The anatomy of a scam: How AI and the dark web fuel financial schemes, and ways to stay safe
In our increasingly digital world, the primary target for scammers isn’t always your bank’s advanced systems. It’s often you, the consumer. “Scammers prey on your trust, your emotions, and your wallet,” said Wells Fargo’s Sarah Gosler, a globally recognized cybersecurity leader and expert in human-centric defense. She’s known for reverse engineering human behavior to outsmart adversaries. Her team focuses on empowering customers to be their own best defense against online threats because, as she noted, “consumer awareness is a critical component of strong cybersecurity.”
With the rapid evolution of AI and deepfake technology, scams are becoming incredibly sophisticated and harder to distinguish from reality. Imagine realistic fake videos or voices that perfectly mimic someone you know or a company you trust. Understanding how these impersonation scams operate is the most crucial step you can take to protect yourself and truly outsmart the criminals.
Below, Gosler shares these insights and scam prevention tips.
Key takeaways
- The rapid evolution of AI and deepfake technology has made financial scams incredibly sophisticated and harder to distinguish from reality.
- Scammers deceive their targets using fake emails, texts, or calls that look or sound legitimate.
- Cybercriminals build a profile on their targets by collecting personal data from social media, public records, and the dark web to build convincing attacks.
- Emotional triggers like fear, urgency, or the promise of a reward are used to pressure people into acting hastily.
- Because they don't have access to secure banking systems, malicious actors impersonate banks and trusted organizations using data collected from the dark web, relying on tricking individuals into voluntarily providing personal information or account access.
What are scams and how do they typically begin?
At their core, scams are deceptive schemes designed to steal your money, your identity, sensitive personal data, or gain access to your accounts. “Scammers are master manipulators. They exploit natural human responses like urgency, distraction, fear, or even the promise of a big reward,” Gosler said. “They want to pressure you into making quick decisions before you have a chance to think clearly or verify.”
These attacks often begin with cybercriminals building a profile of their targets, meticulously piecing together digital breadcrumbs of your information that they’ve collected in various ways:
- Fake emails, texts, or calls that look or sound incredibly legitimate. They're designed to trick you into clicking harmful links or sharing private, sensitive details.
- Deepfakes and synthetic media. Fraudsters use AI to create fake videos or voice recordings that perfectly impersonate people you know and trust, like family, friends, or your bank.
- Credential theft. If they steal your login for one website, they'll try it everywhere, like a master key. "This is why using unique, strong passwords for every online account is absolutely vital," Gosler stressed.
- Combining old and new tactics. They might use traditional methods like mail theft to steal physical documents such as checks or utility bills. Then, they combine that with AI-driven data scraping. This helps them mine even more information and build a comprehensive target profile.
Where do scammers collect and use your personal information?
Cybercriminals are constantly assembling bits of personal data from various sources to build convincing attacks. From social media, they might extract birthdays or names of family members and pets, details often used in passwords or to personalize phishing attempts. Public records can reveal your address and property ownership, which may help impostors bypass identity checks. These fragments of information make scams feel alarmingly personal and authentic, all designed to gain your trust and catch you off guard.
Unfortunately, the cycle of scams and fraud is fueled by stolen personal data. According to Javelin Strategy, 7 in 10 victims who lost money to a scam were also tricked into handing over personally identifiable information. Top stolen information included email addresses (43%), phone numbers (38%), and banking details (28%).
What is the dark web?
Think of the dark web as a hidden part of the internet that’s not indexed by regular search engines. It’s where stolen personal and financial data from various data breaches is anonymously bought and sold. “Scammers frequent these hidden marketplaces to acquire vast amounts of personal details: names, addresses, email addresses, passwords, purchase histories, and even Social Security numbers,” said Gosler. “In many cases, this stolen data from the dark web is the starting point of the sophisticated scam attempts we see today.”
Malicious actors are able to impersonate banks and trusted organizations because of data they’ve collected from many sources, including the dark web, not because they have access to secure banking systems. “Your financial institution is almost never the source of the scam,” Gosler said. “Scammers’ entire strategy relies on tricking you into voluntarily providing more personal information or account access.”
Note: References to the dark web are for education only. Do not access, monitor, or engage with content on the dark web, since doing so may introduce financial cybersecurity risk.
How is the scam presented?
Once scammers have gathered enough personal data, they launch their attack. You might receive a call, text message, email, or social media message generated with sophisticated tactics that make the message appear to come from a legitimate source:
- Spoofed caller IDs. The number on your phone might display your bank's name or a familiar contact, but it's fake. In fact, phone calls were one of the top reported contact methods for fraud in 2024.
- Look-alike email addresses. These may differ by just one character from a real email address, making them hard to spot at a glance.
- Fake websites. These are meticulously designed to mimic real login pages of banks or other services.
- AI-generated voices or videos. These can sound like real customer service agents or even your friends and family. They'll often reference those real details they collected about you, like your address, a recent transaction, or a family member's name, which makes them sound incredibly convincing.
Scammers use emotional triggers like fear (“Your account is locked!”), urgency (“Act now to avoid fees!”), curiosity (a simple text that says “Hi”), or the promise of a reward (“You’ve won a prize!”) to pressure you into acting hastily. Their goal is usually to trick you into:
- Giving up more sensitive information.
- Sharing a one-time security code.
- Clicking a malicious link.
- Downloading a harmful app.
- Handing over your debit or credit card.
- Making a money transfer.
These actions can give criminals direct access to your accounts, your funds, or your devices.
What are some red flags to watch for?
Staying vigilant is your best defense. When it comes to AI-generated voices or videos, pay close attention to:
- A voice that sounds robotic, flat, or strangely paced.
- Movements in videos that seem jerky or where the lip movements don't quite match the words being spoken.
- Requests to send or transfer money or hand over your debit card under the guise of "protecting your account" or "keeping your money safe." Your bank, a government agency, or the police will never ask you to do this.
Some additional scam prevention tips include:
- Wait and validate: Verify all requests and offers independently before taking action.
- Don't share personal information: Be cautious of unsolicited requests for sensitive personal and financial information such as usernames, passwords, PIN numbers, or one-time passcodes.
- Don't be quick to click: Malware can be embedded in links. Don't click on unsolicited links.
- Use strong passwords: Don't reuse passwords across sites. Use a password manager if needed.
- Monitor accounts: Set up account alerts and two-factor authentication.
Beyond technology, Gosler believes “an informed customer is the strongest defense. Ultimately, your vigilance and awareness remain our strongest partnership in this fight since no system can guarantee complete protection.”
“Stay informed, stay skeptical,” said Gosler. “And always remember, while scammers and their technologies are constantly getting smarter, so are we, especially when we work together. By understanding their tactics, we can collectively outsmart them and protect what matters most.”
This story was produced by Wells Fargo and reviewed and distributed by Stacker.