Quantum Computing: Attack of the Super-Librarians

Quantum computing isn’t just faster; it’s a fundamental shift in how we process and solve problems. If you’ve ever struggled to wrap your head around what makes this technology so groundbreaking, let’s break it down with a metaphor. Because who doesn’t love a good metaphor?

Traditional Computing: The Book-by-Book Hunt

Picture yourself in a massive library filled with millions of books. Your mission: find a specific quote hidden in one of them.

Here’s how a traditional computer approaches this task:

  • Pulls one book off the shelf at a time.
  • Flips through every single page.
  • Moves on to the next book if it doesn’t find the quote.

The result?

  • A slow, linear process.
  • Time-consuming and frustrating.
  • If you’re like most people, you’d probably give up and Google it—which is still just a traditional search.

Quantum Computing: The Super-Librarian Squad

Now, imagine you’ve got a squad of magical librarians. These wizards don’t play by the same rules:

  • They spread out across the library.
  • Open every single book simultaneously.
  • Hand you the exact quote in seconds, bookmarked and highlighted.

The result?

  • Instantaneous answers.
  • Efficiency on a whole new level.

This is the magic of quantum computing. Instead of relying on traditional binary bits (0s and 1s), it uses qubits, which can represent both 0 and 1 at the same time.

The Power of Superposition

Superposition is what makes quantum computing so revolutionary. Imagine a spinning coin: While it’s spinning, it’s both heads and tails. Qubits, like that coin, explore multiple possibilities simultaneously, solving problems in ways classical computers simply can’t. By working in parallel, quantum computers can perform calculations at speeds that make traditional computing look like snail mail.

Why Should You Care?

Quantum computing isn’t just about speed—it’s about unlocking the impossible. Imagine having the power to:

  • Conduct trillions of searches or calculations at the same time.
  • Solve complex problems that are currently out of reach.
  • Optimize operations faster and more efficiently than ever.

But with great power comes great responsibility. Cybercriminals are already eyeing quantum computing as a way to break encryption and exploit vulnerabilities. Businesses need to act now to stay ahead.

How to Prepare for the Quantum Era

Organizations that educate themselves on quantum computing today will have the tools to:

  • Defend against quantum-enabled cyber threats.
  • Leverage quantum technology to innovate and stay competitive.
  • Future-proof their operations in an evolving digital landscape.

Quantum computing is like your personal squad of super-librarians, ready to tackle problems and find solutions at unimaginable speeds. The question is: Will they be working for you—or against you?

Let’s talk about how to make quantum work for your team. Contact us to explore in-person and virtual options tailored to your needs!

Is That QR Code Safe? What You Need to Know About the Cyberthreat Quishing


In our fast-paced, tech-driven world, QR codes have become second nature. We scan them to check out restaurant menus, access Wi-Fi networks, or join virtual events. But beneath their convenience lies a potential cyber threat that’s catching many off guard: Quishing.

Quishing—short for QR code phishing—is a sneaky variant of the classic phishing scam. Picture this: you’re at a cozy café, scanning a QR code to browse the menu. It feels harmless, even mundane. But hidden within that innocent-looking grid could be a link to a malicious website, ready to steal your personal information or unleash malware onto your device.

How Quishing Works

Cybercriminals embed harmful links into QR codes and strategically place them in unsuspecting locations:

  • Public bulletin boards
  • Flyers
  • Transport hubs
  • Online ads
  • Even restaurant tables

These codes often redirect you to phishing sites that mimic legitimate websites. Once you’re there, you might unknowingly hand over sensitive information like passwords, credit card details, or even trigger malware downloads.

Spotting Suspicious QR Codes

Knowing how to recognize potential threats is key to staying safe. Watch out for these red flags:

  1. Unknown Origin: If a QR code appears in an unexpected location or looks unprofessional, think twice before scanning it.
  2. Too-Good-To-Be-True Offers: Scammers often lure victims with promises of amazing deals or exclusive gifts.
  3. Requests for Personal Information: If a scanned code leads you to a page asking for sensitive details right away, it’s a major red flag.

