AI Phishing: The New Frontier of Cyber Threats
- Written by: Ryan Mosher
It wasn’t too long ago that the typical phishing email was from a deposed king of a foreign country asking for a small monetary deposit and, in return, promised untold riches for the recipient.
Fortunately, those emails don’t really work anymore.
Unfortunately, phishing emails have become increasingly sophisticated, costing organizations upwards of $10 billion annually.
These phishing attacks accounted for 36% of all US data breaches in 2023, with 71% of all companies experiencing a successful phishing attack last year.
To make matters worse, a new threat has emerged with the potential to outsmart even the most vigilant employees in any organization: AI phishing.
This cyberattack leverages artificial intelligence (AI) to create persuasive phishing emails, messages, and calls, making it increasingly difficult for individuals and organizations to differentiate between legitimate and malicious communications.
The Rise of AI Phishing Attacks
Traditional phishing attempts were often riddled with grammatical errors, poor vocabulary, and unprofessional formatting. These red flags were reasonably easy to spot for even moderately cautious individuals. However, AI has enabled attackers to elevate their game significantly.
Recent reports indicate that advanced persistent threats from bad actors worldwide, particularly state-backed cybercriminals from countries like China, Iran, North Korea, and Russia, are using large language models (LLMs) to enhance their cyber operations.
These state-sponsored actors, already known for their sophisticated cyber capabilities, use AI to perform various malicious activities, from scripting tasks and intelligence gathering to creating phishing content designed to deceive and exploit.
Generative AI tools, like ChatGPT, now allow attackers to craft phishing emails with near-perfect grammar and vocabulary. These tools can even insert real-time information, like news headlines or stock prices, to further legitimize the message.
AI can also be used to personalize phishing emails, making them even more believable than one from the CEO of your company asking you to run to your nearest retail store and pick up a dozen $50 gift cards for a client meeting.
Attackers are leveraging AI to:
- Collect information about potential targets from social media profiles or past data breaches.
- Craft emails that address specific things about the recipient, including details about their work or personal interests.
- Mimic the writing style of colleagues or trusted contacts, making it easy to believe a message came from a trusted source.
Different Types of AI-Powered Phishing Attacks
AI isn’t just making traditional phishing attempts more effective. It’s also enabling new and more targeted attack methods.
- General Phishing Attacks: AI can automate the creation and distribution of phishing emails, allowing attackers to target a broader range of individuals with minimal effort. The time and effort a good attempt at a phishing email used to take has been significantly reduced, and organizations are being flooded with a mountain of suspicious messages as a result.
- Spear Phishing: Spear phishing is a highly targeted attack that uses specific information about an individual or organization. AI takes spear phishing to a whole new level. AI can efficiently analyze an enormous amount of data to personalize spear phishing emails, making them convincing and difficult to detect.
- Vishing: AI is also being used to enhance vishing (voice phishing) attacks involving fraudulent phone calls or voicemails. In one of the most stunning examples of vishing, a finance worker in Hong Kong was tricked into paying $25 million to a criminal on the strength of a deepfake conference call.
Defending Against AI Phishing Attacks
Organizations have to adopt a multi-faceted approach to cyber defense to combat the rising threat of AI phishing.
Here are some ways to counter AI-powered phishing attacks:
- AI-powered security solutions: These solutions use machine learning algorithms to analyze email content and sender information for signs of phishing. As this technology evolves, these solutions will likely become more efficient and affordable.
- End-user training: Security awareness training is crucial in equipping individuals with the skills to recognize and respond to phishing attempts. If your organization is not implementing phishing simulations and providing clear reporting channels to empower employees to play an active role in cybersecurity, then you are leaving yourself open to attack.
- Partner with a cybersecurity expert: It is nearly impossible for in-house IT staff to stay on top of every threat vector that pops up. Now that AI has entered the game, one of the best ways to fight back is to partner with cybersecurity experts—experts who live cyber defense every day.
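Because AI-written messages no longer carry grammar mistakes, the sender-information checks mentioned in the first item above carry more of the weight. The following Python is an added example, not code from HBS or any security product; ORG_DOMAIN, EXECUTIVES and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.test"   # assumption: the defender's own mail domain
EXECUTIVES = {"dana reyes"}        # assumption: display names worth protecting
# Constructed sample: fluent, error-free text, so grammar checks find nothing.
SAMPLE = """\
From: "Dana Reyes" <dana.reyes@examp1e-corp.test>
Reply-To: dana.office@mailbox.test
To: pat@example-corp.test
Subject: Quick favor before the client meeting
Authentication-Results: mx.example-corp.test; spf=pass; dkim=none; dmarc=fail

Pat, could you pick up a dozen $50 gift cards before the client meeting?
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss copies of ORG_DOMAIN."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_signals(raw):
    """Return sender-side findings that do not depend on how well the body is written."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    # Only trust Authentication-Results stamped by your own receiving server.
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    if not m or m.group(1).lower() != "pass":
        findings.append("dmarc_not_pass")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append("reply_to_domain_mismatch")
    if from_dom != ORG_DOMAIN:
        if any(e in name.lower() for e in EXECUTIVES):
            findings.append("executive_name_external_domain")
        if edit_distance(from_dom, ORG_DOMAIN) <= 2:
            findings.append("lookalike_domain")
    return findings
```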
Stay Alert and Fight Back Against AI Phishing
AI phishing represents a significant and growing threat, requiring concerted effort from organizations and individuals to fight against it. Don’t fall victim to an attack that can cost you money, time, and reputational damage.
As cybersecurity experts, the HBS team can help fortify your defenses, empower your employees, and stay ahead of the curve.
Contact HBS today and discover how to safeguard your organization from AI phishing.