Phishing attacks, the fraudulent emails, text messages, phone calls or websites designed to trick individuals into downloading malware or revealing sensitive information such as financial details or login credentials, have undergone a significant transformation in recent times.
A driving force behind this is Artificial Intelligence (AI). AI is a double-edged sword for cyber security professionals. It has given defenders advanced tools to detect and respond to threats more quickly, but cyber criminals have harnessed the same capabilities to orchestrate more complex and targeted phishing attacks, making their messages far more convincing and effective.
Threat actors can use large language models (LLMs, a type of AI system) to create very convincing messages. LLMs are trained on vast amounts of text gathered from sources across the internet, which lets threat actors remove the more obvious signs of phishing, such as poor grammar and spelling mistakes, and add native-speaker idioms and house style to fool even the most observant recipient. Once those textual tells are gone, detection has to rest on signals the attacker cannot polish away: whether the sending domain is authenticated, whether it is a lookalike of a trusted one, and whether a link's visible text matches where it actually leads.
Further, AI-driven automation means threat actors can scale up their attacks with little additional effort. Various stages of a phishing campaign can be automated, from writing the emails to varying them so that they evade traditional content-based email filters. This scalability increases the likelihood of successful user compromise, credential theft and infiltration of an organisation's network, extending the reach and potential impact of phishing attacks.
Spear-phishing attacks, which target specific individuals within an organisation, have also become more prevalent. AI-powered tools can scrape and analyse publicly available information and social media profiles, then craft tailored messages that establish familiarity and exploit trust. This again makes these threats hard to detect for traditional perimeter security measures, email filters and the targeted individuals themselves.
How can we defend against these evolving threats? Kay Hargreaves, principal cyber risk consultant for Crawford Risk Consulting, advises:
“In the simplest terms, cyber security professionals need to beat the threat actors at their own game, by leveraging AI-driven solutions to bolster their own defences.”
Implementing AI-powered email filters, behaviour analytics and threat intelligence platforms can help identify and mitigate sophisticated phishing attempts. These work best alongside deterministic controls that do not depend on the wording of a message, such as enforcing SPF, DKIM and DMARC on inbound mail and flagging lookalike sender domains.
But what about our people? 74% of data breaches involve the human element [Source: Verizon Data Breach Investigations Report 2023], and as Kay explains, “People can present the biggest risk to a business; we can be easily deceived, we make mistakes, we are fallible human beings. So ongoing education is critical. A single online training module done once per year is just not going to do the job.”
Computer-based training can, of course, be an excellent method, but it should be interactive and engaging, with a test at the end, results fed back to senior management, and defined action plans for non-completion and repeated failures.
Keeping staff alert to cyber security matters is essential. Companies may consider issuing a regular newsletter that highlights trending topics in the cyber space, such as new types of phishing emails being sent out. Increasing the frequency of alerts around holiday periods is also a good idea, as phishing attempts usually spike at these times. Specific training for high-risk departments (e.g. finance/accounts, HR) should be in place, along with periodic phishing simulation exercises across the whole business to test whether the controls and the training are working. Together these techniques form a continual programme of education for employees, which fortifies an organisation's defences against the complex threats we are seeing and improves resilience.
If you would like further information or guidance on reducing the impact of phishing attacks, employee training or any other aspect of cyber risk management, please get in touch with us via email at Risk_Consulting@crawco.co.uk.