Protect Yourself from Quishing

A few proactive measures can go a long way in keeping you safe:

  1. Verify the Source: Only scan QR codes from trusted entities, such as well-known brands or official communications.
  2. Use Secure QR Scanners: Many modern smartphones come with built-in security features to detect malicious links. Take advantage of these tools.
  3. Close Suspicious Websites: If a scanned QR code leads to a dubious website, close it immediately. Avoid clicking on any links.
  4. Keep Software Updated: Regularly update your device’s operating system and apps to ensure they’re equipped with the latest security patches.

Real-World Quishing Scams

Quishing isn’t just theoretical—it’s happening now. Here are two notable examples:

  • Public Transport Scam: In one major city, scammers replaced QR codes on transport kiosks with their own malicious codes. Commuters who scanned them were directed to phishing sites that stole credit card information.
  • Concert Fraud: Fake posters for a popular concert included QR codes leading fans to a bogus ticketing site. Attendees paid for tickets that never arrived, losing both money and trust.

Stay One Step Ahead

In this digital age, vigilance is your best defense. If a QR code seems suspicious or makes you hesitate, trust your gut. By learning to spot the signs of quishing and practicing safe scanning habits, you can outsmart cybercriminals and keep your personal information secure.

So the next time you’re tempted to scan a QR code, ask yourself: Is it worth the risk? A little caution today can save you a world of trouble tomorrow.

PS: Freely scanning any QR code that pops up is one bad habit; make sure you’re not committing these other Bad Cybersecurity Habits: https://sileo.com/bad-cybersecurity-habits/.

The Future of Online Security: How Passkeys Can Protect Your Loved Ones

When you cut through the technical jargon (which can sometimes feel a little intimidating or dull), cybersecurity boils down to one simple truth: it’s about safeguarding the people we care about most. That’s the heart of the advice I give to my two grown daughters—practical, no-nonsense tips to help them stay safe in an increasingly digital world. Today, I’m passing those same tips along to you so you can protect the ones you love, too.

Let’s talk about passkeys—the smarter, stronger, and safer alternative to traditional passwords. They’re designed for busy people who want top-notch security without the hassle.

Here’s everything you need to know about passkeys and why they’re a game-changer for your digital safety:

Why Use Passkeys?

While passwords have served us well, they’re no longer enough to combat today’s sophisticated online threats. Passkeys offer a major leap forward in digital security by addressing the main flaws of traditional passwords:

  1. Phishing-Proof
    Phishing attacks—where scammers trick you into entering your password on fake websites—are among the most common online threats. Passkeys eliminate this risk entirely because:
    • You don’t manually enter them.
    • Only legitimate websites can validate passkeys.

In other words, a phishing site can’t steal what you never type.

  2. Breaks Bad Habits
    Many people reuse passwords across multiple sites or choose weak, easily guessable ones. Passkeys, however, are unique to each service, so:
    • No two services share the same login credentials.
    • There’s no temptation to reuse old, insecure passwords.

This automatic uniqueness ensures your accounts stay secure, even if one service is compromised.

  3. Data-Breach-Proof
    Even if a website is hacked, the public key stored on the site is useless to attackers without your private key. And because your private key never leaves your device, it can’t be exposed in a data breach.
  4. Convenient and Safe
    Passkeys offer the best of both worlds: they’re as secure as two-factor authentication (2FA) but without the extra hassle. With a passkey, you:
    • Log in with just your fingerprint, face, or PIN.
    • No longer need to manage complex passwords or remember dozens of logins.

How to Start Using Passkeys

Setting up passkeys is easier than you think. Follow these steps to integrate them into your digital life:

  1. Set up a passkey with major retailers like Amazon
  2. Set up a passkey with all of your banks (Wells Fargo)
  3. Set up a passkey for your Microsoft & Apple accounts 

Use Your Passkey Across Devices
Switching between devices is easier than ever. Sync your passkeys using cloud services like iCloud Keychain or Google Password Manager. This ensures you always have access to your accounts, no matter where you are.

Why Passkeys Are a Smart Choice
In today’s fast-paced world, security should be simple. Passkeys make online security easier by:
• Reducing the need to remember complex passwords
• Eliminating worries about phishing and data breaches
• Minimizing the risks associated with weak or reused passwords

For me, passkeys are an easy “yes.” They offer peace of mind while keeping my loved ones safe online. That’s why I’ve already encouraged my daughters to adopt this technology—and now, I’m encouraging you to do the same.

