Coronado AI Club

About Us

Next Meeting

Topic Ideas

Comments

Log in

AI Is Helping the Scammers. Let It Help You Too.

Written by

Tom Lookabaugh

in

, , ,

Artificial intelligence is rapidly empowering cybercriminals. But it can also help us fight back.

That matters because the threat landscape is changing fast.

Phishers are using AI to make fully convincing fake websites, taken to industrial scale by a Chinese cybercrime network.   Hackers exploit trust in the AI services themselves, with phishing campaigns targeted at ChatGPT, Claude, Copilot, and DeepSeek.

Already in 2025, Americans reported nearly a billion dollars in AI-powered scams.  Impersonation scams, now increasingly turbocharged by AI, cost nearly 3 billion dollars by 2024.  Older adults are a particular target with a four-fold increase in losses of $10,000 or more between 2020 and 2024.  Deepfakes are simulating trusted parties in image, video, audio, and text, and the quality is so good that even seasoned experts see the end of effective detection.

And, as another recent post of ours noted, even the AI platform companies are surprised at how well their models find software vulnerabilities – in almost every piece of computer code.

We need to get AI on our side too.

So, I deputized ChatGPT to act as a security consultant and perform a systematic security audit for me and my family.

Rather than jumping directly into recommendations, I took a top-down approach. I wanted to understand the problem before deciding on solutions.

My initial prompt was:

You are an expert security consultant who will review and advise me on steps I can take to improve the cybersecurity posture of myself and my family. My wife and I are retired and have significant real and financial assets. We are worried about identity theft and theft of our assets. We lock our house but we can’t be sure no one will break in. We travel frequently both domestically and internationally. As a first step, please suggest what security issues we should consider so that we can narrow on ones to further investigate.

That simple prompt launched a surprisingly productive dialogue.

Defining the Threats

The first thing ChatGPT helped me do was identify what I should actually worry about.

Using context from our previous chats, it generated a list of threats and prioritized them. It also pointed out some risks that were probably not worth losing sleep over. For example, I am unlikely to be targeted by a nation-state intelligence service, though my friends working in the military or military contracting might well be.

Most of the time, ChatGPT’s use of personal context was helpful. But it can narrow too far based on assumptions it had formed about me. If that happens, it’s easy enough to tell it to answer “as if you know nothing about me.”

One of its most useful recommendations was to create a formal threat model.

Professional security teams do this routinely. Before deciding how to defend something, they carefully define what they are defending against.

My own strategy was to ask ChatGPT for a superset of possible threats so I would not overlook something important.

But I was also able to use my own experience to able to extend its scope too.   For instance, ChatGPT identified identity theft leading to fraudulent credit card accounts. But a friend had recently experienced something stranger: someone opened a bank account in his name – possibly as a vehicle for money laundering. I asked ChatGPT to explore that scenario and add it to the threat model.

That discussion leads to ChexSystems, a consumer reporting agency used by many banks when opening new accounts. Much like the major credit bureaus, it allows consumers to place security freezes and other protections on their reports.   And I’ve done that now.

Building an Asset Inventory

Once we had discussed threats, ChatGPT suggested creating a detailed inventory of assets to match against threats.

Again, this is something security professionals routinely do. You cannot protect assets you have forgotten about.

I asked ChatGPT to generate a comprehensive list of assets that people in circumstances similar to mine might possess.

The resulting inventory went far beyond financial accounts.

It included email accounts, cloud storage, mobile devices, computers, identity documents, recovery methods, insurance policies, social media accounts, domain names, home automation systems, travel accounts, investment accounts, estate planning documents, and many other categories.

This inventory will also be useful to my executor, so I managed to kill two birds with one stone.

Matching Threats to Assets

At that point I had two important pieces:

  • A threat inventory.
  • An asset inventory.

ChatGPT then recommended creating a prioritization matrix.

This allowed me to connect specific threats to specific assets, estimate likelihood and impact, and focus my efforts where they would matter most.

From there, I worked through each significant threat and asked ChatGPT for possible mitigations.

The result was a list of roughly twenty concrete actions I am now taking, along with some new products and services that I decided were worth adopting.

A Reasonable Question: What If This Chat Leaks?

While conducting the audit, I realized there was another threat worth considering.

What if the chat itself were exposed?

After all, I was discussing my security posture with an AI system.

I asked ChatGPT exactly that question.

The answer was sensible.

There is some value in understanding a person’s security architecture. For example, I discussed which password manager I use. However, I was careful not to disclose actual secrets. I did not provide passwords, account numbers, recovery codes, or detailed implementation information. I also discussed potential actions in general rather than documenting exactly which defenses I had chosen.

ChatGPT summarized the issue nicely:

Discuss security architecture, but do not disclose the secrets that implement it.

Some Examples of What I Found

Everyone’s situation is different.  But here are a few examples of the kinds of questions that emerged.

How secure are your account credentials?

Most people know weak passwords are a problem. Increasingly, best practice means using a password manager populated with strong passwords, using passkeys when available, enabling multi-factor authentication, and considering hardware security keys for especially sensitive accounts.

How secure is your email account?

Email accounts are often the master key to everything else. If an attacker controls your email, they can frequently reset credentials for many other services.

What happens if someone steals your phone?

Many people rely heavily on biometrics such as Face ID. But what happens if someone shoulder surfs to observe your PIN and then steals the device, using the PIN to bypass the biometrics? What accounts become accessible?

Could someone perform a SIM swap?

If an attacker convinces your mobile carrier to transfer your number, they may begin receiving text messages intended for you—including authentication codes.

How secure are your recovery methods?

Recovery systems are essential when something goes wrong, like forgetting a password or losing a device. Unfortunately, they are also a favorite target of attackers. Every recovery path deserves scrutiny.

What happens if someone breaks into your home?

Could a physical burglary become identity theft? Are important documents, backup devices, recovery codes, or financial records adequately protected?

How would you handle a deepfake emergency call?

Imagine your grandson calls from a jail in Tijuana and urgently needs money wired immediately.

His voice sounds just like him.

He knows surprising personal details (though maybe not so surprising since he lives his life on his socials).

He sounds frightened.

In the age of AI, how would you verify that the caller is really your grandson before acting?

Final Thoughts

The most surprising part of this exercise was not any individual recommendation.

It was the process.

A good security audit requires thinking systematically about threats, assets, vulnerabilities, and defenses. Historically that has been the domain of professional consultants and security teams.

Today, a capable LLM can guide an ordinary person through much of the same process.

The criminals are already using AI.

You should too.

Do your own audit.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts