AI phishing evolution: Staying ahead of sophisticated phishing attempts and scams

In the ever-evolving landscape of cyber threats, AI-driven phishing attacks have undergone a significant transformation, particularly with the rise in the use of generative artificial intelligence. This evolution marks a new era in cybersecurity challenges, as highlighted in the eBook, Balancing Security and Innovation in the Age of AI, which focuses on the intricate dance between AI advancements and cybersecurity measures. Understanding these changes is crucial for businesses aiming to stay ahead in safeguarding their digital assets.

AI phishing attacks represent an evolution from traditional phishing techniques, utilizing machine learning and AI algorithms to craft more convincing, targeted, and ultimately successful phishing campaigns. Unlike standard phishing attacks, which often rely on mass, generic communication, AI phishing tailors its approach to individual recipients, making detection considerably more challenging. The sophistication of these phishing attacks lies in their ability to mimic genuine communications convincingly, leverage vast amounts of data to personalize each phishing attempt, and turn mass generic phishing attacks into a targeted attack.

Spear phishing, which was previously a hypertargeted form of phishing that took human effort to assemble, uses social engineering tactics to deceive individuals based on personal information obtained from social media and data breaches. Advancements in AI technology have made these attacks more sophisticated, convincing, and able to be executed on a larger scale than ever before.

While still in its infancy, AI phishing and attacks are beginning to make headlines — from faked video calls to spoofed phone calls that end up costing businesses time, market value, and reputation. It is good for security-minded IT professionals to understand the power of generative AI and how it can be used to easily manipulate human workers. An article published by CNBC in 2024 details a $25.6 million phish that used AI to fake communications and even deepfake a video call to dupe an employee into transferring money to scammers.

Automated AI systems make it easier to get past the defenses of properly suspicious employees. For example, a program using generative AI could pose as an IT manager or a coworker and have a generated multi-message email conversation with a target, building rapport and leveraging data scraped from the internet to develop trust. This type of application could be deployed at a large scale, enabling a wider range of phishing attacks. By leveraging AI, attackers can automate the creation of highly convincing fraudulent messages, challenging cybersecurity professionals to adapt by employing advanced AI tools to counteract such threats.

Today, it’s even easier for the simplest phishing attacks to appear more sophisticated. If a large business were to be targeted, for example, a highly personalized phishing email would need to be in “corporate speak” to appear legitimate. Corporate employees may have received phishing training, warning them of emails laden with spelling errors and poor grammar. Enter generative AI, which can be leveraged to help get around the defenses of training and appear legitimate.

Here’s an example of what can be done today with just a regular, consumer-available AI product. The below prompt was entered into a generative AI system, posted here as a screenshot.

The response:

That paragraph about not being a phishing email was particularly cheeky.

Now all that’s needed is to insert any information that might be pertinent to increase the chances of success of the phish, such as the company name and the Security Officer’s title and name, which could be found on social networks or the company’s public documentation. The embedded link needs to be pointed to a fake website that captures whatever users enter, and the usernames and passwords will start rolling in, exposing your organization’s security.

The example above was generative AI in its simplest form: a prompt and response. Savvy hackers and hacker groups (including state-sponsored) have access to APIs and other tools that allow for the ingestion and processing of large amounts of data to produce highly personalized, targeted emails with high chances for success.

As outlined in the eBook, mitigating the risks associated with AI phishing requires a multifaceted approach. First, there’s helping employees identify possible phishing attacks with up-to-date training. Security teams play a crucial role in this process, utilizing advanced AI tools and detection systems to counteract threats and maintain cybersecurity. Technical approaches include flagging external emails to make it more difficult for emails posing as internal to succeed, for example.

Other effective cybersecurity practices include securing sensitive information with end-to-end encrypted cybersecurity solutions, such as a strong credential manager like Bitwarden, that ensures protection across all devices and platforms. Credential managers also enable security decision-makers to implement company-wide security policies with centralized management to ensure all employees maintain secure information storage and sharing practices, thereby helping mitigate the risk of malicious sites.

In addition to the right tools, end-user training is crucial in preventing AI-powered phishing attacks. By educating employees on the latest phishing tactics, including how generative AI is used to create highly convincing scams, organizations can empower their workforce to act as the first line of defense. Regular simulations of phishing attacks can help reinforce learning and gauge employee readiness, and security awareness training should focus on building a culture of vigilance, empowering employees to report suspicious emails and activities.

Bitwarden offers a portfolio of solutions that can be used to beat AI phishing attacks and help protect your business.

Secure employee passwords in an end-to-end, centrally managed, secure vault. Prevent phishing attacks with advanced URI detection so that credentials aren’t inadvertently supplied to harmful look-alike sites. This feature helps distinguish between fake domains and legitimate sites, ensuring users interact only with trusted platforms. This comes with all the other benefits of a password manager, such as extending the security of Single Sign-On (SSO) to websites and apps that don’t support it. Learn more about using Bitwarden Password Manager for your business.

Protect machine secrets like API keys, SSH keys, and more throughout the development lifecycle. These secrets are a prime target for phishing by threat actors, as their use would go undetected and could allow unfettered access to your system. Keeping machine secrets secure, but accessible only when needed, should be a priority for DevOps and IT teams everywhere. Learn more about Bitwarden Secrets Manager.

Passwords cannot be phished if they don’t exist in the first place. Bitwarden Passwordless.dev offers the simple tools necessary to create a passkey-based authentication system for your external website or internal tools. A few lines of code and passwords are eliminated from your systems, replaced with strong, unphishable passkeys, making it difficult for cybercriminals to target your users with minimal effort.

The advent of AI phishing heralds a new chapter in cybersecurity, demanding heightened vigilance and sophisticated countermeasures. AI technology is leveraged by cybercriminals to enhance the sophistication of phishing attacks, making them more convincing and personalized. Staying informed and adopting proactive security strategies are imperative in navigating these challenges and avoiding phishing attacks. For those seeking to deepen their understanding and enhance their defenses, the eBook, Balancing Security and Innovation in the Age of AI, offers valuable insights, and the Bitwarden suite of solutions provides the tools necessary to help safeguard against the growing threat of phishing attacks, AI-enhanced and otherwise.

Ready to try out password sharing with Bitwarden? Quickly get started with a free Bitwarden account, or start a 7-day free trial of our business plans to keep your team safe online. Have questions? Sign up for the free weekly demo.