In-depth

The future of spam is scary

AI, deepfakes and other tech could make spotting spam tougher, but spam fighters are using the same tools to keep our inboxes clean

Incoming spam attack

Spam is easy to spot. Automated systems catch the vast majority of it, though with hundreds of millions of dodgy messages sent daily, the odd message still slips through the net to your junk email, where it hopefully languishes unnoticed.

That's down to serious effort on the part of email companies (Google, Microsoft and the rest), but their job is about to get a lot harder as spammers turn to AI, as well as deepfakes, social bots and other intelligent technologies. "Deception is the goal of most modern spam attempts," said Emilio Ferrara, research assistant professor at the USC Department of Computer Science, and the author of a recent paper on the subject of AI and spam. "AI is providing more and more powerful tools to automatically generate deceptive content, including text and video. Although the full implications are impossible to predict, one can speculate that with increasing technological capabilities the abuse and its consequences will get worse."

Using AI for spam

That first role means it will be harder for automated systems to spot spam. "We've entered an era where we can no longer trust our own inboxes," said Max Heinemeyer, director of threat hunting at Darktrace, a British AI security startup valued at more than a billion dollars. "Across our customer base, we are seeing the early signs of attackers using artificial intelligence to supercharge their creation of spoof emails, generating communication that, for the average person, is virtually indistinguishable from genuine communication."

The rise of AI comes via a few different avenues, and all can be abused by spammers. Neural networks can read text, understand the context of an image and write believable messages, all without human interaction, so spammers can build more realistic, personalised messages that are more difficult to filter out from legitimate mail. And if email providers can't spot spam, it's fair to say plenty of people will be caught out too, raising the risk of phishing attacks as well as mass marketing of the dodgy products that usually fill spam emails.

"This only requires relatively simple sequence-to-sequence machine learning which could be installed on an infected device in order to monitor emails and conversations of a compromised victim," said Heinemeyer. "After a period of monitoring, the AI could tailor phishing messages to mimic the message style of the victim to particular contacts in their address book, in order to convince them to click on a malicious link."

There are other types of spam beyond the messages clogging up our email inboxes. Spammers have also turned to messaging apps, search results and social media, with bots promoting links to fake reviews and websites selling dodgy wares, be it off-brand sunglasses or hair-loss prevention pills. Those can be written by humans, but it's much more profitable if those bots are automated, and the most convincing ones use AI to react to humans. "Cyber criminals are innovators; they are always looking for new ways to reach more victims, more quickly to ultimately make more money," said Heinemeyer. "Spam campaigns today take a group of around 50 cyber criminals, who send about 50,000 emails a day with a success rate of about 20%. With AI in the picture, it would only take two attackers to create code that could generate two million emails a day with an 85% success rate, making their attacks significantly more profitable."

AI also makes it easier to build so-called "deepfakes", digitally altered or generated images and video that look real. Sometimes the content can be an entirely false person, handy for an avatar for a fake social account, but the same idea can be applied to text or pictures to make spam specifically tailored for you. "It can be used for example to produce personalised spam targeting individuals using information about their friends (pictures, videos) to produce targeted deepfakes or digital avatars of them," said Ferrara. Would you be more likely to open a spam message if it came from a Twitter feed with an avatar that looked like your friend or pretended to be an email from a contact you have in your email account?

Fighting spam with AI

Of course, the white hats of the tech industry also have access to AI, and Google, with its thousands of software engineers, is thankfully rather better at neural networks and machine learning than the average spammer. "It's surely a doomsday scenario, but we have seen enough already to know that without countermeasures these spam technologies can get out of hand," said Ferrara.

Google has long been using neural networks to spot spam, bringing its self-reported rate of spam detection to 99.9%. But it's going further to target the last few spam messages slipping through, while also cutting down the number of legitimate messages that get snagged in its net. The company recently detailed how it's battling spam via its machine-learning system TensorFlow, using it to look for patterns in the thousands of bits of data that Google analyses to see if a message is spam or not, personalising that based on what Google knows about someone's email habits. "Using TensorFlow has helped us block image-based messages, emails with hidden embedded content, and messages from newly created domains that try to hide a low volume of spammy messages within legitimate traffic," Gmail security product manager Neil Kumaran explained in a blog post earlier this year. That added up to an extra 100 million messages blocked per day.

Google's not the only one. In June, Twitter bought startup Fabula AI to help the social media service use artificial intelligence to battle back against spam and abuse, with Twitter saying earlier this year that fake and spam accounts make up as much as 5% of its active accounts. And last year, Microsoft said it had improved its filtering using AI-based techniques, training its system by scanning 18 billion links and attachments.

There are other automated, intelligent systems to push back against spam, including New Zealand security firm Netsafe's Re:scam, a chatbot that uses AI to reply to spammers in order to eat up their time and drive up costs. Whether it reduces spam remains to be seen, but the ensuing transcript of the exchange between the chatbot and the spam-sending scammer is amusing.

The scale of the problem means automated protections are key to winning the battle against spam: it's too big of a problem for us humans to manage, making it the perfect place to put AI to work. Spam is spreading and it's getting smarter; thankfully, we have the same tools to battle back. "We cannot expect the general public to dedicate time to becoming experts in cyber security. What's more, AI attacks will be too clever and stealthy to combat than with other AIs," said Heinemeyer. "This is one arena we'll have to give up control to intelligent systems, not take it back."
