How Hackers Use A.I. to Make Fools of Us (& Foil Security Awareness Training)

In a bit of cybercrime jujitsu, A.I.-enabled hackers are using our past security awareness training to make us look silly. Remember the good old days when you could easily spot a phishing scam by its laughable grammar, questionable spelling and odd word choice? 

“Kind Sir, we a peel to your better nurture for uhsistance in accepting $1M dollhairs.” 

Or how about fear-based emails with an utter lack of context from a Gmail account linking to suspicious “at-first-glance-it-looks-real” URLs: 

“Your recent paycheck was rejected by your bank! Please click on definitely-not-a-scam.com [disguised as your employer] and give us the entirety of your sensitive financial information”  

Well, those tools no longer work.

Here’s the deal: Hackers use A.I., or more specifically Gen A.I. (Generative Artificial Intelligence), to turn outdated phishing detection tips on their heads, using it to tailor perfectly crafted, error-free, emotionally convincing emails that appear to come from a trusted source and reference actual events in your life. Giving A.I. to cybercriminals is like handing your five-year-old a smartphone – they’re better at it than you will ever be.

A.I.-augmented phishing emails are designed to trigger your trust hormone (oxytocin, not to be confused with Oxycontin) by systematically eliminating all of the red flags you learned during your organization’s cybersecurity awareness training. So, when an employee receives a well-crafted, error-free email from a friend that references recent personal events, past cybersecurity awareness training actually encourages them to click on it.

To make matters worse, if the hacker happens to have access to breached databases about you, like emails compromised during a Microsoft 365 attack, they become the Frank Abagnale of phishing (the world’s most famous impersonator, if you don’t know who he is). Criminals can easily dump breached data into a Large Language Model (LLM) and then ask A.I. to compose a phishing campaign based on your past five emails.

A.I. software allows even novice cybercriminals to scrape your relationships, life events and location from social media, combine it with personally identifying information purchased on the dark web, and serve it up to your email or text as if it originated from someone you trust. It’s like having your own personal stalker, but it’s a cyborg that understands your love of blueberry cruffins and ornamental garden gnomes. (Ok, maybe those are my loves, not yours.)

The reality is that hackers are no longer crafting the emails one by one; it’s artificially intelligent software doing millions of times per day what nation-state hackers used to spend months doing to prepare spear-phishing campaigns. And it means that phishing and business email compromise campaigns will eventually appear in your inbox as often as spam. And that threatens your bottom line. 

Let’s get serious for a hot minute. For those of you who have attended one of my cybersecurity keynotes, here is a comprehensive and organized approach to the steps your organization should begin taking as outlined by the Blockbuster Cyber Framework:

  1. HEROES (Your people): Immediately retrain your people to properly identify, verify and distinguish harmful phishing and social engineering schemes from legitimate communication. This requires new thinking applied to old reflexes. 
  2. STAKES (What you have to lose): Identify which data is the most sensitive, profitable, and targeted by ENEMIES, and prioritize its defense. You can’t protect everything, so protect the right things first. 
  3. SETTING (Your technology):
     1. Implement defensive software tools like A.I.-enhanced spam filtration that helps detect phishing emails. Generative A.I. is brilliant at detecting patterns, and that will make identifying even the most well-crafted phishing campaigns somewhat easier.
     2. Properly segment and segregate your network so that access to one area of your data doesn’t expose others.
  4. GUIDES (Experts in the field): Hire an external security assessment team (not your I.T. provider) to evaluate your technological and human defenses and known vulnerabilities. Internal teams have less incentive to discover their own mistakes.
  5. PLAN (Pre-attack and post-attack next steps): Develop a prevention roadmap before the ATTACK and an Incident Response Plan that lets you know exactly who to call and how to respond when a successful phishing attack occurs (because it will). Preparation is the greatest form of mitigation. 
  6. VICTORY (When you don’t end up on the front page): When nothing bad happens, reward your people. Throw a party for your team, because nothing says “thank you for not clicking on that profit-destroying scam” like a rowdy office shindig. Incentivizing good behavior is just as critical to your culture of security as retraining after someone mistakenly clicks on a phishing email. 

Cybercrime is constantly changing and now A.I. enables every attack type to scale. Make sure your cyber defenses and people don’t end up being the fool. 

John Sileo is a cybersecurity author, expert and keynote speaker fascinated by how A.I. accelerates everything, including crime. His clients range from the Pentagon to Amazon, small businesses to large associations. John has been featured on 60 Minutes, Fox & Friends and even cooking meatballs with Rachel Ray. His latest keynote speech is Savvy Cybersecurity in a World of Weaponized A.I. Contact Us or call for details: 303.777.3221.