How Businesses Can Protect Themselves From Invoice Scams, Data Leaks And More

From the democratization of artificial intelligence (AI) to large-scale data leaks, there was no shortage of news in the worlds of technology and cybersecurity throughout the first quarter of 2023. Read on for Trend Micro’s summary and to learn what businesses can do to protect themselves and their employees.

The artificial intelligence chatbot, ChatGPT, was released in November 2022, and its popularity exploded throughout the previous quarter. Businesses worldwide, from budding startups to established enterprises, have been looking for ways to utilize the technology to improve productivity. However, using ChatGPT doesn’t come without its privacy and security concerns.

Because ChatGPT retains the information that is shared with it ( to improve the service further and make it smarter), it means that any information—sensitive or otherwise—input into ChatGPT could potentially be shared by the chatbot with anyone at a later date. Everyone must understand this potential data security pitfall, businesses and individuals alike.

It was recently reported that Samsung warned its employees about the dangers of potentially leaking confidential information via ChatGPT after some of its engineers shared source code, internal meeting notes, and data relating to their hardware with the AI-powered service.

Additionally, businesses looking to use ChatGPT need to be aware of the dangerous copycat ChatGPT websites that are out there. Such websites are capable of secretly installing information-stealing malicious software onto devices.

ChatGPT can be accessed safely from the legitimate ChatGPT/OpenAI website:www.openai.com/blog/chatgpt

Furthermore, it should be noted that although searches for “ChatGPT” on both Apple’s App Store and Google’s Play Store return large lists of ChatGPT-related apps, currently, there is no official ChatGPT app for iOS or Android.

In February, Trend Micro’s anti-scam technology detected a rise in PayPal-based invoice scams. Small business owners and their employees must be aware of these scams because the fake invoices are often for large amounts of money and are from a legitimate PayPal email address; they’re exceptionally deceptive. Here’s what they may look like:

The two examples above are fake PayPal invoices for Ravoltek LLC and Coinbase. However, scammers can impersonate any company when they send out fake PayPal invoices—potentially even one that your company regularly does business with.

The scammers are hoping people are alarmed by the invoices and call the included phone numbers (redacted from the images above). Once the scammer has a victim on the phone, they will do their best to trick them into sharing personal and financial information, such as their name, address, and credit/debit card information.

Fortunately, although these fake PayPal invoices are cunning, there is one telltale sign that they’re bogus: the impersonal greeting (such as “Hello, PayPal Client” in Example 1). As PayPal clarifies on its website, it will never send you an email with a generic greeting. Emails from PayPal will always address you by your first and last name or, in the case of business accounts, the business name. 

Back in January, Twitter suffered a huge data leak, in which over 200 million of its users’ email addresses were disseminated onto an underground hacker forum. The leak came about due to a now-fixed vulnerability in Twitter’s API (application programming interface) that enabled the hackers to scrape the data, before packaging it into a 59 GB file and leaking it online. At the time, noted security expert, Alon Gal, stated, “This is one of the most significant leaks I’ve seen … [It] will unfortunately lead to a lot of hacking, targeted phishing, and doxxing.”

Although only email addresses were leaked, data leaks such as this highlight the need for good digital hygiene, including the use of strong, tough-to-guess passwords and multi-factor authentication (MFA).

To protect a business’s data and security, all its employees should be required to use passwords of a minimum length of 8-10 characters made up of a mix of upper and lowercase letters, numbers, and symbols. Additionally, passwords should be required to be changed regularly (once every three months, for example).

Also, the use of multi-factor authentication should be mandatory on all company accounts because it adds an extra layer of defense, making a hacker’s job tremendously harder.

To learn how to create strong, yet memorable passwords and for more information about multi-factor authentication, click here.

This year has been a strong reminder that businesses and individuals must remain vigilant when it comes to cyber threats. It is crucial to be aware of the data security concerns surrounding new technology, the danger of online scams, and to take steps to ensure good digital hygiene habits are practiced.

If you’ve found this article interesting and/or helpful, be sure to check back after Q2 for another quarterly cybersecurity update from Trend Micro.