Another security issue has hit leading voice assistants—and this time it isn't manufacturers recording our conversations. A new scam has been exposed, where fraudsters are hiding behind convenient auto-dial features to lure unsuspecting users into a trap. The fraudsters have realized that people search for businesses and then call them, all without viewing the online entry for the business itself. And that has opened up a major risk that those businesses are not what they might seem.
The scam works by paying online search engines to promote business entries, which then feature prominently when a search is conducted. "Scammers are creating fake customer service numbers," the Better Business Bureau warns, "and bumping them to the top of search results, often by paying for ads. When Siri, Alexa, or another device does a voice search, the algorithm may accidentally pick a scam number."
It turns out that the assistants aren't as good as we are at spotting those fake ads and picking an alternative. And we're not actually that good, either. In June, it was reported that "as many as 11 million false businesses could be masquerading in plain sight on Google Maps," essentially conducting exactly the same scam.
"These scammers use a wide range of deceptive techniques to try to game our system," Ethan Russell, product director for Google Maps, acknowledged at the time. "As we shut them down, they change their techniques, and the cycle continues."
A Wall Street Journal investigation claimed that "hundreds of thousands of false listings were sprouting on Google Maps each month," with search queries "overrun with millions of false business addresses and fake names... luring the unsuspecting to what appear to be Google-suggested local businesses."
The Google Maps scam focused on infrequently called but important services—plumbers, electricians, mechanics. The point being that these were unfamiliar businesses where a high-ranking listing might lead to consumer trust. And now the voice assistant scam has managed to widen that net: it doesn't need to defeat a visual search engine inspection, because it relies on tricking the AI engine through prominence and keywords.
The Better Business Bureau warns that even seemingly legitimate, familiar businesses can be drawn into this voice assistant scam. "You need the phone number for a company, so you ask your home’s smart device to find and dial it for you. But when the company’s 'representative' answers—it turns out the 'representative' isn’t from the company at all."
Check out the full article at http://BBB.org/VoiceSearch. (And thanks @GMA for helping us spread the word!) https://twitter.com/GMA/status/1162333621195165696 …
If the scammer does trick a user into placing a call, they may charge for ghost service or redirect the discussion entirely. There is also a risk the fraudster "may demand remote access to your computer or point you to an unfamiliar website." Two examples cited by the "ethical marketplace" were a consumer calling an airline to change a reservation and being tricked into buying a "special promotion" gift card, and another consumer calling a helpline for a printer and being targeted by a technical support scam.
Again, these are similar themes to the Google Maps issue, where the search giant explains that fraudsters "charge for services that are actually free, defraud customers by posing as real businesses, and impersonate real businesses to secure leads and then sell them."
Unfortunately for voice assistant users, there isn't any clever advice to avoid such scams—it's back to basics, I'm afraid. Check numbers yourself, and look up businesses to make sure listings are accurate. And if you do auto-dial, look for any cues that the call is not legitimate and hang up at the first sign of trouble. And certainly don't share any personal or financial information.
In 2018, Google Maps "took down more than 3 million fake business profiles." No stats are yet available for voice assistants specifically, but if it's a scam that works, it will scale quickly. And voice assistants are themselves scaling quickly, making this the ideal platform for fraudsters to do their work. For the millions of you still trusting enough to leave these devices plugged in and connected at home—you have been warned.