Kaspersky flags scam abusing OpenAI team invitation feature

Cybersecurity firm Kaspersky has identified a scam campaign exploiting OpenAI’s organisation creation and team invitation features to distribute spam and fraud emails from legitimate OpenAI email addresses.

According to Kaspersky, attackers are registering OpenAI accounts and abusing the organisation name field, which allows free text input. Scammers embed misleading messages, links or phone numbers directly into the organisation name itself.

Once the organisation is created, attackers use OpenAI’s “invite your team” function to send invitations to targeted email addresses. These messages are sent from official OpenAI email addresses, making them appear technically legitimate and increasing the likelihood that recipients will trust the content.

How the scam works

Kaspersky detected several scam formats distributed through this method. These include emails promoting fraudulent services, such as adult content, as well as vishing attempts that falsely claim a subscription has been renewed for a large amount.

In the vishing scenarios, recipients are instructed to call a phone number to cancel the alleged charge. This interaction can lead to further social engineering attempts or financial loss.

The scam content is visually inconsistent with the standard OpenAI invitation template. The misleading text, typically displayed in bold, stands out structurally from the rest of the email, which is designed for inviting collaborators to a project. Attackers rely on users overlooking these inconsistencies.

Abuse of trusted platforms

“This case highlights a vulnerability in how platform features can be weaponised for social engineering email attacks,” says Anna Lazaricheva, senior spam analyst at Kaspersky.

“By embedding deceptive elements in seemingly innocuous fields like organisation names, scammers attempt to bypass traditional email filters and exploit user trust in reputable services. We urge users to carefully verify invitations and avoid clicking embedded links without scrutiny.”

Lazaricheva also cautioned organisations operating digital platforms to assess how their features could potentially be abused by threat actors.
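One defensive check a platform (or a mail gateway inspecting inbound invitation emails) could apply to the abused free-text organisation-name field, as an added example that is not Kaspersky's or OpenAI's code; the detection patterns, the length limit and the sample names are constructed assumptions:

```python
import re

# Indicators that a display-name field is carrying a scam payload rather than a name:
# embedded links, phone numbers, currency amounts and billing-style calls to action.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|io|ru|xyz|top)\b", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
MONEY_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?|\b\d[\d,]*(?:\.\d{2})?\s?(?:USD|EUR|GBP)\b", re.I)
CTA_RE = re.compile(r"\b(?:call|cancel|renew(?:ed|al)?|charged|refund|urgent|subscription)\b", re.I)
MAX_LEN = 64  # assumed limit; real organisation names are short


def inspect_org_name(name: str) -> list[str]:
    """Return the list of indicators found in a proposed organisation name (empty if clean)."""
    findings = []
    if len(name) > MAX_LEN:
        findings.append("too_long")
    if "\n" in name or any(ord(c) < 32 for c in name):
        findings.append("control_chars")
    if URL_RE.search(name):
        findings.append("url")
    if PHONE_RE.search(name):
        findings.append("phone_number")
    if MONEY_RE.search(name):
        findings.append("currency_amount")
    if CTA_RE.search(name):
        findings.append("call_to_action")
    return findings


def is_suspicious(name: str) -> bool:
    """Reject-or-review decision a signup form or invitation mailer could apply."""
    return bool(inspect_org_name(name))


# Constructed sample names, modelled on the formats described in the article.
SAMPLES = [
    "Acme Research Lab",
    "Your subscription was renewed for $499.99. Call +1 (800) 555-0199 to cancel",
    "Free gift at promo-deals.top",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{is_suspicious(sample)!s:5} {inspect_org_name(sample)} <- {sample!r}")
```

A mail gateway can run the same check over the organisation name it extracts from an inbound invitation, so that a message from a legitimate sender domain is still quarantined when the name field carries a payload.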

For more, visit: https://www.bizcommunity.com