Over the past decades, phishing has grown into a serious security concern. Protecting companies against AI phishing is therefore no longer a recommendation but a necessity.
According to a Gartner survey, AI-based cyber threats are among the top emerging risks. AI-enhanced malicious attacks and AI-assisted misinformation campaigns ranked first and second among the 286 senior enterprise risk executives surveyed by the market research firm. Moreover, AI-enhanced attacks were found to be the top emerging risk for enterprises in the third quarter of 2024, raising global concern.
While organizations are still struggling to find the AI and cybersecurity talent needed to control this evolving risk, business owners should keep in mind that there are several measures they can take to minimize it.
Zeus Kerravala, principal analyst at ZK Research, said: “Protecting against AI-based cyberattacks requires using AI itself. It’s a fight fire with fire sort of a thing.”
To mitigate sophisticated AI phishing attacks, cybersecurity practitioners and company employees must understand how cybercriminals are using the technology, and then embrace AI and machine learning for defensive purposes.
Gone are the days when scammers relied on crude methods, sending phishing emails riddled with typos, grammar errors, spoofed domains and so on. The rules have changed, and phishing email attacks now come with a sophisticated toolset.
What is an AI phishing attack?
AI phishing attacks leverage artificial intelligence to make phishing emails more personalized and convincing. That personalization raises the success rate because it blinds the target to the red flags. This is why bad actors use AI algorithms to analyze a vast amount of information about their target, such as social media profiles and online activity (where they shop, what they search for and similar details), making it difficult for the target to tell a fake email or site from a real one.
AI-Based Phishing Trends Companies Need to Pay Attention To
Artificial intelligence (AI) and large language models (LLMs) are the latest sophisticated toolsets adopted by attackers. The following attack methods show how cyber attackers are making phishing harder to detect and prevent, and enterprises need to pay close attention to them.
Quishing:
Quishing, or QR phishing, is a cybersecurity threat that uses Quick Response (QR) codes to redirect targets to malicious websites or pages. When the target scans the QR code, they are redirected to a malicious login page that looks exactly like the company’s real login page. The page prompts the victim to enter private information such as login credentials and financial details. Once the attackers capture this information, they can exploit it for a range of malicious purposes.
Company executives should therefore educate their employees so they understand that phishers can now attack effectively through this channel.
The use of QR codes to deliver malicious payloads is no longer a myth. In fact, in the fourth quarter of 2023, according to this post, top executives in the C-suite saw 42 times more phishing attacks using QR codes than the average employee.
Note: Attackers exploit the fact that most email security systems do not scan embedded QR codes, which allows the links to bypass traditional email filters.
2-Step Phishing:
2-step phishing is another form of phishing campaign that has become increasingly prevalent. This type of phishing helps attackers avoid detection by embedding the malicious payload within a seemingly authentic service, so it is very important that company owners don’t underestimate how effectively it can infiltrate an organization.
With thousands of legitimate websites and email accounts being compromised by threat actors, you mustn’t sweep this kind of phishing under the carpet: here, genuine emails and websites are being used by threat actors to carry out their malicious intent.
For instance, a target might receive an email from a compromised sender claiming their password has expired and prompting them to click a link to reset it. The link redirects to a legitimate-looking site that hosts a hidden malicious link.
Note: Everyone working in a company needs to be aware of this kind of phishing attack. It looks completely genuine, and if proper incident response actions aren’t taken, the company or the target could suffer irreparable damage.
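The redirect-chain analysis a mail gateway or analyst can run on such a link, as an added example that is not part of the original article: it follows the chain to its real destination (capping the number of hops and detecting loops) and extracts the off-site links the landing page hides. The fetch function and every host in SAMPLE_WEB are constructed stand-ins for real HTTP traffic, and only the domains passed in the allowlist are treated as the company's own.

```python
"""Added example, not code from the original article: resolve a link's redirect
chain offline and report where it really lands, plus any off-site links the
landing page hides. The fetcher is injected, so SAMPLE_WEB below is a
constructed stand-in for real HTTP requests; all hosts are placeholders."""
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed sample "web": url -> (redirect Location or None, HTML body).
SAMPLE_WEB: Dict[str, Tuple[Optional[str], str]] = {
    # Step 1: the compromised sender's link bounces to a file-sharing host.
    "https://mail.example-partner.test/reset?id=42": (
        "https://docs.example-host.test/share/abc", ""),
    # Step 2: a legitimate-looking page that hides the real phishing link.
    "https://docs.example-host.test/share/abc": (
        None,
        "<html><body><p>Your password expires today.</p>"
        '<a href="/help">Help</a>'
        '<a href="https://login.example-evil.test/sso">Continue to reset</a>'
        "</body></html>"),
    # A benign internal link for comparison.
    "https://intranet.example-corp.test/reset": (None, '<a href="/ok">ok</a>'),
    # Two pages that redirect to each other, to exercise loop detection.
    "https://loop.example-host.test/1": ("https://loop.example-host.test/2", ""),
    "https://loop.example-host.test/2": ("https://loop.example-host.test/1", ""),
}

Fetcher = Callable[[str], Tuple[Optional[str], str]]


def sample_fetch(url: str) -> Tuple[Optional[str], str]:
    """Stand-in for an HTTP GET: returns (redirect target or None, body)."""
    return SAMPLE_WEB.get(url, (None, ""))


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in the landing page."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def allowed(host: str, allowlist: List[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowlist)


def follow_chain(start: str, fetch: Fetcher, max_hops: int = 5) -> Dict:
    """Follow redirects from start. Stops on a final page, a loop, or max_hops."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        location, body = fetch(url)
        if location is None:
            return {"chain": chain, "body": body, "truncated": False}
        url = urljoin(url, location)
        if url in seen:  # redirect loop
            return {"chain": chain + [url], "body": "", "truncated": True}
        seen.add(url)
        chain.append(url)
    return {"chain": chain, "body": "", "truncated": True}


def analyze_link(start: str, fetch: Fetcher, allowlist: List[str]) -> Dict:
    """Resolve the chain and flag off-allowlist destinations and outbound links."""
    resolved = follow_chain(start, fetch)
    final_url = resolved["chain"][-1]
    parser = LinkExtractor()
    parser.feed(resolved["body"])
    outbound = sorted({
        urljoin(final_url, href) for href in parser.hrefs
        if host_of(urljoin(final_url, href)) != host_of(final_url)
    })
    findings: List[str] = []
    if resolved["truncated"]:
        findings.append("redirect loop or too many hops")
    if not allowed(host_of(final_url), allowlist):
        findings.append(f"lands on unapproved host {host_of(final_url)}")
    for url in outbound:
        if not allowed(host_of(url), allowlist):
            findings.append(f"landing page links off-site to {host_of(url)}")
    return {"final_url": final_url, "hops": len(resolved["chain"]) - 1,
            "outbound": outbound, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    allow = ["example-corp.test"]
    for link in ("https://mail.example-partner.test/reset?id=42",
                 "https://intranet.example-corp.test/reset"):
        print(analyze_link(link, sample_fetch, allow))
```

In a real deployment the fetcher would issue requests from an isolated sandbox rather than from the user's session, and the allowlist would come from the organization's asset inventory; the point the example makes is that the first hop being a trusted sender says nothing about where the link ends up, so the verdict has to be based on the final destination and on what that page links to.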
Smishing:
Smishing is another form of phishing attack that tricks people into sharing their private information. While this form of attack is carried out through text messages, it’s important to know that sophisticated AI-powered tools help attackers craft more convincing smishing scams.
Smishers pose as someone you know well or someone in a position of authority (for example tech support staff or management) to trick you into divulging sensitive information. Once they have your data, they’ll either abuse it themselves or sell it to someone else who wants to harm you.
Note: Smishers create a comfortable atmosphere that makes you relaxed enough not to suspect a thing until you have handed over your private data.
Browser in the Browser (BitB phishing attack):
Cyber attackers continuously create new techniques to lure or trick users into divulging sensitive data, and the BitB method is one of them.
This technique involves the attacker creating a convincing fake browser window inside the real browser, using HTML and related web technologies to mimic the original site. For example, an attacker could create a fake Netflix login page in a pop-up window that appears genuine but is actually served from a fraudulent domain. This can deceive users into entering their credentials, believing they are on a secure site.
One real-life example of BitB took place in March 2022, when Ghostwriter, a Belarusian threat actor, leveraged BitB, combining it with advanced persistent threat (APT) phishing tradecraft, to host credential phishing campaigns on compromised legitimate sites.
File Archives in the Browser Phishing
Did you know that ever since Google began offering the ability to register .zip top-level domains such as FkZycomputer.zip for hosting websites or email addresses, there has been a long debate over whether this poses a cybersecurity risk to innocent users?
Well, the overblown fear here is that attackers will abuse “.zip” domains to trick users into thinking they are opening a file directly in their browser. For instance, a user (say, a freelancer expecting payment) might click a link such as setupinvoice.zip or “invoice pdf,” not knowing that they are downloading a malicious executable disguised as a legitimate document, and thereby opening a gateway for attacks.
Note: This method bypasses many security filters because there are no obvious indicators like download buttons or clickable prompts.
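An added example, not code from the original article, serving both the quishing section and the .zip-domain section above: a scoring function for a URL recovered from an email body or decoded from a QR code. It flags hosts that end in a file-extension TLD such as .zip, look-alike domains within a small edit distance of the company's real domains, raw IP hosts, non-HTTPS links, userinfo before an @, and document names that carry an executable extension. Decoding the QR image is assumed to happen upstream (a library such as pyzbar can do that); the hostnames, the protected brand domain and the setupinvoice.zip-style samples are constructed, and the two-label registrable-domain helper is a simplification noted in the code.

```python
"""Added example, not code from the original article: score a URL recovered from
an email body or from a decoded QR code for the quishing and file-extension-TLD
indicators discussed above. Decoding the QR image itself is assumed to happen
earlier in the pipeline; this function receives the decoded string. All hosts
and brand names are constructed placeholders."""
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

FILE_EXTENSION_TLDS = {"zip", "mov"}  # TLDs that read like file names
EXECUTABLE_EXTS = (".exe", ".scr", ".msi", ".bat", ".hta", ".js")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels). Production code should use
    the Public Suffix List so that names like example.co.uk are handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_url(url: str, protected: List[str]) -> Dict:
    """Return the indicators found in url. `protected` lists the domains the
    organization really uses; anything near them but not on them is suspect."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings: List[str] = []

    if parts.scheme != "https":
        findings.append("not https")
    if "@" in parts.netloc:
        findings.append("userinfo before @; the real host is what follows it")
    if is_ip_literal(host):
        findings.append("raw IP address as host")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FILE_EXTENSION_TLDS:
        findings.append(f"host ends in .{tld} and reads like a file name")

    # Only compare against brands when the host is not actually one of ours.
    if host and not any(host == p or host.endswith("." + p) for p in protected):
        reg = registrable(host)
        for brand in protected:
            distance = levenshtein(reg, brand)
            if 0 < distance <= 2:
                findings.append(f"look-alike of {brand} (edit distance {distance})")
                break

    filename = parts.path.rsplit("/", 1)[-1].lower()
    if any(filename.endswith(doc + exe)
           for doc in DOCUMENT_EXTS for exe in EXECUTABLE_EXTS):
        findings.append("document name with an executable extension")

    return {"url": url, "host": host, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    protected_domains = ["example-corp.test"]
    for sample in ("https://login.example-corp.test/sso",
                   "https://login.examp1e-corp.test/sso",
                   "setupinvoice.zip",
                   "https://files.example-host.test/invoice.pdf.exe",
                   "http://203.0.113.7/login"):
        print(score_url(sample, protected_domains))
```

The function deliberately returns the list of indicators rather than a single yes/no, so a gateway can weight them (a .zip host that is also a look-alike of the corporate domain deserves a block, a lone non-HTTPS link may only warrant a warning banner), and so an analyst can see why a message was held.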
Telephone Scams
Phone scams are nothing new; they were around long before the Internet took its current form. But now artificial intelligence has made them more convincing to a wider range of victims than ever, creating a new form of AI phishing scam.
Many online criminals leverage generative AI to fabricate more convincing-sounding calls. AI voice cloning has made it difficult for victims to recognize a fake call.
Phone scams are taking a new direction. Deepfake technology makes it possible to create fake audio or even video that impersonates a real person’s voice and appearance. A good example of this kind of phishing is the widely publicized case in which a large firm’s CFO appeared to approve $25 million, broken down into 15 transactions, after a video conference meeting, only for the employee involved to reach out to the head of the corporation a week later and discover that the other participants on the call had been fabricated using deepfake video.
Safety measures businesses can leverage to mitigate the increasingly sophisticated AI phishing attacks:
End-user education and awareness: If you’re a company owner, prioritizing cybersecurity awareness training should be near the top of your to-do list. The training should thoroughly cover both traditional and current phishing techniques used by attackers. While the training aims to teach you and your workers how to identify and avoid phishing baits, your company also stands to enjoy the following benefits:
- It minimizes the risk of incidents and limits financial losses to attackers.
- It creates a culture of cybersecurity consciousness and awareness within your company.
- It prevents future data loss and damage.
- It reduces the human error that opens the gate to attackers.
Due diligence on warning signs: While no single sign guarantees you will spot a phishing attack, especially in the AI age, it’s wise to check for the basic errors of phishing scams, such as typos, incorrect email addresses and other mistakes, as well as for suspicious emails that create a sense of urgency or that could come from an impersonator.
A strict policy that says “Don’t download, click, reply to or open any attachment you haven’t completely scrutinized”: Company C-suites and other employees should know this as well as they know their own names. Given the persuasive power of current AI phishing, you might otherwise end up yielding to the trick urging you to click the bait link.
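A rule set for the warning signs listed above, as an added example that is not from the original article: it parses a raw message with Python's standard email package and flags a display name that borrows an internal identity while the address is external, an external sender domain that embeds the company name, a Reply-To that differs from From, and urgency phrases. The message, domains and names are constructed placeholders, and the name and phrase lists are illustrative rather than a recommended production list.

```python
"""Added example, not code from the original article: a small rule set that
scores a raw email for common phishing warning signs. The message, domains
and names below are constructed placeholders."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict, List

INTERNAL_DOMAINS = {"example-corp.test"}
# Identities attackers like to borrow; in practice, load these from the directory.
HIGH_VALUE_NAMES = {"jane doe", "it support", "payroll"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "act now",
                   "account will be suspended", "password has expired")

# Constructed sample message impersonating an executive from an outside domain.
SAMPLE_EMAIL = b"""From: "Jane Doe (CEO)" <jane.doe@example-corp-mail.test>
Reply-To: payments@example-evil.test
To: bob@example-corp.test
Subject: Urgent wire approval
Content-Type: text/plain; charset=utf-8

Bob, I need this paid immediately or our account will be suspended.
"""


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; empty if there is no @."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_email(raw: bytes) -> Dict:
    """Parse raw RFC 5322 bytes and return the warning signs found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)

    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    text = (str(msg["Subject"] or "") + " " + body_text).lower()
    findings: List[str] = []

    if from_domain not in INTERNAL_DOMAINS:
        name = display_name.lower()
        if any(known in name for known in HIGH_VALUE_NAMES):
            findings.append(
                f"display name impersonates an internal sender from {from_domain}")
        if any(d.split(".")[0] in from_domain for d in INTERNAL_DOMAINS):
            findings.append("external sender domain embeds the company name")
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    urgent = [phrase for phrase in URGENCY_PHRASES if phrase in text]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))

    # One indicator alone (an urgent subject line) is common in legitimate mail;
    # two or more together is what a reviewer should treat as suspicious.
    return {"from": from_addr, "findings": findings,
            "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for finding in score_email(SAMPLE_EMAIL)["findings"]:
        print("-", finding)
```

None of these rules is proof of phishing on its own, which is why the verdict requires two indicators to coincide; the value of running them automatically is that they surface exactly the details (the real sending domain, the hidden Reply-To) that a well-written AI-generated message is designed to make a human reader skip.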
Stay informed on the latest cybersecurity news: AI is here to stay, it will continue to evolve, and cyber attacks will continue to change over time.
Hence, it’s very pertinent to stay informed about the most recent cybersecurity events. It’s wise to subscribe to reputable cybersecurity publications that cover the latest data breaches, scamming trends and emerging cyber threats daily. Here are some that can help you stay in the know: Dark Reading, SecurityWeek, Keeper Security Blog, Tripwire, informationsecuritymagazine, and many more.
Don’t share data or passwords: Don’t be quick to share information just because you received an email urging you to do so. Always question any message that asks for your personal, business or financial data.
Use email security and anti-phishing tools: There are reliable email security gateways such as Trustifi email security, as well as email filters, antivirus software and web browser tools and extensions, that can catch or help you detect many, but not all, phishing attempts. Use a layered security strategy.
The company should create a safe word or identification code for its C-suite and other employees:
Considering how convincing AI-generated impersonations have become, it’s wise for a company to have a safe word or code known only to employees and the C-suite. It gives you a way to verify a suspicious person’s identity. For example, if someone calls (by video or audio) a member of the company and claims to be someone you know, one quick way to check whether it’s a deepfake is to ask the caller for the safe word. If the caller gets the word wrong, you know the call is part of a phishing attack.
Note: Companies should base their safe words or codes on something unrelated to cybercrime, AI or tech. This makes it difficult for an attacker to get close by guessing or by researching you or your colleagues.
Could AI improve phishing prevention and detection?
GenAI could significantly reduce overall cyber risk. The technology isn’t built for attacks only; it can make security awareness training more customized, efficient and effective. One of AI’s strengths is that its algorithms adapt automatically to a pattern, whether that is an attack format, a training curriculum or a phishing simulation built around a target’s daily activities and weaknesses. Companies can therefore use the same adaptive capability to gather real-time data about attackers’ techniques and to avoid and control future phishing attacks.
Note: Generative AI is a revolutionary technology. It can identify a company’s vulnerabilities and the forms of attack it is most likely to face, and then automatically tune security defence tools accordingly.