AI increasing sophistication of social engineering attacks

Hackers are leveraging the latest technology to trick victims into sharing information

Cybersecurity threats have evolved significantly over the years. And new technologies are making it easier for cybercriminals to carry out social engineering exploits, including phishing and vishing attacks.

Hackers are continually evolving their techniques to stay ahead of cybersecurity measures and successfully exploit individuals, businesses and other organizations—and phishing continues to be their weapon of choice. According to the FBI’s 2022 Internet Crime Report, the number of reported phishing incidents climbed from about 26,000 in 2018 to more than 300,000 in 2022—significantly higher than any other type of crime reported to the FBI’s Internet Crime Complaint Center.

With advances in artificial intelligence (AI) and other technologies, including generative AI tools like ChatGPT 4, cybercriminals are automating and personalizing these social engineering attacks to improve their success rates. Individuals, businesses and other organizations need to stay vigilant to guard against these increasingly sophisticated threats.

Social engineering relies on gaining victim’s trust

Social engineering involves tricking victims into divulging sensitive information to them. For example, one common technique cybercriminals use is pretexting, which involves creating a false identity or story to gain the victim’s trust. Another technique is baiting, which involves offering the victim something they want, such as a free gift card, in exchange for their sensitive information.

Any personal information the hacker obtains from any source can be helpful in facilitating these attacks and making them appear more believable. In some cases, cybercriminals are starting to use AI to gather information on their targets, such as matching the victim’s profile photo across platforms to identify their various social media accounts. Attackers can then use the information in those social posts to craft personalized emails and phone calls that the victim may be more likely to perceive as real instead of as a threat.

AI can make phishing more convincing

AI creates more opportunities for cybercriminals to enhance social engineering attacks and trick their victims more effectively to gain needed trust.

One example of this is vishing – a form of phishing that uses voice calls instead of emails. Vishing attacks use social engineering techniques to impersonate legitimate callers, such as bank representatives, tech support agents, or government officials, in order to trick victims into sharing sensitive information, such as login credentials or credit card numbers.

With advances in AI, hackers can now use voice recognition software to impersonate specific individuals, such as a victim’s boss, co-worker or spouse. This technology allows hackers to customize their voice to match the person they are impersonating, making it more difficult for the victim to detect the deception.

New artificial intelligence tools and other technologies have also made it easier for cybercriminals to conduct callback phishing attacks. These types of attacks typically start with a phishing email that includes a phone number for the victim to call. When the victim calls the number, they are directed to a fake interactive voice response (IVR) system that appears to be from a legitimate organization, such as a bank or tech company. The IVR system prompts the victim to enter sensitive information, such as their account number or login credentials, and that information is captured by the hackers.

Cybercriminals can now use voice- and facial-spoofing technology to create convincing fake IVR systems. These systems use natural language processing to simulate a real conversation and can even adapt to the victim’s responses, making the conversation more convincing. In a one-two punch, hackers can also use social engineering tactics to convince the victim to allow the attacker to install remote access software on the victim’s machine, giving the attacker full control over the victim’s computer and access to sensitive information.

And that is just the beginning. The latest wave of AI tools can be used to create fake audio, images and even video – all of which offer cybercriminals more ways to try to exploit the trust of their victims and gain access to their information and systems.

Ways to defend against phishing and other social engineering attacks

Stay alert to defend against phishing threats, including vishing and callback attacks. Remember, even without AI tools, hackers are using social engineering tactics to manipulate victims into divulging sensitive information.

One of the simplest, but most important steps for individuals to take is to verify email and phone communications and be careful about sharing sensitive or financial information. If you don’t recognize the sender, don’t click on any links or open attachments in the email. And don’t provide personal or financial information over the phone unless you have initiated the call and have verified you are speaking to a legitimate source.

Other steps to mitigate the risk of phishing attacks include using unique and complex passwords, implementing multi-factor authentication, and encrypting data when possible.

In addition, businesses should train employees to help them recognize phishing attacks, and they should keep software and systems updated to protect against vulnerabilities. Other software safeguards may include using firewalls and installing anti-phishing and anti-malware software on company devices.

What to do if you fall victim to a cyber attack

In the instance that your organization does fall victim to a cyber attack, it’s important to have an incident response plan in place.

Designing and implementing an incident response plan should be a top priority for businesses. This plan will govern and direct how the organization will effectively respond to cybersecurity incidents. It defines what constitutes a breach and identifies key stakeholders, escalation procedures and other measures to be taken during a cyber incident or event.

Organization leaders also need to be prepared to investigate cybersecurity compromises effectively. A company can either hire an experienced cyber-response specialist when an incident occurs or proactively partner with an independent services provider who will be available to assist when trouble arises. A cybersecurity professional can help to review the situation and determine what has taken place, identify the source of the attack, assess the damage done, recommend remediation tactics, address notification requirements and advise on next steps to avoid future occurrences.

Having access to outside expertise can also help an organization confirm that evidence related to the incident is collected and handled properly, and in a manner consistent with what the courts would require should legal action become necessary.

For many organizations these days, falling victim to a cyberattack is not a matter of if, but a matter of when. And bad actors are leveraging new technologies like AI to strengthen their attacks. Because of this, organizations are under more pressure today than ever to plan, protect and respond to cyber threats, including phishing, vishing and other social engineering attacks. Engaging a professional services firm with cybersecurity expertise can help you and your organization meet these challenges head on.

Contact me or another member of Kaufman Rossin’s Cybersecurity and Data Privacy Advisory Services team to learn more about how we can help you address these challenges, meet compliance requirements, educate personnel, assess your risks and respond effectively to cybersecurity incidents and events. Our team can help your organization plan for and respond to the latest security threats including those posed by AI and other technological advances. With new AI tools like ChatGPT 4 and others emerging daily, the risks will only continue to grow – so educate yourself and your staff, remain vigilant, and let us know how we may assist.