Hackers and Generative AI: Evolv I.T. Explains the New Cyber Threat to Businesses

The ability of generative AI to produce text, images, and other media in mere seconds is a significant achievement of the 21st century. Its implementation across industries is already streamlining workloads, increasing efficiency, and freeing employees to work on more crucial tasks. However, its usage is being leveraged for a darker impact: AI-enhanced phishing. Since generative AI is neutral (not “good” or “bad”), its impact is determined by the user, not the program itself. What this ultimately means, explains Daniel Herrera, the CEO of Evolv I.T., is that while regenerative AI can be used to write an essay or blog post, hackers are taking it one step further: they are leveraging this technology to make their email phishing more effective. Most importantly, and equally unnerving, is that they are succeeding.

How do generative AI and phishing intersect?

At Evolv I.T., Herrera and his team are investigating the impact of AI on phishing, including how to combat it. Herrera explains that artificial intelligence creates human-like text and can mimic the style and context of natural language. This technology can significantly help writers, who can increase their productivity, and non-writers, who have long struggled with creating essays, blogs, and other written content.

Most people are already familiar with phishing, which is a fraudulent attempt to obtain sensitive information by posing as a trustworthy entity, such as a bank, a well-known business, or a governmental organization.

“In the past, you may have seen a lot of emails from foreign countries requesting urgent financial help. Or, there may have been emails allegedly from a delivery company, with grammar or spelling mistakes that made it obvious it was phishing,” says Herrera. “Generative AI wipes out those weaknesses. Phishing emails are now much more sophisticated. They are also less generic, as cybercriminals are researching the person on social media, then using generative AI to write a more personalized message.”

Businesses across all industries should be taking this new threat seriously, as in the past year alone, malicious phishing emails have increased by 464%. And in Q1 of 2023, over 30% of all received emails were spam, while 1.3% contained malware or phishing links. Herrera states this is an alarming statistic and shows that now is the time to train all employees in this new age of email phishing.

What are the new AI-enhanced phishing threats faced by organizations?

AI has contributed to the evolution of phishing tactics and scams in several ways:

1. Context-aware phishing

• As mentioned, hackers previously used generic templates that were a relatively easy tip-off. They are now using context-aware messaging in their phishing emails by incorporating specific details, such as recent activities, social connections, or current events. The result is fraudulent messaging that is more convincing, and much less easy to detect.
• For example, an employee might receive an email from a coworker referencing a company’s holiday party or after-hours event. The AI-enhanced phishing email might contain these details, providing a false sense of trust and increasing the risk of the recipient opening the email or clicking on its link.

2. Natural Language Generation (NLG)

• Traditional email filters are programmed to flag potential threats when they identify unnatural-sounding language in emails. Because generative AI enables hackers to create messages utilizing natural language, the emails can mimic authentic conversation. This helps cyber criminals to get around the filters and makes it more likely that the recipient will disclose sensitive information.

3. Personalization and Social Engineering

• AI algorithms can analyze vast amounts of data to create highly personalized phishing emails or messages. This involves using information about the target, such as their online behavior, preferences, or even recent events in their life, making the phishing attempt more convincing.

4. Deepfake Technology

• AI can be employed to create convincing deepfake audio or video content. Phishers can use this technology to impersonate trusted individuals, such as company executives or colleagues, making it more likely for the target to fall for the scam.

5. Automated Spear Phishing

• AI enables automated spear phishing attacks by analyzing publicly available information about individuals and crafting targeted messages. This makes it easier for attackers to tailor their phishing attempts to specific individuals or organizations.

6. Credential Stuffing Attacks

• AI algorithms can be used to automate credential stuffing attacks, where large sets of stolen usernames and passwords are systematically tested across various online platforms. This automated process allows attackers to identify accounts with reused credentials quickly.

7. Phishing Kit Automation

• AI-driven tools can automate the creation and deployment of phishing kits. These kits include pre-designed phishing websites that mimic legitimate login pages, making it easier for attackers to launch phishing campaigns on a large scale.

8. Adversarial Machine Learning

• Some attackers leverage adversarial machine learning techniques to bypass security measures. This involves training AI models to understand and evade detection mechanisms, making it challenging for traditional security systems to identify and prevent phishing attacks.

How can organizations guard their data from AI-enhanced phishing?

“It’s crucial to stay aware of how cybersecurity is evolving,” Herrera states. “Your company can have the most robust cybersecurity measures possible, and that’s definitely a great start to fortifying defenses, but hackers will continue turning to other ways to try to penetrate them. So, one of your primary ways to keep your company safe is to train yourself and your employees in the online threats your business faces. That’s why Evolv I.T. offers one of the most comprehensive, continuous training programs in the industry, and we regularly help employees become proactive about guarding companies from hackers.”

Herrera adds that companies must be sure that they use advanced email filtering solutions that can identify subtle patterns that indicate AI-generated content. As phishing becomes harder to detect, filters will need to become more sensitive, or hackers will be able to slip through.

“Multi-factor authentication is also crucial. Taking the extra 20 seconds to receive a texted code and implement it can mean the difference between safety and danger,” says Herrera. “Also, consider conducting monthly security and vulnerability assessments, as it is far easier to mitigate risks vs. overcome them when they have already been exploited by hackers.”

With the average cost of an online breach reaching over $4M, organizations cannot afford to be complacent about their cybersecurity. “Generative AI is lowering the bar to entry for cybercriminals and making it easier for them to penetrate your defenses,” Herrera says. “Reach out to an MSP such as Evolv I.T. so that you can equip yourself with the tools to safeguard your sensitive information. There is actually a lot you can do about AI-enhanced phishing. By being proactive and remaining up to date on tactics, you will stay ahead of cyber criminals, which is exactly where you need to be.”

About Evolv I.T.

Headquartered in Birmingham, AL, Evolv I.T. is a leading end-to-end Managed Services Provider with one of the industry’s highest client satisfaction ratings (99.8%). Evolv I.T. offers revolutionary technology solutions to companies, such as technology lifecycle planning, asset management, breach prevention, ERP systems, software management, IT support, and more. Its national services increase the efficiency, productivity, security, scalability, and productivity of its clients.