AI is increasingly influencing cyber attack vectors. Ankur Aeran and Nick Smith look at how this technology is shaping phishing attacks and how you can mitigate against these threats.
Contents

Financial service firms have become increasingly reliant on digital platforms to conduct business and communicate with their customers. The 2023 Cyber security breaches survey revealed that phishing remains the most common form of cyber-attack at 79%, with social engineering coming in second at 31%.

The increased use of digital platforms has created greater opportunities for cyber attackers to send malicious emails and apply phishing techniques. When phishing attacks successfully cause data breaches, victims are susceptible to having their information stolen. AI has made it easier to create convincing phishing emails and make them more believable.

Understanding phishing and AI

Phishing is an issue that requires constant oversight from firms. Organisations have had to have strong security measures to tackle the problem head on. There are three phishing techniques used to gain access to an organisation – phishing, vishing, and smishing.

Typically, phishing uses deceptive emails to impersonate trusted sources and entice victims to click on fraudulent links. Smishing is a variant that uses text messages to lure individuals. Vishing employs phone calls to impersonate legitimate organisations to obtain sensitive information.

AI has made these attempts more convincing and challenging to detect. AI can create unique content that's comparable to real life images or text, with less little human effort than ever before. Key developments in AI include:

  • Large language models, such as ChatGPT, used to construct emails that are more convincing in a business context
  • Deepfake tools to replicate human voices and make vishing attempts more convincing
  • Deepfake images provide life-like identification using tools such as Midjourney –  an attacker could create an image that supports claims around who they are, making it harder for someone receiving an email to determine its credibility

Collectively, these tools make it more difficult to know if an email is genuine. The traditional indicators of phishing emails are becoming less relevant. For example, training typically asks people to look for spelling mistakes or terminology that seems out of place. Large language tools like ChatGPT can replicate business slang and produce content that seems more convincing.

A malicious actor could even use deepfake technology, or tools like Midjourney, to create a photo of the so-called sender to boost credibility. High profile individuals could be easier to convince in these kinds of attacks, such as CEOs with significant press coverage and a range of photos available online.

While these may seem like futuristic threats, they’re already happening. For example, in 2019 deepfake software was used to convince the chief executive of a UK energy company that they were speaking to the CEO of its German parent company. The impression was so convincing that the UK chief executive wired £200,000 into a private account, as per the request of the deepfake voice. It's important to have a strong grasp over these emerging technologies and how they support phishing attempts.

FraudGPT

There are already tools available to help hackers create convincing phishing emails. FraudGPT crafts emails and messages that display correct grammar and can replicate a legitimate email. This tool collects personal information on the victim using publicly available information from across the internet. This makes it easier for attackers to mimic real-life individuals and obtain the trust of individuals.

Using AI to your advantage

AI can also effectively counter cyber-attacks to combat these threats. An in-house system could offer a machine learning function to help detect certain patterns in data that could recognise phishing websites. As the system learns, data, and metrics can help the firm assess and evaluate these phishing attempts in more detail to understand it.

The tool can detect suspicious activity and identify malicious intent. Anti phishing software can shut down the entire computer network if there's suspicious activity. You should also consider how your reporting can inform counter-phishing methods and lessons learned analysis.

Identifying phishing attempts

As cyber criminals become increasingly sophisticated in their social engineering attacks, it's necessary to remain educated. You should invest in cybersecurity training from the top down to train your team on how to identify phishing attempts, and how traditional hallmarks are changing. Spotting a phishing email is becoming more difficult, so investing in effective training measures and AI detection tools in necessary. This will require installing additional layers of security internally such as Multi-Factor Authentication (MFA). MFA reduces the likelihood of unauthorised access and mitigates the risks of obtaining sensitive data. These access measures would make it harder to access work accounts, therefore preventing phishing attempts.

Meeting best practice will require a strong understanding of phishing and how it's advancing. You should consider implementing security awareness programs and reporting mechanisms to educate your team to recognise these attempts. The rise of AI has meant that phishing attempts are becoming increasingly hard to detect. This means that attempts to counter it must be equally as strong and efficient. By building a strong knowledge of phishing, you can establish a valuable understanding of how to counter it effectively.

For more information on how to mitigate phishing risks, contact Ankur Aeran and Nick Smith.