The Bitwarden Blog

AI Phishing Evolution: Staying Ahead of Sophisticated Scams

Authored by: Ryan Luibrand

In the ever-evolving landscape of cyber threats, phishing attacks have undergone a significant transformation, particularly with the rise in the use of generative artificial intelligence. This evolution marks a new era in cybersecurity challenges, as highlighted in the recent eBook, Balancing Security and Innovation in the Age of AI, which focuses on the intricate dance between AI advancements and cybersecurity measures. Understanding these changes is crucial for businesses aiming to stay ahead in safeguarding their digital assets.

How AI plays a role in phishing attacks

AI phishing represents an evolution from traditional phishing techniques, utilizing machine learning and AI algorithms to craft more convincing, targeted, and ultimately successful attacks. Unlike standard phishing, which often relies on mass, generic communication, AI phishing tailors its approach to individual recipients, making detection considerably more challenging. The sophistication of these attacks lies in their ability to mimic genuine communications convincingly, leveraging vast amounts of data to personalize each phishing attempt, essentially turning a mass, generic attack into a mass targeted attack.

While the data and techniques behind AI phishing are still mostly discussed in generic or hypothetical terms, it is good for security-minded IT professionals to understand the power of generative AI and how it can be used to easily manipulate human workers. A recent article published by CNBC tells of a $25.6 million phish that used AI to fake communications and even deepfake a video call to dupe an employee into transferring money to scammers.

Automated AI systems make it easier to get past the defenses of properly suspicious employees. For example, a program using generative AI could pose as an IT manager or a coworker and have a generated multi-message email conversation with a target, building rapport and leveraging data scraped from the internet to develop trust. This type of application could be deployed at a large scale.

[Image: phishing email generated by AI]

Today it’s even easier for the simplest phishing attacks to appear more sophisticated. If a large business were to be targeted, for example, a phishing email would need to be in “corporate speak” to appear legitimate. Corporate employees may have received phishing training, warning them of emails laden with spelling errors and poor grammar. Enter generative AI, which can be leveraged to help get around the defenses of training and appear legitimate.

Here’s an example of what can be done today with just a regular, consumer-available AI product. The below prompt was entered into a generative AI system, posted here as a screenshot.

[Screenshot: ChatGPT phishing email prompt]

The response:

[Screenshot: example of AI-generated phishing email]

That paragraph about not being a phishing email was particularly cheeky.

Now all that’s needed is to insert any information that might increase the chances of the phish succeeding, such as the company name and the Security Officer’s title and name, which could be found on social networks or the company’s public documentation. The embedded link needs to be pointed at a fake website capturing whatever users enter, and the usernames and passwords will start rolling in, exposing your business’s security.

The example above was generative AI in its simplest form: a prompt and a response. Savvy hackers and hacker groups (including state-sponsored ones) have access to APIs and other tools that allow for ingesting and processing large amounts of data to produce highly personalized, targeted emails with high chances of success.

Protecting your organization against AI phishing

As outlined in the eBook, mitigating the risks associated with AI phishing requires a multifaceted approach. First, there’s helping employees identify possible phishing attacks with up-to-date training. Technical approaches include flagging external emails to make it more difficult for emails posing as internal to succeed, for example.
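The "flag external emails" control mentioned above is easy to state but has a few edge cases worth getting right, in particular a message whose display name is a real colleague's while the actual address is external, and a Reply-To that silently redirects the conversation elsewhere. The following is an added example, not Bitwarden code and not from the eBook; the internal domains, the staff directory and the sample headers are all constructed for illustration.

```javascript
// Added example (not Bitwarden's code): classify inbound mail so that messages
// from outside the organization are tagged, including messages that borrow the
// display name of an internal colleague. All domains and names are constructed.
const INTERNAL_DOMAINS = new Set(["example.com", "corp.example.com"]); // assumed
const INTERNAL_PEOPLE = new Set(["jane doe", "it helpdesk"]);          // assumed directory

// Split an RFC 5322 style header value into display name and bare address.
// Handles `"Jane Doe" <jane@example.com>`, `Jane Doe <jane@example.com>` and `jane@example.com`.
function parseAddress(header) {
  const m = header.match(/^\s*(?:"?([^"<]*)"?\s*)?<([^>]+)>\s*$/);
  if (m) return { name: (m[1] || "").trim(), address: m[2].trim().toLowerCase() };
  return { name: "", address: header.trim().toLowerCase() };
}

function domainOf(address) {
  const at = address.lastIndexOf("@");
  return at === -1 ? "" : address.slice(at + 1);
}

// Returns an array of flags for a message given its From and optional Reply-To header values.
function classifyMessage({ from, replyTo }) {
  const f = parseAddress(from);
  const fromDomain = domainOf(f.address);
  const flags = [];

  const external = !INTERNAL_DOMAINS.has(fromDomain);
  if (external) flags.push("EXTERNAL");

  // Display-name impersonation: the name is one of ours, the address is not.
  if (external && INTERNAL_PEOPLE.has(f.name.toLowerCase())) {
    flags.push("DISPLAY_NAME_SPOOF");
  }

  // A Reply-To on a different domain moves the conversation away from the visible sender.
  if (replyTo) {
    const r = parseAddress(replyTo);
    if (domainOf(r.address) !== fromDomain) flags.push("REPLY_TO_MISMATCH");
  }
  return flags;
}

// Prefix the subject so the warning is visible in every mail client.
function tagSubject(subject, flags) {
  return flags.includes("EXTERNAL") ? `[EXTERNAL] ${subject}` : subject;
}

// Constructed sample messages, as a mail rule would see them.
const SAMPLE_MESSAGES = [
  { from: '"Jane Doe" <jane.doe@example.com>', subject: "Q3 report" },
  { from: "Jane Doe <jane.doe@mail-example.net>", subject: "Urgent: password reset" },
  { from: "vendor@partner.org", replyTo: "billing@other.io", subject: "Invoice" },
];

for (const msg of SAMPLE_MESSAGES) {
  const flags = classifyMessage(msg);
  console.log(tagSubject(msg.subject, flags), flags);
}
```

The display-name check is the one that catches the "coworker" persona the article describes: the mail looks like it is from Jane, but Jane's address is on a look-alike domain. In a real deployment the directory lookup would come from the identity provider rather than a hard-coded set.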

Other effective cybersecurity practices include securing sensitive information through end-to-end encrypted solutions, such as a strong credential manager like Bitwarden, which ensures protection across all devices and platforms. Credential managers also enable security decision-makers to implement company-wide security policies with centralized management, ensuring all employees maintain secure information storage and sharing practices.

How Bitwarden helps combat AI phishing

Bitwarden offers a portfolio of solutions that can be used to beat AI phishing and help protect your business.

Bitwarden Password Manager

Secure employee passwords in an end-to-end encrypted, centrally managed vault. Prevent phishing with advanced URI detection so that credentials aren’t inadvertently supplied to harmful look-alike sites. This comes with all the other benefits of a password manager, such as extending the security of Single Sign-On (SSO) to websites and apps that don’t support it. Learn more about using Bitwarden Password Manager for your business.
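The URI-detection point above is the mechanism that makes a password manager phishing-resistant: the manager only offers a saved login when the page's origin matches the one the credential was saved for, so a look-alike domain gets nothing even if the user is fooled. Below is an added example of that matching logic, written for this article and not Bitwarden's implementation; the match modes ("base", "host", "exact") are modelled on the kinds of options password managers commonly offer, the tiny suffix table stands in for a full public-suffix list, and the sample vault is constructed.

```javascript
// Added example (not Bitwarden's code): decide whether a saved login's URI matches
// the page the user is on, so credentials are offered only on the legitimate site.
// KNOWN_MULTI_PART_SUFFIXES is a constructed stand-in for a real public-suffix list.
const KNOWN_MULTI_PART_SUFFIXES = new Set(["co.uk", "com.au"]);

// Reduce a hostname to its registrable domain: "sso.example.com" -> "example.com",
// "online.bank.co.uk" -> "bank.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = KNOWN_MULTI_PART_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// matchType: "base" (registrable domain, the usual default), "host" (hostname + port), or "exact" (full URL).
function uriMatches(savedUri, pageUrl, matchType = "base") {
  let saved, page;
  try {
    saved = new URL(savedUri);
    page = new URL(pageUrl);
  } catch {
    return false; // unparseable input never matches
  }
  // Never offer credentials to a non-http(s) page (file:, javascript:, data: ...).
  if (!/^https?:$/.test(page.protocol)) return false;

  switch (matchType) {
    case "exact":
      return saved.href === page.href;
    case "host":
      return saved.host === page.host;
    case "base":
    default:
      return registrableDomain(saved.hostname) === registrableDomain(page.hostname);
  }
}

// Return the vault items whose URIs match the current page; each URI may carry its own match mode.
function matchingLogins(vault, pageUrl) {
  return vault.filter(item =>
    item.uris.some(u => uriMatches(u.uri, pageUrl, u.match || "base"))
  );
}

// Constructed sample vault.
const SAMPLE_VAULT = [
  { name: "Corp SSO", uris: [{ uri: "https://sso.example.com/login" }] },
  { name: "Bank", uris: [{ uri: "https://online.bank.co.uk", match: "host" }] },
];

// Legitimate page: offered. Look-alike pages: nothing is offered, which is the phishing defense.
for (const url of ["https://mail.example.com/inbox", "https://sso.example-com.net/login", "https://example.com.evil.net"]) {
  console.log(url, "->", matchingLogins(SAMPLE_VAULT, url).map(i => i.name));
}
```

The two look-alike cases in the loop are the ones users fall for most: a hyphenated or misspelled second-level domain, and the real domain used as a subdomain of an attacker-controlled one. Both reduce to a different registrable domain, so the base-domain match refuses them without relying on the user noticing.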

Bitwarden Secrets Manager

Protect machine secrets like API keys, SSH keys, and more throughout the development lifecycle. These secrets are a prime target for phishing, as their use would go undetected and could allow unfettered access to your systems. Keeping machine secrets secure but accessible only when needed should be a priority for DevOps and IT teams everywhere. Learn more about Bitwarden Secrets Manager.

Bitwarden Passwordless.dev

Passwords cannot be phished if they don’t exist in the first place. Bitwarden Passwordless.dev offers the simple tools necessary to create a passkey-based authentication system for your external website or internal tools. A few lines of code and passwords are eliminated from your systems, replaced with strong, un-phishable passkeys.

Conclusion

The advent of AI phishing heralds a new chapter in cybersecurity, demanding heightened vigilance and sophisticated countermeasures. Staying informed and adopting proactive security strategies are imperative in navigating these challenges. For those seeking to deepen their understanding and enhance their defenses, the eBook, Balancing Security and Innovation in the Age of AI, offers valuable insights, and the Bitwarden suite of solutions provides the tools necessary to help safeguard against the growing threat of AI-enhanced phishing.

Get started with Bitwarden

Ready to try out password sharing with Bitwarden? Quickly get started with a free Bitwarden account, or start a 7-day free trial of our business plans to keep your team safe online. Have questions? Sign up for the free weekly demo.

© 2024 Bitwarden, Inc.