What’s Next? Start Protecting Your Loved Ones
Cybersecurity doesn’t need to be complicated or intimidating. By switching to passkeys, you’re taking a major step toward safeguarding yourself and your family from online threats.

Whether you’re helping your kids set up their first email account, securing your partner’s online banking, or simplifying your own digital life, passkeys are the key to a safer, smarter, and more convenient future.

Ready to get started? Next time you log into a service, look for the passkey option—it might be the best decision you make for your family’s online safety.

PS: In case you missed it, make sure you’re also aware of the One Smartphone Security Tool You Might Be Missing.

One Smartphone Security Tool You Might Be Missing

You’re already aware that credit card payments are safer than debit cards and checks, right? If someone spends fraudulently on your card, you call the credit card company and POOF! they make it disappear. But if you’re ready to elevate your security game even further, it’s time to tuck away that plastic card and start paying with your smartphone. Why, you ask? Because smartphone payments work a bit like Harry Potter’s invisibility cloak, effectively masking your identity from a horcrux full of hackers. (Side note: You might need to read all seven Harry Potter books to fully appreciate this metaphor.)

Let’s dive into the magical world of mobile payments, starting with Apple Pay for the iPhone users frequenting places like Honeydukes to grab some Pixie Puffs.

Setting Up Apple Pay on Your iPhone (Full Apple Instructions Here):

  1. Open Wallet App: On your iPhone, open the Wallet app. If you don’t have it on your home screen, you can find it by swiping down and using the search feature.
  2. Add a Card: Tap the plus sign to add a new card. You can either scan your credit card with the camera or enter the details manually.
  3. Verify Your Card: Depending on your bank, you might need to verify your card via a text message, email, or a call to your bank.
  4. Secure It: Once added, your card is secured with Face ID, Touch ID, or a passcode. Unlike a physical credit card, this digital lock must be unlocked to access and use your card.
  5. Ready to Pay: At the register, double-click the home button or side button to bring up your Wallet, authenticate, and then hold your phone near the payment terminal.

When you tap to pay at Honeydukes, Apple Pay doesn’t just send your actual credit card number across the ether. Instead, it conjures up an encrypted virtual account number that cloaks your real one, keeping your private payment details hidden from the prying eyes of dark wizards—aka hackers. Plus, your information is never transmitted or stored on the retailer’s servers, fortifying your defenses against breaches.

Like its Apple counterpart, Google Pay also provides an excellent defense against the dark arts of the digital world. Before approving the payment, your bank or card issuer verifies the dynamic security code—unique to your device—to make sure it’s you who’s casting the spending spell.

Setting Up Google Pay on Android Phones (Full Google Instructions Here):

  1. Download Google Pay: Ensure that Google Pay is installed on your Android device. You can download it from the Google Play Store if it’s not already installed.
  2. Open Google Pay & Add a Card: Launch Google Pay and tap on “Payment” at the bottom, then tap the “+” sign to add a credit or debit card.
  3. Verify Your Card: As with Apple Pay, you may need to verify your card through your bank with an SMS, email, or phone call.
  4. Secure Your App: Set up a screen lock if you haven’t already. Google Pay requires this as an extra layer of security.
  5. Make a Payment: Wake up your phone and hold it near the payment terminal until you see a check mark indicating that your payment was successful.

Setting up digital payments might feel like preparing for a trip to Diagon Alley, but it’s worth it. Paying with your phone is not just fast and secure—it’s also, let’s face it, pretty darn magical. Whether you’re wielding an iPhone or an Android, your smartphone is now the most enchanted item in your pocket, shielding you from the dark forces lurking in the shadows of digital transactions.

Does your organization need to up-level its smartphone and overall online security? Reach out to explore in-person or virtual keynotes that are fun, informative and necessary in our digital world, where things change in the blink of an eye.

Did You Hire a Hacker? The Latest Cyberattack Starts Inside Your Organization

If you’re as chronologically mature as I am, you already know the take-your-breath-away punchline to the 1979 horror film “When a Stranger Calls”. For cinephile newbies, let me set the scene.

This cult thriller follows Jill Johnson, a young woman being terrorized by a psychopathic killer… while BABYSITTING. The stalker’s torture of choice is to ring Jill repeatedly on a phone that still had a cord and whisper odd things like “Have you checked the children?” I don’t even have children, and that scares the babysitters out of me. Oh, I do have children. Clearly, mom and dad didn’t prep her for this date-night disaster.

