The Bitwarden Blog

How to detect AI deepfakes and phishing attacks

authored by: Kasey Babcock

AI-enhanced phishing attacks are on the rise and with the help of generative and agentic AI, it is easier than ever for cybercriminals to quickly deploy targeted campaigns against individuals and businesses alike. Attackers are leveraging AI technology to create hyper-realistic content at rapid speeds — like deepfake videos, cloned voices, and spoofed images — that are intended to deceive their victims into revealing sensitive information or downloading malware. 

AI-enhanced phishing campaigns are also harder to identify, making them more effective. AI phishing attacks are reportedly 24% more effective than traditional human-generated attacks, according to Hoxhunt.

As phishing threats continue to evolve, it will be exceedingly important to stay informed on security best practices to protect yourself, your family, and your organization. Here are some practical tips on how to detect and stay safe from AI-enhanced phishing that you can start implementing now.

Dive deeper: Before learning about how to protect yourself from AI-enhanced phishing, consider learning about different types of phishing techniques and how the rise of AI has impacted phishing scams.

Detect AI deepfakes and phishing attacks with these tips

Stop and think: Take 9!

Taking a 9-second pause before interacting with suspicious communications can make a big impact in staying safe against phishing attacks. Those 9 seconds help our brains reason through any emotions that may arise, helping attack recipients think more logically and see through social engineering tactics.

Key indicators

After taking a 9-second pause, keep an eye out for these red flags to help detect phishing attacks.

  • Too good, bad, or outlandish - If an offer seems too good to be true, it probably is. A classic example of this red flag is the Nigerian prince email scam, which offers recipients a considerable monetary sum if they send an advance payment. Be cautious of any offer that promises a reward for unbelievable reasons, or threatens to enact something that will negatively upend your life. 

  • Urgency - Attackers often employ a sense of high stakes urgency in their campaigns to pressure recipients to act quickly. Any unexpected communication with a heightened sense of urgency should be cause for suspicion.

  • Emotions - A common social engineering tactic is to exploit people’s emotions. "Any content you see online that makes you feel a strong emotion - anger, fear, disbelief - is a red flag," said Lynette Owens, VP Global Consumer Education & Marketing at Trend Micro. 

  • Unprecedented communication path - Attackers are typically pretty convincing when impersonating people in our lives, but what they sometimes fail at is sending communication via an expected channel. If a message from your boss comes through WhatsApp, when you typically communicate through Microsoft Teams, it should be a red flag. Consider reaching out to the same person via a more reliable channel to confirm.

  • Unnaturally perfect - In the age of generative AI, deepfake videos, audio, and images are incredibly common in phishing attacks. If these pieces of media seem unnatural or too “perfect”, it is an indication of AI generation and may be a malicious phishing campaign. 

  • Autofill - Most password managers, like Bitwarden, have built-in phishing detection by way of autofill. If a password manager does not offer to autofill a saved login when navigating to a website, the website is not legitimate.

How to protect your organization from AI phishing

Organizations and their employees are often targets of spear phishing campaigns where attackers attempt to gain access to company systems and withhold information until a hefty ransom is paid. 

Vishing attacks in particular have grown in frequency with 30% of organizations reporting they were subject to such an attack (Phishing Trends Report).  Malicious actors targeting organizations with vishing attacks typically use “fake calls to impersonate officials or executives.” Even the United States government is not immune to this attack, with attackers impersonating senior U.S. officials with AI-generated voice messages to gain access to personal accounts. 

Action item: To protect your organization against malicious attacks, consider revisiting the organization's security strategy. It likely needs an update to better defend against rapidly evolving AI-enhanced security threats. Here are some considerations to incorporate in a company security strategy. 

  • Threat threshold - Sometimes called ‘risk tolerance’, a threat threshold is the point where the organization is dissatisfied with the known risks to the organization, and initiates a specific response. Consider what risks the organization is okay with, and what risks will need to be resolved when they arise.

  • Anti-phishing solutions - There are many anti-phishing products on the market, offering a wide variety of enterprise solutions to phishing. Evaluate the best anti-phishing strategy for your organization and what combination of products supports this strategy. Some popular choices are KnowBe4 for flagging suspicious emails and Proofpoint for email filtering.

  • Context-based defenses - Context-based defenses are implemented via software or systems that identify and block phishing attacks by recognizing the context in which they occur. This is achieved with artificial intelligence and machine learning and helps stop phishing before it reaches employees.

  • End user training - Consider incorporating phishing education into regular security training programs. By sharing red flags to look out for and the expected steps an employee should take when interacting with a suspicious message, employees will be more prepared to defend the organization.

  • Password management - Most password management solutions offer built-in ways to detect phishing. When an employee visits a spoofed website and attempts to autofill their login credentials, the password manager will not offer up the associated login because the URLs don't match. Consider implementing a password manager, like Bitwarden, if your organization does not have one.
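
To illustrate the URL matching described in the password management item above, here is an added example (not Bitwarden's code and not part of the original post) that compares a saved login against lookalike page URLs. The matching rule (same https origin), the function names, and the sample domains are assumptions made for the example.

```javascript
// Added example: simplified URL matching for autofill. Not Bitwarden's code.
// Constructed sample vault entry; the domain is a reserved placeholder.
const SAVED_LOGIN = { name: "Example Bank", uri: "https://login.bank.example/signin" };

// Naive check: looks for the saved host anywhere in the address-bar string,
// which is roughly what a person skimming the URL does.
function naiveMatch(savedUri, pageUrl) {
  return pageUrl.includes(new URL(savedUri).hostname);
}

// Stricter check (assumed rule for this example): both URLs must parse,
// the page must use https, and both must share the same origin
// (scheme + host + port).
function originMatch(savedUri, pageUrl) {
  try {
    const saved = new URL(savedUri);
    const page = new URL(pageUrl);
    return page.protocol === "https:" && saved.origin === page.origin;
  } catch {
    return false; // unparsable input: never offer credentials
  }
}

// Constructed page URLs: one genuine, the rest lookalikes of the kinds
// seen on spoofed login pages.
const PAGES = [
  ["genuine", "https://login.bank.example/signin?next=/home"],
  ["suffix trick", "https://login.bank.example.account-check.test/signin"],
  ["userinfo trick", "https://login.bank.example@account-check.test/signin"],
  ["digit swap", "https://login.b4nk.example/signin"],
  ["homoglyph", "https://login.b\u0430nk.example/signin"], // Cyrillic "a"
  ["no TLS", "http://login.bank.example/signin"],
];

// Returns one row per page: would each check offer the saved login?
function evaluate(pages = PAGES, login = SAVED_LOGIN) {
  return pages.map(([label, url]) => ({
    label,
    naive: naiveMatch(login.uri, url),
    strict: originMatch(login.uri, url),
  }));
}

console.table(evaluate());
```

Only the genuine page passes the origin check, while the substring check also accepts the suffix, userinfo, and plain-http variants.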

What to do if you have been subject to an attack?  

If you have fallen for a phishing attack: 

  1. Notify your banks and financial organizations. Consider freezing credit as well to stop new lines of credit from being opened. 

  2. Depending on the scam, consider closing compromised accounts or wiping infected devices and restoring to factory settings.

  3. If residing in the United States, report the attack to the Federal Trade Commission (FTC) or Internet Crime Complaint Center (IC3).

  4. Talk about it! Share what happened with friends and family to help spread awareness.

  5. Download a password manager to prevent sharing sensitive credentials with malicious actors in the future. Bitwarden offers free accounts for everyone!

If your organization has been impacted by a phishing attack: 

  1. Notify your IT team if they are not already aware so they can take further action.

  2. Investigate affected accounts, environments, and devices to understand the full scope of impact.

  3. Consider wiping infected devices and restoring them to factory settings.

  4. Be honest about the breach to customers, partners, and the press. If your organization waits too long to reveal a breach’s impact, it may severely damage brand reputation.

  5. Deploy a password manager, like Bitwarden, to the organization, providing guardrails on how sensitive credentials can be autofilled in the future.

Bitwarden helps block malicious phishing attacks

Start blocking malicious phishing attacks and download Bitwarden! With the Bitwarden Password Manager, sensitive information and passwords will never autofill on spoofed websites or login pages. The upcoming Bitwarden Phishing Blocker also prevents end users from navigating to a website that has been identified as a known phishing site.

Sign up for a free account or start a free 7-day business trial today to get started!