — both of which make for excellent deep fake ground truth.

Go to LinkedIn and cross-reference the owner’s name, the owner’s image, the business name, the city, and the email address. From that profile, you can usually pick up additional email addresses, phone numbers, and subjects/causes/conferences that can be leveraged. You might find some really valuable deep data like Alma Mater, degrees earned, conferences attended, and people followed. Drill baby, drill!

With the name, phone number, city, state, and email address of both business and personal profiles, you can use reverse lookup to find their home address if it wasn’t in their social media accounts. Same with birthdays and anniversary dates. Now you can cross-reference with the address and zip code to look up their home and know the purchase date and amount, and their potential equity.

If you’re not concerned yet, remember I have not mentioned 23andMe or AI.

With apologies to Brené Brown, I have created a dossier of data but I have not yet joined it to a soul. This is where I look at all your posts across all platforms and build a psychological profile on you. The obvious parts are resorts you have traveled, places you have eaten, and causes you support. The less obvious is to study how you use language. For example, when you are learning something new, do you say, “I see” or “I hear you”? Using NLP, I can now build a psychological profile and use your own thought processes against you.

I can run deeper searches to pull all your blogs, product reviews, and meme comments where you were emotionally triggered and were less likely to be guarded with your language. I collect these words and context because you have given me the specific words which will evoke the desired emotion from you. Again, not new. But the process has become so specific and so subtle as to be dangerous.

This is the same process that Karl Rove started in the 1970s, and others have perfected, to create targeted direct mailing campaigns. It’s also the same process used by social media and dating sites to keep you engaged and revenue rolling in. Ever notice that when you flip back to a free version of a dating site very interesting people show up? Coincidence?

All of this is targeted marketing performed with freely available data that you have provided. It’s silently collected by cookies which have been collecting data on you for a decade before opting out even became possible. Of course, you can opt-out now because hundreds of dossiers have already been built! And I’m not even going to touch the black or gray areas of stolen data like the FBI’s Carnivore Program which read all Americans’ emails or the access given to other three-letter agencies by certain cell phone companies.

Here comes the AI aspect. This will make your brown starfish pucker like a frosty toilet seat — all of the aforementioned processes can be programmatically designed so that a dossier of you and your family can be created in minutes AND it can “sniff” databases to track and record any changes like a new address, phone number, or postings so that new locations, causes, verbiage can be updated.

And more AI concerns. Knowledge, and the discipline to learn it, are no longer required. I don’t need to be a programmer to do the aforementioned scraping and dossier creation. I can use a large language model like ChatGPT and ask it to do the programming for me. Once you learn the correct way to parse the chat through prompt chains, it’s as easy as asking a genie for a wish.

Now, I have omitted a few steps which I have learned and that others don’t know. Like giving your grandma’s recipe for her blue ribbon, 12-hour smoked brisket, I’m leaving out a couple ingredients.

After learning what you will & won’t engage with in the subject line of an email, I am also sifting through your family’s names, pet names, street names, swapping out the letters that look like numbers, adding capital letters to the rest, and adding an alphanumeric character to the front or back. I also look at the dossier and pick up where you were born, married, and live. Those city names are a popular security question and a list of same is easily available. It is this brute force password cracking that has me concerned.
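The mangling described above (look-alike swaps, capital letters, a character added to the front or back) can be reversed to audit your own passwords. The following is an added example, not code from the original article; the substitution table, the sample profile and the function names are assumptions made for illustration.

```python
import re

# Look-alike substitutions ("letters that look like numbers"), reversed.
# "1" is ambiguous, so it is tried as both "l" and "i". Assumed table.
BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
VARIANTS = [str.maketrans({**BASE, "1": c}) for c in ("l", "i")]

def normalize(text):
    """Return the text lowercased and de-substituted, one string per variant."""
    lowered = text.lower()
    return [re.sub(r"[^a-z0-9]", "", lowered.translate(t)) for t in VARIANTS]

def profile_tokens(profile_values, min_len=3):
    """Split profile strings (names, streets, cities) into distinct words."""
    words = set()
    for value in profile_values:
        words.update(w for w in re.findall(r"[A-Za-z0-9]+", value)
                     if len(w) >= min_len)
    return words

def derived_from_profile(password, profile_values):
    """List the profile words that survive inside the password after undoing
    case changes, look-alike swaps and characters padded on either end."""
    pw_variants = normalize(password)
    hits = set()
    for word in profile_tokens(profile_values):
        for pw, tok in zip(pw_variants, normalize(word)):
            if tok and tok in pw:
                hits.add(word)
    return sorted(hits)

# Constructed sample profile: pet name, street, birth city, family name.
PROFILE = ["Bella", "Maple Street", "Springfield", "Johnson"]

if __name__ == "__main__":
    for candidate in ["B3ll4!", "M4pl3Street9", "5pr1ngf1eld#",
                      "correct horse battery staple"]:
        found = derived_from_profile(candidate, PROFILE)
        print(candidate, "->", found or "no profile words found")
```

Run it with the names, places and dates that appear on your own public profiles; any password that returns a non-empty list is worth replacing with a randomly generated one.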

With the 23andMe breach escalating from 14,000 customers to over 5 million, that means the subscribers’ password security questions are now available, like your grandmother’s maiden name and your father’s middle name. You are now much more vulnerable to both password cracking through force and sites spoofing you into giving up your password. Not only are the 5 million members at risk, so too are the people who did not join 23andMe but whose family members did and then added the data into their family tree.

Now, let’s add AI.

I would go through the dossier and create a listing of variables and I would map those variables into an email template. I would then create an email template that looks something like this:

Hey <dossier_subject>,

I’m <fake_member> and I am the new media coordinator for <group_name>. I’m reaching out because we both know how much <group_interest_1> and <group_interest_2> means to us. Unfortunately, the <problem_trigger_1> has really impacted (NLP_22) our ability to do good things for <group_focus_1> and we could really benefit from your kindness (NLP_49) at this time. Also, I loved your post when you went to <conference_1> and your picture of <emotional_target_1>! I am <NLP_trigger_1> for both <emotional_trigger_1> and <emotional_trigger_2> because they make me feel so <NLP_trigger_2>.

Because of your previous support of <group_name>, I’d like to share with you our new look located at <URL_redirect_homepage>. I’ve shared it with only a select few and they left some very interesting comments at <URL_redirect_yelp> and I welcome your opinion too!

If you have any questions, you can call or email me at <spoof_phone_1> or <spoof_email_1>.

Every item that you see in brackets is a dossier data point that belongs to dictionaries I can either create from your data, borrow from other sites, or buy from both white and black hat sources.

AI will map in from those dictionary variables and create an email that is tailored to the target based on their dossier profile. If a configuration of variables is unsuccessful, it will keep changing the variables like a safe cracker until it finds the correct configuration that generates a successful conversation and donation.

AI will then assign a confidence score to that configuration, and every subsequent email has to meet or beat that confidence score. In other words, it’s learning. If the email fails, that is tracked too. AI can then start sending different emails about various subjects and interests you have. The emails will be as frequent as those extended car warranty contacts except it will be using words that make you more at ease and coming from places that represent the causes you will contribute to freely. These configurations can then be quantified by subject matter and confidence ratio to be sent to others with similar profiles.

The scary thing? This is the next iteration of targeted marketing where the consumer won’t know the difference between a friend reaching out versus a marketing campaign. It can extend beyond an email. It can be a spoofed voice mail or a video from a friend, acquaintance, or influencer that is completely fabricated. Think of the ads in the movie Minority Report and know that we’re already there.

Apart from being a complete Luddite, what can you possibly do to mitigate the problem? I have some suggestions — both low tech and high tech.

When I get 22 likes or claps or some affirmation that this information is of value, I’ll write it up. Thanks for reading!

Written by John Mathis

Divorced Clinician Data Scientist, Reiki III, NDEr, directed consciousness practitioner. Runs on coffee & bourbon. www.johnmathis.me