After a mind-numbing series of creeper calls and ominous music, Jill wisely barricades herself inside the Mandrakis home with a series of locks, deadbolts and sliding security chains reminiscent of your favorite Howard Johnson. She dims the lights, pulls the drapes and calls the police to have them track the source of the call. She is one aware au pair!

Fast forward to the final phone call of that fateful night, which happens to be from the policeman who’s been tracing the killer’s calls. The call is coming from inside the house. Mr. 1970s psycho-killer (qu’est-ce que c’est) is already in the house, and Jill and the tater tots are just, shall we say, DYING to get out. For you chronological newborns, the more recent thriller Scream paid homage to this cult favorite, as did Rick and Morty.

And you ask, what, pray tell, does this have to do with the latest and greatest cyber threats that seek to separate me from my profits and reputation? I’ll tell you, but in my serious voice.

The coming attraction in the world of cyber horror happens to be hackers and corporate spies gaining INSIDER access to the confidential systems of unprepared organizations. Insider theft is the hacker’s way of adapting to the technological barricades we have put in front of our critical data. If they can’t get around it, they find a way to get invited in to babysit. In other words, when it comes to ransomware attacks and hacking, deepfakes and intellectual espionage, the call is coming from inside your house.

Here’s how the inside job often works. Most businesses are STARVED for cybersecurity staff, because we have a worldwide shortage of qualified candidates. Hackers funded by rogue nations seek to fill that void. Due to the remote nature of cyber work, the ease of masking one’s worldly whereabouts, and a skillset honed while hacking US businesses, it’s easy for North Korean, Chinese, and Russian hackers to get legitimate jobs INSIDE US businesses. And once they’re in a trusted position, they have unfettered access to all your data, because you willingly gave them the keys to the house when you hired them to babysit your security.

Those of you who’ve been in one of my keynotes know that I use blockbuster movies and the formula they follow as a framework for how to repel the latest cyberattacks. Which means that you already know the answer to the quiz: your HEROES, your people, are the ONLY thing standing between you and successful insider theft.

The solution, of course, is to effectively train your people to pause and verify before they hand over the keys. And by effectively, I mean that you must make security awareness training entertaining and relatable so that they remember what you taught them after the movie is over. You need to let them know how artificial intelligence has raised the Hacker’s game and how to combat it and you need to make it personal. And that’s my specialty. I hope you’ll ring me for a keynote to update your organization on the latest threats so that you don’t become the next Blockbuster horror flick. I’ll deliver a keynote presentation your people won’t forget.

John Sileo is a cybersecurity author, expert and keynote speaker fascinated by how A.I. accelerates everything, including crime. His clients range from the Pentagon to Amazon, small businesses to large associations. John has been featured on 60 Minutes, Fox & Friends and even cooking meatballs with Rachael Ray. His latest keynote speech is Savvy Cybersecurity in a World of Weaponized A.I. Contact Us or call for details: 303.777.3221.

Cybersecurity Alert: UnitedHealth’s Billion Dollar Data Breach

One in three Americans recently had their healthcare data hacked from UnitedHealth – TWICE. The stolen data likely includes medical and dental records, insurance details, Social Security numbers, email addresses and patient payment information.

UnitedHealth Group’s subsidiary, Change Healthcare (which processes an estimated 50% of all health insurance transactions in the U.S.), fell victim to a ransomware attack that thrust the U.S. healthcare system into chaos as pharmacies, doctor’s offices, hospitals and other medical facilities were forced to move some operations to pen and paper.

Behind the scenes, UnitedHealth Group chose to pay the BlackCat ransomware gang (aka ALPHV) an estimated $22 million in blackmail ransom to restore system functionality and minimize any further leakage of patient data.

Problem (expensively) solved, right? Not even close. After UnitedHealth paid the initial ransom, the company (or quite possibly BlackCat itself, hacked by other hackers) reportedly experienced a second attack at the hands of RansomHub, which allegedly stole 4TB of related information, including financial data and healthcare data on active-duty U.S. military personnel.

