How to Defend Against AI-Powered Phishing Attacks and Keep Sensitive Data Secure

Summary

Cybersecurity is a constant arms race, with adversaries constantly seeking out techniques to make their attacks more effective as defense strategies improve. One of the most important new trends to know about is AI-powered phishing campaigns, in which cybercriminals use artificial intelligence (AI) to craft compelling phishing emails in order to slip into your network to steal sensitive data or do other damage.
 
Phishing remains the top attack vector, implicated in a staggering 74% of cyberattacks—but as companies have improved their defenses, cybercriminals are upping their game. One key factor is increased cybersecurity awareness: 59% of organizations now conduct regular cybersecurity training, according to the Netwrix Cloud Data Security Report 2022. As a result, business users are far less likely to fall victim to basic phishing techniques, especially emails riddled with spelling mistakes or making outrageous claims about riches ready to be claimed.

To increase their success rate in the face of this increased awareness, cybercriminals are now using AI to create highly targeted and personalized attacks that are more difficult for users to identify as phishing — increasing the odds that they will click on a malicious link or open an infected attachment, enabling the adversary to gain a foothold in the corporate network.

How AI can be used to power phishing attacks

Tools designed for advanced conversational AI, such as ChatGPT, are increasingly being used for a wide range of tasks, from writing essays to developing and testing application code. Indeed, the free version of ChatGPT offers significant functionality, and the paid version offers even more powerful capabilities. Hackers can abuse such AI-based tools in several ways, including the following:

Creating malicious code
If malicious actors explicitly ask ChatGPT to provide malicious code to perform a phishing attack, it will refuse—but they can still use the tool to request useful chunks of code. Accordingly, hackers no longer need extensive programming experience to create formidable malicious campaigns; they just need a few basic hacking skills to assemble the pieces of code that the AI tool generates for them.
 
For example, they can create a malicious script that they insert into the HTTP or PHP code of a vulnerable website. When a user visits that page, the script can install malware directly on their computer or redirect them to a fake site established by hackers. Such “stealth downloads” can also occur when an email or pop-up window is displayed. Note that the user doesn’t even need to click a download button or open a malicious attachment to become infected.

Crafting targeted messages
In addition, tools like ChatGPT v.4 are now fully connected to the internet, so they can quickly provide detailed personal information about potential victims, such as their interests and the names of their relatives. Hackers have long been gleaning such information manually from social media to create more targeted phishing emails, but AI tools make the job easier than ever.
 
Today, these messages are being sent not only through email, but also through SMS texts, known as smishing campaigns.

Creating deepfakes
Finally, phishing is by no means limited to the written word. Another variant is vishing, which involves voice calls. The malicious actor pretends to be someone else, such as a bank representative or an IT support person, in order to trick victims into revealing sensitive information or even ceding control of their machine.
 
AI is now being used to make vishing campaigns more effective. It enables malicious actors to take recordings of someone’s voice and create convincing fake recordings of them saying something else entirely. For instance, a hacker can use recordings of a company executive’s talks at conferences to create a fake recording to send to an employee that instructs them to immediately transfer funds to an account controlled by the hacker.

Defending against evolving phishing attacks

The most important line of defence against all these varieties of phishing campaigns is the same as is always has been: the user. It is vital to educate business users on best cyber practices, train them to spot malicious activity and encourage to stay vigilant. In particular, train them to always question urgent calls for action and to verify the origin and legitimacy of the request via a different method of communication.
 
In addition, prompt employees to regularly remove all obsolete or unused applications and plug-ins from their devices. The more software a machine hosts, the more vulnerabilities there are that can be exploited.

But a strong defense against phishing is not entirely up to users. Behind the scenes, IT team should monitor their systems closely using tools that can analyze activity patterns, spot suspicious behavior and enable prompt response to prevent serious damage. 

Conclusion

Cybercrime has become a business. Like any other business leaders, cybercriminals seek out ways to maximize their profits as quickly as possible and with minimum effort. Therefore, the harder you make it for them to infiltrate your IT environment, the more likely it is they will decide to switch to an easier victim. Blocking AI-powered phishing campaigns is a critical part of that defense strategy. Nevertheless, you also need to have effective security measures in place to spot threats in progress and respond in time to minimize the impact to your organization.