With the continued development of generative AI technology and the wide accessibility of these new tools, a range of new methods has become available to hackers to refine their existing techniques and develop new ones.
While Phishing has existed for many years, AI technology
can now further refine and increase the effectiveness of an industry
responsible for an average cost of $4.76 million for impacted companies.
Traditional Phishing Attacks
Phishing emails have been an ongoing issue for businesses
and individuals for years, with a progressive rise in the number of Phishing
emails that are sent out each year.
While many Phishing emails are considered easily
identifiable, more targeted versions of Phishing exist known as Spear Phishing
and Whaling.
Unlike large-scale generic Phishing attempts targeted at thousands of
email addresses, Spear Phishing and Whaling are focused on a small number of
individuals, often in high-profile positions within businesses.
As the emails are much more targeted, the time and effort
that is put into creating the content for the message is also greatly
increased.
This allows the message to be much more convincing, as it can
reference information about the business, named employees and other unique
details.
Currently, the number of targeted Phishing attempts is
much lower than the number of large-scale generic Phishing attempts due to
the time and effort required to effectively carry out a targeted Phishing campaign.
The Effectiveness Of Phishing
An estimated 3.4 billion Phishing emails are sent out each day.
The average rate at which generic Phishing emails are
clicked on can vary but is around 17%.
More targeted versions of Phishing are considered much
more effective with an average click rate of around 50%.
Phishing is involved in around a third
of all data breaches that occur and the number of Phishing attacks which are
conducted each year is still growing.
Generative AI
Generative AI technologies have exploded in popularity in
recent years, with tools being developed to generate text, images, voice,
video, animation, music, code, and many things that would have been considered
impossible to automatically generate just a few years ago.
Its explosion in popularity has already started to
develop an entire industry based on the rapid and automated responses that AI
tools can deliver.
While many benefits come from such technologies, many
consequences come with the automated and convincing generation of text, images,
videos, and voice.
Generative AI Powered Phishing
With the use of generative AI, a growing concern is that
large-scale generic Phishing attempts will transform into more targeted and
convincing Phishing attempts, which can be more easily automated and have a
higher rate of compromise.
AI tools can help attackers write both the content of the
Phishing email and also automate the coding and development process to deliver
such unique targeted emails.
This process helps create variations in email content,
insert individual names based on information scraped from LinkedIn, and
improve the message's overall appearance as a genuine email.
Securing Against Phishing Attacks
While there are solutions in place that can already
filter your email inbox to reduce the amount of spam and Phishing emails you
receive, it is possible that these security filters may be bypassed with
AI-generated emails.
● AI detection tools are already
being developed to identify AI-generated text. These tools can be incorporated into email
filtering solutions to remove content that is likely to be AI-generated.
● Security awareness training must
be expanded to recognize the potential threat of targeted Phishing emails
and inform staff how to identify and react to these types of email messages.
● It is important to be aware
that Phishing scams have evolved over the years to target emails, text
messages, social media messages, phone calls, and other methods of delivering
messages. With generative AI
technologies available for text, images, voice, and video, messages using these
formats can become increasingly convincing.
● While it is important to
prevent the compromise of devices and accounts from Phishing, how to respond to
a compromise should also be considered.
Implementing further security measures and preparing an incident
response plan to minimize the impact of a compromise should also be carried
out.
Continued Development of Phishing Attacks
As AI is a relatively new industry, there is still a
large question mark around its future and the benefits or harm that it could
bring.
However, regardless of the potential fears, AI
technologies have emerged, and their impact has already started to be felt:
on the art world, through automation replacing a number of
jobs, and through the further development of Phishing.
As Phishing is projected to continue increasing over the
next few years, defending against this threat and its growing
sophistication is a requirement for the ongoing security of businesses and
individuals.
Andrew Lugsden
Security Consultant at Forge Secure Limited
Working within the Cyber Security industry for over ten
years to provide consultancy, security testing, and compliance services.