To take the breach and ransom to an entirely new level, RansomHub is now blackmailing individual companies who have worked with Change Healthcare to keep their portion of the breached data from being exposed publicly. For many small providers, the ransom is far beyond what they can afford, threatening the viability of their business. Some of the larger individual providers being blackmailed are CVS Caremark, MetLife, Davis Vision, Health Net, and Teachers Health Trust.

As of today, even with millions of dollars collected by the hackers, all systems are not up and running.

There are three critical business lessons to take from the UnitedHealth breach:

  1. Ransom payments do not equal the cost of breach. The ransom amount companies pay is a fraction of the total cost of breach. In UnitedHealth’s case, they paid a first ransom of $22 million, but only months into the breach have reported more than $872 million in losses. Operational downtime, stock depreciation, reputational damage, systems disinfection, customer identity monitoring, class action lawsuits, and legal fees will move the needle well beyond $1 billion within the fiscal quarter. Risk instruments like cyber liability insurance can balance the losses, but prevention is far more cost-effective.
  2. There is no honor among thieves. Even when organizations pay the ransom demanded (and in the rare case that they get their data back fully intact), there is no guarantee that the cybercriminals won’t subsequently expose samples of the data to extort a second ransom. In this case of Double-Dip Ransomware (as I call it), a dispute among partnering ransomware gangs meant that multiple crime rings possessed the same patient data, leaving UnitedHealth open to multiple cases of extortion. Paying the ransom instead of having preventative recovery tools places a larger target on your back for future attacks. If you haven’t implemented AND tested a 3-2-1 data backup plan and a Ransomware Response Plan, do so immediately.
  3. The Human Hypothesis on the Source of Breach. There has been no disclosure to date on exactly how the hackers got into Choice Health’s systems, but my highly educated guess (from seeing so many similar breaches) is that an employee of, or third-party vendor to, UnitedHealth was socially engineered (scammed) into sharing access to one of their business IT systems. The company will generally report this human oversight and poor training as “compromised credentials,” which tries to make it look like a technological failure rather than a human decision. From there, the hackers “island hopped” laterally to increasingly critical servers on the network. It’s likely that the cyber criminals are still inside of key systems, hiding behind sophisticated invisibility cloaks.

The solution here is to make sure that the heroes in your organization, the human employees who are your first and best line of defense, are properly trained on how to detect and repel the latest social engineering attacks. Over 90% of all successful attacks we see are due to a human decision that leads to malicious access.

All organizations and leadership teams must ensure your Security Awareness Training addresses all the changes that artificial intelligence brings to the cyberthreat sphere. To ignore the alarm bells set off by UnitedHealth Group’s disastrous breach is to risk your organization falling ill to a similar fate.

Anyone in your organization can be the unfortunate catalyst that triggers a disastrous data breach similar to UnitedHealth’s. My latest keynote, Savvy Cybersecurity in a World of Weaponized A.I., teaches the root cause of successful social engineering scams and necessary technological preparation for ransomware attacks. REACH OUT TO MY TEAM TODAY to discuss this vital topic at your next meeting or event.

If you are a patient of UnitedHealth, Change Healthcare, OptumRx or any of their subsidiaries, take the following steps immediately:

  1. Visit the Cyberattack Support Website that UnitedHealth Group established for affected customers.
  2. Make sure that you have a Credit Freeze on your Social Security Number.
  3. If you are an OptumRx customer, call them directly (1-800-356-3477) to make sure that your prescriptions haven’t been affected and that they will ship on time.
  4. Monitor all of your health and financial accounts closely for any changes or transactions. Create automatic account alerts to make this easier.


John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

A.I. Deepfake Posing as the CFO Scams $25 Million: How to Protect Your Organization from the Exploding Deepfake AI Cyber Scam

Deepfakes use Artificial Intelligence (A.I.) to create fake, hyper-realistic audio and video that is generally used to manipulate the viewer’s perception of reality. In most deepfakes, the legitimate person’s face or body has been digitally altered to appear to be someone else’s. Well-known deepfakes have been created using movie stars and even poorly produced videos of world leaders.

Removing the malicious part of the definition, deepfakes have been used in the film industry for quite some time to de-age actors (think Luke Skywalker in The Mandalorian) or resurrect deceased actors for roles or voiceovers (think Carrie Fisher in Rogue One – okay, can you tell I’m a Star Wars geek?). Cybercriminals have latched on to the technology, using AI-generated deepfakes in conjunction with business email compromise (also known as whaling and CEO fraud) to scam organizations out of massive amounts of money.

