Generative AI and Phishing

Rose de Fremery, January 24, 2024

Generative AI is here, and we're still trying to make sense of what it could mean for us on an individual and societal level. At the same time, cyber attackers are thinking about how they could use generative AI to launch more effective phishing attacks at scale. The question is not if but when hackers will leverage generative AI and phishing to target businesses with even greater precision and relentlessness. To help your company prepare, here's what you need to know about generative AI, how it could be used in phishing attacks, and how to protect your business from this evolving cyber threat.

What is generative AI?

Generative AI is a form of artificial intelligence that can create text, audio, images, and other types of content. ChatGPT is perhaps the most famous example of generative AI, or gen AI for short. It can be used as a chatbot, just like other kinds of AI, but that's just the tip of the iceberg. You can have ChatGPT create emails, essay outlines, and other written materials for you in an instant. Although what you get back may not be of the exact same quality as what a human would create, it's surprisingly close. Just like any other technology, ChatGPT and other kinds of generative AI are basically agnostic. That is, they can be used for good purposes as well as bad ones. Businesses may use gen AI to provide multilingual customer support or debug code – two arguably beneficial use cases. On the flip side, cyber criminals can also use gen AI to create phishing emails, and that spells trouble for anybody who cares about their company's cybersecurity. 

How is generative AI being used in phishing campaigns?

Bad actors can use generative AI to whip up traditional phishing emails in far less time than it takes to craft those messages by hand. An expert in social engineering at IBM estimates that while it usually takes her team about 16 hours to build an effective phishing email, a generative AI model can create a highly convincing one in just five minutes. It will soon be cheaper and less labor-intensive for cyber criminals to target companies with phishing emails than it was before generative AI stormed onto the scene. Because these AI-generated emails usually aren't riddled with spelling errors and other oddities that make them easy to identify as fraudulent, your employees might be more likely to interpret them as legitimate.

On top of that, cyber criminals can use ChatGPT and other large language models (LLMs) like it to make their phishing emails more relevant. Because LLMs are able to consume massive amounts of data, they can be directed to stay up to date on breaking news events, posts appearing on a company's social media accounts or website, or other trusted information sources that could help the message appear more credible.

Armed with these snippets of intel, a generative AI tool could quickly propagate a highly effective business email compromise (BEC) campaign that targets your CEO, your finance team, or other employees in key positions at your company. If they don't think to independently verify the message using another channel before clicking on the link contained in the message, you could have a ransomware attack on your hands.

How can you protect your business from generative AI phishing attacks?

As you can tell, generative AI and phishing are an explosive combination. Although it's wise to be concerned about how bad actors could use gen AI to come after your business, the news isn't all bad here. For starters, AI in cybersecurity could help companies ward off these kinds of attacks in the future. In the meantime, there are some easy, common-sense steps you can take right now to strengthen your defenses before these supercharged phishing campaigns start showing up on your doorstep. 

Update your security awareness trainings

If you're not already offering regular security awareness trainings to your employees, now is a great time to get started. By giving your staff the information they need to clock a potential phishing email, you can reduce the chances that they will be tricked by one and end up putting the business at unnecessary risk.

If you've been conducting security awareness trainings for a while, be sure to update them with the latest guidance on how to spot newer and evolving scams like AI phishing campaigns. For example, you'll want to let employees at your company know that while bad grammar and typos were once reliable signs of a phishing email, that's no longer the case in the age of generative AI.

Look out for phishing attempts on other channels, too

Although email has long been the communications channel of choice for phishing campaigns, it's not the only one. Phishing has proven remarkably adaptable since it first cropped up about 25 years ago. A crafty phishing message may slide into your direct messages (DMs) on social media, pop up on your phone as a text message, or even arrive in the form of a suspicious voice mail message (that one's called vishing). Since hackers are just starting to explore how generative AI and phishing go together, it's not a stretch to imagine that these kinds of campaigns will become more frequent and sophisticated in the future – or that cyber attackers might use AI to initiate multichannel campaigns so they can increase their chances of success.

Use a password manager

A password manager can also help you stay one step ahead of phishing attacks. You can use a password manager to make sure employees are only able to enter their passwords on verified domains, which stops most phishing attacks in their tracks. A phishing email often directs its victims to fake websites that are carefully designed to look like the real thing, inviting them to enter their passwords and provide other sensitive information that cyber criminals can then scoop up and use as they please. With a password manager restricting password entry to verified sites only, you can significantly reduce the chances that your employees will accidentally enter their passwords on fraudulent sites.
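
To make the "verified domains only" idea concrete, here is an added example (not from the original article or from any password manager's code) of the check a manager can run before offering a saved password. The vault entries, function names, sample domains and the matching rule itself (HTTPS only, exact host, optional subdomain match on a label boundary) are assumptions made for illustration.

```javascript
// Added example: the origin check a password manager can apply before autofill.
// VAULT, the function names and every domain below are constructed.
const VAULT = [
  { origin: "https://login.example.com", username: "alice", allowSubdomains: false },
  { origin: "https://intranet.example.org", username: "alice", allowSubdomains: true },
];

// Parse with the WHATWG URL parser so the comparison uses the host the
// browser would actually connect to, not what the address looks like.
function parsePage(pageUrl) {
  try {
    return new URL(pageUrl);
  } catch {
    return null; // unparsable input never gets credentials
  }
}

function hostMatches(pageHost, savedHost, allowSubdomains) {
  if (pageHost === savedHost) return true;
  // A subdomain match must fall on a label boundary (".example.org").
  return allowSubdomains && pageHost.endsWith("." + savedHost);
}

// Return the vault entries that may be offered on this page (often none).
function credentialsFor(pageUrl, vault = VAULT) {
  const page = parsePage(pageUrl);
  if (!page || page.protocol !== "https:") return [];
  return vault.filter((entry) => {
    const saved = new URL(entry.origin);
    return page.port === saved.port &&
      hostMatches(page.hostname, saved.hostname, entry.allowSubdomains);
  });
}

// Constructed page URLs: the saved site, then addresses that only resemble it.
const SAMPLES = [
  "https://login.example.com/signin",
  "http://login.example.com/signin",
  "https://login.example.com.account-verify.test/signin",
  "https://login.example.com@account-verify.test/signin",
  "https://login-example.com/signin",
  "https://wiki.intranet.example.org/",
  "https://notintranet.example.org/",
];
for (const url of SAMPLES) {
  const offered = credentialsFor(url).map((e) => e.username);
  console.log(offered.length ? "fill  " : "refuse", url);
}
```

Only the first and sixth sample URLs are offered a credential; the rest look similar to a person reading the address bar but resolve to a different host, scheme or port, so the manager stays silent, which is itself a useful cue for the employee.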

Get ready for generative AI phishing attacks

While AI can be a tool for good, it can unfortunately also be used for nefarious purposes. Cyber attackers are already considering how generative AI could help them launch highly effective phishing campaigns in less time. Don't panic, though. There's time to prepare. By taking a few simple steps to protect your business now, you will be in a stronger position to prevent AI phishing attacks from compromising your business as they start showing up.