If you thought phishing was already difficult to stop, wait until you start dealing with the new generation of AI-assisted crooks. An obvious criminal use case for ChatGPT and similar generative AI services is crafting better (actually near-perfect) personalized phishing attacks. Criminals can use text generators for grammatically perfect emails, voice generators for pitch-perfect phone calls, and even decent-quality video images to fake a FaceTime call. And don’t rule out attack vectors you’ve never thought of as the AIs themselves craft attacks that no human had imagined.
Here are some pro tips on how to defend against the coming “smart attacks” from AI-assisted phishing:
- Require “alternate” verification for large transactions: Make sure employees touch base over alternate channels before acting on any request received by email, Slack, text or even phone calls (and, in the near future, even video calls).
Example: It’s going to seem weird at first, but after your boss calls and explicitly tells you to pay that new CRM vendor $10,000, you need to call her right back and verify that it was her. Or you could do it electronically if you have some password or shared secret that can be used to verify the electronic confirmation.
- Purchase good cybersecurity insurance: If you’ve saved money by skimping on this important coverage, congratulate yourself, then use those savings to go buy some now before the prices go up.
Example: There are hundreds of insurance options available. As a starting spot, see our list of digital-first insurers focused on small businesses.
- Have backup bank/payroll account(s): As businesses learned during the SVB closure, it’s smart to keep funds at more than one location. That way if your funds are locked up for some reason, for example, a fraud attack, you have a backup source to meet short-term cash needs (payroll, accounts payable, etc). Credit lines can be used as backup, but those can also be shuttered at the worst possible time.
Example: Mercury, the SMB challenger* that captured 20% of the deposits fleeing SVB, automatically spreads funds in excess of $250k across a network of 20 banks. Not only does this provide up to $5M in FDIC insurance (20 x $250k), it means that one failure in its network won’t tie up a customer’s entire balance for even a few days.
- Train employees on spotting AI-assisted attacks: Traditional phishing training may not be enough to detect AI-assisted attempts. So you will need additional training so that employees recognize the signs of a potential attack, such as unusual behavior or language patterns.
Example security tool: PhishingBox is a phishing simulation and awareness training platform. It also provides advanced threat detection capabilities that can identify AI-assisted phishing attempts.
- Use advanced threat-detection tools: Current anti-phishing tools may not be able to detect every AI-assisted phishing attempt. Consider investing in advanced threat detection tools that better identify these attacks based on their unique characteristics.
Example tool: Darktrace is an AI-powered cybersecurity platform.
- Implement behavioral biometrics: Behavioral biometrics is a technique that uses machine learning to analyze users’ behavior patterns to identify anomalies. This can help identify AI-assisted phishing attempts that may be harder to detect through other means.
Example tool: Plurilock is a behavioral biometrics platform.
- Use AI-augmented security solutions: Businesses can also leverage AI to defend against AI-assisted phishing. AI-assisted security solutions use machine learning to analyze patterns in data and identify potential threats, such as unusual login attempts or suspicious behavior.
Example tool: CylancePROTECT is an AI-powered endpoint security solution.
- Conduct regular penetration testing: Penetration testing can help identify vulnerabilities in the system that attackers may exploit.
Example tool: Cobalt Strike can simulate AI-assisted phishing attempts.
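Going back to the first tip, here is one way to do the electronic confirmation with a shared secret: the approver derives a short code from the secret and the exact payment details, and the payer recomputes it before sending money. This is an added example, not code from the original article; the function names, the five-minute validity window and the sample values are assumptions.

```python
import hashlib
import hmac
import time

WINDOW_SECONDS = 300  # assumption: a code stays valid for about five minutes


def _code(secret, request_id, payee, amount_cents, window):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") never share a MAC input.
    fields = [request_id, payee, str(amount_cents), str(window)]
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


def confirmation_code(secret, request_id, payee, amount_cents, now=None):
    """Approver side: derive an 8-digit code bound to this exact payment."""
    now = time.time() if now is None else now
    return _code(secret, request_id, payee, amount_cents, int(now // WINDOW_SECONDS))


def verify_code(secret, code, request_id, payee, amount_cents, used_requests, now=None):
    """Payer side: accept only a fresh, unused code that matches these details."""
    if request_id in used_requests:
        return False  # one approval per request: a replayed code is rejected
    now = time.time() if now is None else now
    current = int(now // WINDOW_SECONDS)
    for window in (current, current - 1):  # tolerate one window of delay
        expected = _code(secret, request_id, payee, amount_cents, window)
        if hmac.compare_digest(expected.encode(), code.encode()):  # constant-time compare
            used_requests.add(request_id)
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values. The secret is agreed in person beforehand,
    # never sent over the channel that carries the payment request.
    secret = b"constructed-demo-secret"
    code = confirmation_code(secret, "REQ-1001", "New CRM Vendor", 1_000_000)
    print("code read back by approver:", code)
    print("as requested:", verify_code(secret, code, "REQ-1001", "New CRM Vendor", 1_000_000, set()))
    print("amount altered:", verify_code(secret, code, "REQ-1001", "New CRM Vendor", 9_000_000, set()))
```

Because the code covers the payee and the amount, a request that was altered in transit fails verification even if the attacker overheard a valid code.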
By following these tips, businesses can significantly reduce their risk of falling victim to AI-assisted phishing attempts and protect their sensitive information and assets.
Image Credit: Mohamed Hassan from Pixabay