Just recently, a finance worker at an international firm was tricked into wrongly paying out $25 million to cybercriminals using deepfake technology to pose as the company’s Chief Financial Officer during a video conference. And it wasn’t just one deepfake! The fraudsters generated deepfakes of several other members of the staff, removing any red flags that it wasn’t a legitimate virtual meeting. As a subordinate, would you refuse a request from your boss that is made face-to-face (albeit virtually)? You might be savvy enough, but most employees aren’t willing to risk upsetting their boss.

The days of just sending suspicious emails to spam are over; that alone is no longer adequate. Our Spidey Sense (the B.S. Reflex I talk about in my keynotes) must be attuned to more than business email and phone compromise. We have entered the age of Business Communication Compromise, which encompasses email, video conferences, phone calls, FaceTime, texts, Slack, WhatsApp, Instagram, Snap and all other forms of communication. It takes a rewiring of the brain: DO NOT BELIEVE WHAT YOU SEE. AI is so effective and believable that workers may even feel like they are being silly or paranoid for questioning a video’s validity. But I’m sure, as the employee who lost their organization $25M can attest, it’s way less expensive to be safe than sorry.

The solution to not falling prey to deepfake scams is similar to the tools used to detect and deter any type of social engineering or human manipulation. Empowering your employees, executives and customers with a sophisticated but simple reflex is the most powerful way to avoid huge losses to fraud. When you build such a fraud reflex, people will be less likely to ignore their gut feeling when something is “off.” And that moment of pause, that willingness to verify before sharing information or sending money, is like gold. These are the skills that I emphasize and flesh out in my newly-crafted keynote speech, Savvy Cybersecurity in a World of Weaponized A.I.

Get in touch if you’d like to learn more about how I will customize a keynote for your organization to prepare your people for the whole new world of AI cybercrime. Contact Us or call 303.777.3221.

John Sileo Lost Nearly Everything to Cybercrime

John’s Story of Loss Inspires Organizations to Take Action

John Sileo lost his multi-million-dollar startup, his wealth, and two years of his life to cybercrime. It began when a hacker electronically embezzled from the company’s clients using John’s identity. John was initially held legally and financially responsible for the felonies committed. The losses not only destroyed his company and decimated his finances, but consumed two years of young fatherhood as he fought to stay out of jail.

But John’s story has a happy ending and has become a worldwide catalyst for change. Since being found innocent of all crimes (and the real hacker put in jail), John has made it his life’s work to share hard-earned wisdom as a cybersecurity expert, award-winning author, 60 Minutes guest, and keynote speaker. His happy clients range from the Pentagon to Amazon, small associations to enterprise organizations. His mission is to keep others from becoming the next disastrous data breach headline. John specializes in the human elements of cybersecurity and uses disarming humor, audience interaction, and cutting-edge research to keep his training relevant and entertaining.

John is President & CEO of The Sileo Group, a Colorado-based technology think tank, and serves on a variety of boards. He graduated with honors from Harvard University and was recently inducted into the National Speakers Hall of Fame. John finds his greatest joy in spending time with the loves of his life: his wife, two daughters, and mini golden doodle. And yes, life’s bumps have shaped him into a slightly over-protective but well-intentioned helicopter dad.

Cybersecurity Keynote Speaker John Sileo Video

Fear alone is not enough to engage your audience to make changes to their personal and professional cybersecurity posture. In my presentations, I like to use a healthy dose of humor, audience interaction, wow moments (like a live smartphone hack), my own personal story of losing everything to cybercrime and any means to make this crime personal to the audience. Call and talk to me about how I will customize for your industry and audience. 303.777.3222

How Hackers Use A.I. to Make Fools of Us (& Foil Security Awareness Training)

In a bit of cybercrime jujitsu, A.I.-enabled hackers are using our past security awareness training to make us look silly. Remember the good old days when you could easily spot a phishing scam by its laughable grammar, questionable spelling and odd word choice? 

“Kind Sir, we a peel to your better nurture for uhsistance in accepting $1M dollhairs.” 

