Date: 2024-09-12

Cybercriminals are diving into AI to craft powerful and customized social engineering schemes. Ranging from deepfakes to mass-produced AI-generated phishing emails, this novel technology has evolved into a powerful weapon in the toolkits of malicious actors everywhere.

How AI assists phishers and social engineers

There are myriad ways cybercriminals are using generative AI and related tools to uplift their social engineering schemes:

Automatic content creation: Traditional email spam filters struggle to detect phishing emails created by natural language processing models because these emails are not only grammatically correct, but also contextually relevant, making them highly convincing.

AI-generated phishing emails have the same 60 percent success rate as those crafted manually.

Phishing personalization: AI tools make it too easy for anyone to collect and analyze personal information (photos, audio, workplace, job history, location, interests, associations) from social media and other online sources. Threat actors deceive victims because their phishing emails are highly personalized, making them all the more convincing.

Shape-shifting phishing websites: AI can automate the creation of fake websites that mimic legitimate ones. Some AI-powered websites can even adapt in real-time by dynamically changing their appearance and behavior in order to evade detection and appear more authentic, thereby increasing the chances of users entering their credentials.

Deepfake technology: Generative AI has the power to fabricate audio and video imitations of individuals, commonly known as deepfakes (or synthetic media). These impersonations are exploited by threat actors to persuade their victims to disclose sensitive information such as their login credentials. Scammers are also using generative AI to initiate robocalls, texts and messages at scale.

AI malware: Phishing emails are known to contain malicious attachments. With AI, cybercriminals can design more powerful and evasive malware that alters its behavior based on the target’s profile and systems. For example, by analyzing what type of attachments a targeted victim interacts with, threat actors can design harmless-looking, weaponized documents that are preloaded with malicious code concealed inside.

Use AI to deliver smarter security awareness training

Cybersecurity vendors are increasing AI adoption to improve threat detection and response capabilities. That said, technical controls are not particularly effective against user-manipulative threats like social engineering. A primary defense, human intuition, is far more powerful, and this can only be developed through continuous and sustained security awareness training (SAT) efforts.

AI can be leveraged to improve SAT programs in the following ways:

Training automation: Security awareness training boosted by AI can simplify the tasks done by training administrators. Picture an AI-driven, adaptive learning scenario that can assign training modules to individuals automatically, based on their training performance and history. Following the training, AI can support reinforcement of these modules by autonomously generating quizzes, animations, and games.

Optimized phishing simulations: An AI-driven recommendation engine has the capability of acting as a personalized AI phishing assistant, automatically selecting the most appropriate phishing test for each user at specific times, such as during tax season and holiday periods. Picture being able to design customized phishing strategies for every user, utilizing simulated phishing tests that are specifically adapted to the individual’s level of security knowledge, performance, maturity, and aptitude.