Did you know that nearly 3.4 billion phishing emails are sent every day? That figure comes on top of the at least 100 million phishing emails that Google already blocks every day. Hackers are also becoming savvier than ever before, with many sending emails that appear to be from trusted organizations like Microsoft.
Phishing is, in essence, malicious marketing. In the same way that marketers use available data to target the demographics most likely to be converted by their ads, hackers also use publicly available data to target victims in the hopes that they will click links allowing access to personal data or sensitive information.
Here are the current threats to cybersecurity and how AI is reshaping the phishing landscape.
The evolving face of phishing scams
Email phishing (“classic” phishing)
Email phishing remains a widespread tactic, where scammers send mass messages hoping to ensnare a few unwary employees. These emails often appear urgent, prompting the recipient to act quickly by clicking on a malicious link or providing personal data. While their effectiveness has declined, up to 17% of recipients still fall for these scams.
Spear phishing
Spear phishing represents a more tailored approach, targeting individuals with customized emails based on personal data. In 2022, 50% of businesses fell victim to these attacks, which, despite their rarity, accounted for 66% of all corporate data breaches due to their personalized nature.
New AI-driven phishing attacks
AI voice impersonations are a new frontier in phishing, where scammers use AI to clone voices, posing as family members or authorities to manipulate victims. Similarly, AI platforms like ChatGPT have been used to create impeccably written phishing content, making traditional signs of phishing, such as poor grammar, odd sentence structure or excessive punctuation, obsolete. The emergence of AI cybercrime tools such as WormGPT on underground forums has further enabled hackers and bad actors to launch sophisticated phishing and business email compromise attacks.
Who is at risk?
The risk factors for becoming a phishing target remain the same: Previous data breach victims, users of password manager services and those with an active online footprint are all prime targets. However, AI phishing brings a new level of risk with tactics like Adversary-in-the-Middle (AitM) attacks, which can bypass conventional security measures like multi-factor authentication.
Staying protected against AI phishing
To protect against these advanced threats, it’s crucial to be vigilant and informed. Here are some measures to bolster your defenses:
1. Remember that personalized attacks require personalized defense.
Basic training can only help so much, particularly for users who are not tech-savvy. It’s impossible to know which data will be used against a person, so the best defense is an approach tailored to an individual’s data.
2. Implement regular phishing drills.
Teaching everyone in your organization what a realistic phishing attack looks like is one of the most effective ways to prevent them from becoming victims.
Companies can either hire outside teams to create these simulations, which can be incredibly costly, or they can do basic template simulations. The most important aspect of these campaigns is to ensure they mimic the most likely threats to your organization. This means understanding what the hackers are most likely to do, such as using AI voice messages or well-written emails, and using those same tactics.
3. Minimize the “attack surface” by arming employees with knowledge.
Information from the phishing drills will give your company valuable insights into where your biggest vulnerabilities are. Leveraging this data to fill in the knowledge gaps for every individual in your organization can go a long way toward limiting the amount of success these hackers see.
Forewarned is forearmed: Know your risk to keep from getting scammed
Phishing can happen to anyone, and with the advent of AI and hybrid work environments, the risks are only increasing. This is especially true for SMEs, because they rarely have the same level of security measures that large enterprises do.
The increasing prevalence of AI is also creating a more dangerous phishing environment for companies of all sizes. A single hacker can now generate as much as 100 times more malicious content than they could previously.
Global phishing attacks have surged by over 50% in recent years, and with AI’s involvement, they are becoming more challenging to detect. Regardless of your position, from entry-level employees to CEOs, awareness and proactive measures are your best defense against the sophisticated phishing landscape of today.