Phishing attacks have seen an unprecedented exponential growth in the fourth quarter of 2022. According to a report by security firm SlashNext, there has been a staggering 1265% increase in malicious phishing emails, with a further 967% rise in credential phishing.
Research based on company threat data and a survey of over 300 North American security experts has revealed that cybercriminals are now utilizing generative artificial intelligence tools like ChatGPT to craft sophisticated and targeted fraudulent messages for business email compromise (BEC) and other phishing scams.
The study found that an average of 31,000 phishing attacks were being launched daily. Almost half of the surveyed security experts reported falling victim to BEC scams, while 77% stated that they had been targeted by phishing attacks.
These findings highlight the concerns surrounding the use of generative artificial intelligence in the proliferation of phishing. Patrick Harr, the CEO of SlashNext, emphasized the impact of AI in enabling malicious actors to increase the speed and variation of their attacks by altering malicious code or creating thousands of variations of socially engineered attacks to maximize their chances of success.
The research also highlighted the rapid growth of AI-driven threats, particularly in terms of speed, volume, and sophistication, as stated by Harr. He mentioned that the launch of ChatGPT coincided with the exponential rise of malicious phishing emails, emphasizing how generative AI chatbots have provided seasoned attackers with the means to launch targeted phishing attacks on a larger scale while restricting access to less experienced criminals.
Besides the use of generative artificial intelligence, another key factor contributing to the surge in phishing attacks is their effectiveness. Referring to an FBI report on cybercrime, Harr noted that BEC scams alone caused approximately $2.7 billion in losses in 2022, with other types of phishing causing losses of $52 million.
When asked about the real impact of generative artificial intelligence on criminal group activities, experts from SlashNext affirmed, based on their research, that malicious actors utilize tools like ChatGPT to create and rapidly spread sophisticated targeted email messages, including BEC attacks.
In the history of phishing attacks, spam emails were often poorly written and almost unintelligible. However, today’s phishing emails appear extremely convincing, mimicking the tone of those they seek to impersonate or resembling official correspondence from trusted sources such as government agencies and financial institutions.
Through artificial intelligence, cybercriminals analyze previously written emails and other publicly available information in order to make their messages more persuasive. For instance, a criminal may utilize AI to generate an email tailored to a specific employee, posing as their boss or supervisor and referencing a company event or relevant personal detail, thus making the email appear authentic and trustworthy.
Security experts and managers can take various steps to counter and respond to the escalating attacks, according to Chris Stefan, the Director of Research at Enterprise Management Associates. One such step is providing continuous training and education to users.
“Security experts should consistently warn users about this threat; a one-time reminder won’t suffice. They need to build upon this training and foster a security-aware culture, wherein users view security as a business priority and feel comfortable reporting suspicious emails and security incidents,” Stefan emphasizes.
Implementing email filtering tools that utilize machine learning and artificial intelligence to detect and block phishing emails is also good practice. “These solutions need to be constantly updated and aligned with ever-evolving threats and advancements in AI technology,” Stefan adds.
Organizations should also regularly test and conduct security audits on vulnerable systems. “Testing is necessary to identify vulnerabilities and weaknesses in an organization’s defense, as well as in employee training, and promptly address known issues to minimize the attack surface,” Stefan concludes.
Frequently Asked Questions (FAQ)
What is phishing?
Phishing is an internet scam that typically takes place through email messages or fake websites. Attackers pretend to be legitimate organizations in order to trick victims into divulging sensitive information, such as usernames, passwords, credit card numbers, and other personal data.
What is generative artificial intelligence?
Generative artificial intelligence is a type of AI that uses algorithms to generate new content, such as text, images, or sounds, that appears authentic. These systems are trained using vast amounts of existing data to create new resources similar to that data.
What is Business Email Compromise (BEC)?
Business Email Compromise (BEC) is a form of fraud in which attackers use fake email messages to impersonate employees or business partners and deceive victims into performing unauthorized transactions, such as making payments to fraudulent bank accounts. This type of fraud often involves targeted attacks on financial institutions and businesses.
How to protect against phishing attacks?
Here are some steps you can take to protect yourself against phishing attacks:
– Be cautious when opening and responding to email messages, especially if they contain suspicious links or request the disclosure of sensitive information.
– Verify the email addresses of suspicious messages to ensure they come from legitimate sources.
– Avoid clicking on suspicious-looking links in email messages. Instead, manually enter the website address into your browser.
– Regularly update and use antivirus and security software.
– Educate yourself and others on the signs of phishing and how to recognize them.
SOURCE: SlashNext (https://slashnext.com)