(7 Minute Read)

17 September 2024 / Written by Joe

<aside> 🗞️ TL;DR. I put another downer on your morning/afternoon/evening by arguing that parallel changes in the technological landscape could point to a looming scam headache potentially much larger than today’s. I do use a quaint analogy to lighten the blow, though, so there’s that.

</aside>

Screenshot 2024-09-16 at 06.17.47.png

I discovered the world of Pokèmon later in my life than perhaps most fans did. A lot later, in fact. Having known almost zero about it until about 2 months ago when my kids brought a few packets of cards home, the latter half of this summer has basically been Pokemon bootcamp for me. Now I just about know my deck from my discard pile and a Pikachu from a Porygon. I also know that deep breaths are required when your opponent is likely to clumsily upend the board at a seconds’ notice or, for that matter, upend it entirely on purpose when their favourite Pokemon gets knocked out of the game.

But it’s a couple of aspects of The Pokemon Trading Card Game (TCG), to give it its full name, that I’ve been increasingly connecting in my mind to the internet’s fast-growing scam machine. This post outlines them and what they might mean for the future of fighting digital scams.

Pokemon lesson #1: Don’t let your opponent out-evolve you.

A key part of winning a game of Pokemon is to evolve your own Pokèmon as fast as you can, through stages ‘basic’, through ‘stage 1’ and eventually to ‘stage 2’. A stage 1 Pokemon is a teeny cutesy creature whose defences are laughably weak and attacks even weaker and, being the only type available to players at the start of the game, let’s things start gently as players make early moves and settle in to the game. Stage 1 is akin to a Pokemon’s adolescence, where they can start to better repel any inbound attacks and their own attacks get a bit more wily and capable of inflicting damage. Getting a quick evolution of one of your Pokemon to stage 1, therefore, is a nice early advantage and can set you up well for the middle part of the game. Stage 2 is where the big guns come out. A fearsome stage 2 Pokemon can sit there all day absorbing attacks from your opponent, before unleashing some blistering attack capable of destroying your opponents best Pokemon and their associated game plan in one fell swoop. These power differentials between Pokemon of different stages gives rise to a simple truism of the game: If you can evolve your Pokèmon faster than your opponent, you’re in a good spot to create a lopsided battle.

So here’s the scam analogy:

we’re midway through a battle that won’t end before 2030, and as both attacker and defender currently pass through phase 1, scammers’ attacks may start to accelerate past those of defenders.

We might not be in a good place.

Let’s dive into the analogy a little deeper with a quick recent history of scams. Back in 2020 (and, in truth, many years before that) both scammers and defenders were still in the ‘basic’ stage. The attacks being wielded by the scammers - poorly written text messages, shoddily coded phishing pages and maybe a multi-level-marketing scheme that didn’t scale particularly well - weren’t making defenders lose sleep. On the defending side, moves like email filters and SafeBrowsing browser plugins held the game in balance nicely.

Right now we’re in the midst of ‘phase 1’: Yesterday’s attacks don’t cut the mustard anymore, and our attackers have evolved accordingly. So what’s on the menu of attacks for a phase 1 scammer?

Voice cloning is well and truly in-play. Having played a major role in this year’s most audacious business-focussed scam which hit ARUP, a global construction company to the tune of $25M, more reports are emerging of this tactic being used against those who hold the keys to the world’s heftiest corporate bank accounts.

Deep-fakes? They’re fully in-play too. Fake investment ads bombard social media users daily with promises of gargantuan profits, and the messaging groups that these ads lead to continue that bombardment, awash as they are with pretend people cashing in on pretend fortunes and posting photos of their pretend Bugatti-fuelled Dubai lifestyles.

As a counter-balance, the tech industry has itself jumped headfirst into the era of AI and is able to help fight back with early uses of defensive AI. But with the generative AI of today seemingly much more capable of creating fictitious content than identifying it (and at a bargain basement price-point at that - give fal.ai’s hosted Flux LORA a go if you’ve got a spare $2), it doesn’t seem a big stretch to suggest that the defending team’s bench of Pokemons might not be looking so daunting against the threat of today, let alone that of tomorrow.

So where might the game go in ‘phase 2’ - that is, the backend of the current decade? Here’s where things start to get concerning. Pretty much every superlative in the English language has been used to describe the magnitude of advancements in AI that have already happened to now so I won’t try and come up with my own. Suffice to say that, when imagining what might be in store in the next few years AI, of course, looms very, very large. First up, we should expect our opponent’s Pokemon’s war chest of attacks to include at the very least:

fully flawless celebrity deepfake endorsements that tempt new victims into the scam rabbit hole more efficiently than they can dream of today. Flawless not only in their imitations of the target celebrity, but flawless in their use of language, tone and urgency in a way that today’s scammers just can’t pull off.
the current swathe of ‘financial education’ group chats (to which the ads mentioned above lead) to be actual video calls, complete with fully conversant AI avatars giving scale and legitimacy to the hall-of-mirrors financial grooming environments created by their masters.