Acrelia Email Marketing Platform
Phishing with Artificial Intelligence: risks and how to protect yourself

Category: Email Marketing

Fraudulent mailings to steal information from the recipient are known as phishing. To do this, cybercriminals impersonate an easily recognisable sender and ask the user for private data, such as passwords or bank account access details. Most of these emails can be identified by paying attention to certain details, but artificial intelligence (AI) is making it increasingly difficult to spot the scam.

What are the risks of phishing with artificial intelligence?

Poor wording, a sense of urgency or attachments that bypass the antivirus are the most common characteristics of a fraudulent communication. But users are evolving and learning to detect phishing, so phishing is also becoming more sophisticated and refined, to avoid being given away by the mistakes that are obvious today.

AI is used by cybercriminals to make their messages more credible so that more people fall for their scams. Their goal is to make money, and they achieve this by using both off-the-shelf AI tools and specific tools available on the dark web. Not all GPTs take privacy or even ethical conflicts into account when providing answers and generating content, so they can be used to create fraudulent emails quickly and easily.

AI-generated phishing has the characteristic of being more personalised. While traditional phishing includes generic information in the hope that it will match the recipient's information, artificial intelligence can extract much more data, for example from social networks or purchase history, and apply it to the content of the message. It is also very easy for it to replicate the corporate image both in the communication and in the landing page to which the user is sent. This makes it easier to trust the sender and do what they ask, such as filling in a form with personal details so that an account, shipment or bank card is not blocked.

AI can be used to create fake content, such as deepfake images or videos, and also to pretend to be real people and mimic the way an acquaintance speaks. It is not only companies that are at risk of having their identity spoofed, but also the contacts of the recipients. In addition, cybercriminals can automate the generation of phishing messages, making the volume of phishing messages much higher than it was a few years ago.

It is becoming increasingly difficult to detect fraudulent emails; traditional systems are not yet fully equipped to identify AI-generated messages because they appear legitimate. This can lead to brands seeing their own customers lose trust in them and their reputation diminish, even if it is not directly their fault. This is why measures need to be put in place to protect both users and businesses from these attacks.

How to protect against AI phishing

Users should put in place measures to protect themselves against any type of cyber-attack, including phishing created by artificial intelligence. Recommended best practices include, among others:

  • Pay particular attention to the email addresses of senders, and verify their identity through another channel if in doubt.
  • Avoid interactions with unknown senders, such as clicking links or downloading unsolicited files.
  • Always keep antivirus and firewall software updated. Their vendors are often up to date with the latest techniques, so you can also follow their news.
  • Use two-step verification, password managers and security codes to make it difficult to access sensitive information.
  • Heed information campaigns from your trusted brands, for example, reminders that they will never ask for your passwords or contact you by email to ask you to verify your identity.

For their part, businesses also have some resources to protect themselves from AI phishing attacks. The main one is domain authentication with DMARC so that there is no doubt who the sender is. Remember that Google and Yahoo! have already made it mandatory to use SPF, DKIM and DMARC protocols, so it is more difficult for fraud to come from those addresses.

It is also necessary to protect mail servers with firewalls and anti-phishing filters, in addition to keeping systems up to date so that there are no security problems. For bulk mailings, it is advisable to use a professional platform certified under the National Security Scheme (ENS). This applies not only to public administrations and their providers, who are obliged to do so, but also to anyone seeking effective responses to possible cyber-attacks.

But no technology is sufficient if people can't recognize a deception attempt. Therefore, the best defense begins with training: investing in raising team awareness about phishing tactics significantly reduces the risk of falling into the trap. Having cybersecurity awareness training programs helps transform risk into resilience.