Or how about fear-based emails with an utter lack of context from a Gmail account linking to suspicious “at-first-glance-it-looks-real” URLs: 

“Your recent paycheck was rejected by your bank! Please click on definitely-not-a-scam.com [disguised as your employer] and give us the entirety of your sensitive financial information”  

Well, those tools no longer work.

Here’s the deal: Hackers use A.I., or more specifically Gen A.I. (Generative Artificial Intelligence), to turn outdated phishing detection tools on their heads by empowering them to tailor perfectly crafted, error-free, emotionally convincing emails that appear to come from a trusted source and reference actual events in your life. Giving A.I. to cybercriminals is like handing your five-year-old a smartphone – they’re better at it than you will ever be.

A.I.-augmented phishing emails are designed to trigger your trust hormone (oxytocin, not to be confused with OxyContin) by systematically eliminating all of the red flags you learned during your organization’s cybersecurity awareness training. So, when an employee receives a well-crafted, error-free email from a friend that references recent personal events, past cybersecurity awareness training actually encourages them to click on it.

To make matters worse, if the hacker happens to have access to breached databases about you, like emails compromised during a Microsoft 365 attack, they become the Frank Abagnale of phishing (the world’s most famous impersonator, if you don’t know who he is). Criminals can easily dump breached data into a Large Language Model (LLM) and then ask A.I. to compose a phishing campaign based on your past five emails.

A.I. software allows even novice cybercriminals to scrape your relationships, life events and location from social media, combine it with personally identifying information purchased on the dark web, and serve it up to your email or text as if it originated from someone you trust. It’s like having your own personal stalker, but it’s a cyborg that understands your love of blueberry cruffins and ornamental garden gnomes. (Ok, maybe those are my loves, not yours.)

The reality is that hackers are no longer crafting the emails one by one; it’s artificially intelligent software doing millions of times per day what nation-state hackers used to spend months doing to prepare spear-phishing campaigns. And it means that phishing and business email compromise campaigns will eventually appear in your inbox as often as spam. And that threatens your bottom line. 

Let’s get serious for a hot minute. For those of you who have attended one of my cybersecurity keynotes, here is a comprehensive and organized approach to the steps your organization should begin taking as outlined by the Blockbuster Cyber Framework:

  1. HEROES (Your people): Immediately retrain your people to properly identify, verify and distinguish harmful phishing and social engineering schemes from legitimate communication. This requires new thinking applied to old reflexes. 
  2. STAKES (What you have to lose): Identify which data is the most sensitive, profitable, and targeted by ENEMIES, and prioritize its defense. You can’t protect everything, so protect the right things first. 
  3. SETTING (Your technology):
    • Implement defensive software tools like A.I.-enhanced spam filtration that helps detect phishing emails. Generative A.I. is brilliant at detecting patterns, and that will make identifying even the most well-crafted phishing campaigns somewhat easier.
    • Properly segment and segregate your network so that access to one area of your data doesn’t expose others.
  4. GUIDES (Experts in the field): Hire an external security assessment team (not your I.T. provider) to evaluate your technological and human defenses and known vulnerabilities. Internal teams have less incentive to discover their own mistakes.
  5. PLAN (Pre-attack and post-attack next steps): Develop a prevention roadmap before the ATTACK and an Incident Response Plan that lets you know exactly who to call and how to respond when a successful phishing attack occurs (because it will). Preparation is the greatest form of mitigation. 
  6. VICTORY (When you don’t end up on the front page): When nothing bad happens, reward your people. Throw a party for your team, because nothing says “thank you for not clicking on that profit-destroying scam” like a rowdy office shindig. Incentivizing good behavior is just as critical to your culture of security as retraining after someone mistakenly clicks on a phishing email. 

Cybercrime is constantly changing and now A.I. enables every attack type to scale. Make sure your cyber defenses and people don’t end up being the fool. 

John Sileo is a cybersecurity author, expert and keynote speaker fascinated by how A.I. accelerates everything, including crime. His clients range from the Pentagon to Amazon, small businesses to large associations. John has been featured on 60 Minutes, Fox & Friends and even cooking meatballs with Rachael Ray. His latest keynote speech is Savvy Cybersecurity in a World of Weaponized A.I. Contact Us or call for details: 303.777.3221.