AI-Driven Phishing Scams: Railway and Delivery Service Fake Websites Are Getting Harder to Spot | FRIDAY DIGITAL

AI-Driven Phishing Scams: Railway and Delivery Service Fake Websites Are Getting Harder to Spot

Introducing new-age countermeasures! More than 1.71 million cases reported last year alone!

|NEWS
  • Share on Twitter
  • Share on LINE
Text of a phishing e-mail pretending to be from an ETC inquiry service.
When you click on the provided link, a screen appears attempting to steal personal information such as your address and name, followed by credit card information. It is created by copying the real site and is highly sophisticated.

The sophistication of the raging phishing scam

“Your account has been temporarily suspended.”

“Update your account information and get a chance to earn up to 10,000 points!”

With various attention-grabbing phrases, phishing scams are flooding inboxes with URLs that lead victims to fake websites nearly identical to the real ones, attempting to steal credit card and personal information. Reports of suspicious emails and messages reached over 1.71 million cases in 2024 alone, setting a new record for the worst year. Makiko Morisawa from the National Consumer Affairs Center’s Consultation Division 2 explains:

“Phishing emails in the past were easy to spot because the Japanese was unnatural or the URLs looked suspicious. However, today the sentences are much more natural, and the transition to fake websites is seamless. As a result, more and more people are falling victim.”

While the methods remain traditional, they have been updated with new techniques, including the use of AI, according to IT journalist Hiroshi Mikami:

“A recent trend is that phishing emails impersonate trustworthy organizations based on current events. For example, during tax season in February and March, they pose as the National Tax Agency, and during bonus season, they impersonate electronics retailers or e-commerce sites. This adds to the realism. Delivery services are also frequently exploited.”

The pages displayed after clicking the URLs are becoming more sophisticated as well. Eiichi Kanayama, an expert from the Information-Technology Promotion Agency (IPA), expresses his outrage:

“Look at this screen for the ETC inquiry service. The specifications are identical to the real site down to the smallest details. What’s worse is that after stealing personal information, they redirect the victim to the real homepage, which shows just how malicious these scams are.”

Two Step Authentication is also breached

Currently, many web services use one-time passwords or send authentication numbers to specified addresses as part of two-factor authentication. To bypass this, real-time phishing has been developed. Mr. Mikami, mentioned earlier, explains this using internet banking as an example:

“When a user enters their ID, password, or other information on a fake site, the information flows to a criminal group. The group immediately enters that ID and password on the real site. Then, a one-time password is sent to the user’s phone via SMS, making them believe it is a legitimate site. At this point, the user enters the one-time password on the fake site without suspicion, allowing the criminals to bypass the two-factor authentication. Since the timing of the authentication message appears normal, the user doesn’t realize they are interacting with a fake site until it’s too late.

While phishing scams have been increasing in online banking, they have recently started to appear on e-commerce sites. A case involving a fake Amazon site utilizing real-time phishing methods has also been reported.”

What can we do to avoid being tricked? Experts on phishing countermeasures unanimously agree: “It’s important to stop trying to determine if a message is real or fake.”

“With the introduction of AI, it has become nearly impossible to distinguish between real and phishing messages. Even if the email seems genuine, the rule is to avoid clicking URLs in emails or SMS messages. Even if you receive a message that seems urgent, like ‘Unauthorized access detected,’ it’s better to avoid clicking any URL in the email and instead log in via the official website or app. This is the best way to prevent damage.

It’s also important to prevent receiving phishing emails altogether. Google’s Gmail spam filter is excellent at blocking fake emails. Since you can also receive emails from other providers through Gmail, it’s a good idea to actively use it.” (Mr. Mikami)

What should you do if you accidentally open a fake message? Mr. Kanayama, mentioned earlier, explains:

“In most cases, just opening an email or URL doesn’t immediately cause harm. As long as you don’t enter personal information, you’re generally fine. However, if you use the same password across multiple sites, there’s a chance that your other accounts could also be compromised. If you do accidentally enter a password, you should immediately change it.”

If, for some reason, you enter personal information, a countermeasure table is provided for reference.

It’s nearly impossible to tell these scams apart now. Even if you’re curious, the best starting point is to avoid clicking any URLs in suspicious emails.

There is no end to the number of cases of text messages sent by short mail, which are deceptive of financial institutions. They are trying to create a sense of crisis with messages such as “Important confirmation.”
Fake websites imitating JR East’s “Ekinet” service are also indistinguishable from the real thing. The fake websites deceive by claiming that if you don’t do anything, you will be automatically withdrawn from the membership.
Fake advertisements on social networking services that deceive users about celebrities such as Yusaku Maezawa have also appeared, from which information is extracted.

From the February 21-28, 2025 issue of “FRIDAY”

  • PHOTO Courtesy of IPA (1st to 4th photos)

Photo Gallery6 total

Featured Articles

Photo Selection

Check out the best photos for you.

Related Articles