Phishing is More Prevalent Than Ever, and it's Evolving. Here's How.

Phishing remains the number one attack vector for criminals to establish a foothold in your organization. Even in this day and age of Teams, Slack and their cousins being used for collaboration and communication, email remains the most common way to exchange information with people outside an organization. And it's got inertia because it's been there for so many decades, and everyone knows how to use email, both in their personal and work lives. To compound this threat even further, the sophistication of attacks is also rapidly accelerating, mainly due to the widespread proliferation and accessibility of AI technologies.   

In this edition of 'The Sting of Security,' we explore how phishing is evolving in the age of AI. We also list the phishing email types your employees should know about in 2024 and provide practical tips for building cyber resilience.

Phishing in the Age of AI 

The arsenal of tactics employed by threat actors continues to evolve with the widespread accessibility of LLMs. 

Here are three areas where LLMs are having an impact on phishing tactics: 

Sophisticated phishing

Unlike traditional phishing, which frequently relies on mass, generic communication, AI-assisted phishing tailors each message to its recipient, making detection much more difficult. The sophistication of these attacks stems from their ability to convincingly mimic genuine communications and fine-tune their wording for maximum effect.

Targeted attacks

Traditionally, threat actors would conduct research via LinkedIn or company websites. However, with the sophistication of LLMs, threat actors can now conduct targeted research on their recipients with minimal effort. By leveraging massive amounts of data, LLMs can personalize each phishing attempt, effectively transforming a mass, generic attack into a mass-targeted attack.  

Translations

Many phishing and Business Email Compromise (BEC) defenses are tuned for English and have less success stopping attacks in other languages. There are also geographies where phishing and BEC attacks have been uncommon until now, making the average finance department worker less suspicious (Japan, other countries in East Asia, and Latin America). With the advancement of AI tools, we're likely to see a surge in attacks as attackers who aren't fluent in a language can translate their emails into near-perfect prose, expanding their potential target pool many times over.

To demonstrate how easy it is to generate a phishing email through an LLM, we decided to create our own. The following is an attack on Andy Syrewicze, a Security Evangelist at Hornetsecurity. Here is the initial research prompt and output:  

As you can see, a simple prompt provides a detailed breakdown of a social engineering strategy to target Andy, drawing on his professional and personal online footprint, something that would take far longer to achieve manually.

This is then followed up with a very convincing draft of a spear-phishing email for Andy.   

The email generated here is of a much higher quality than the average phishing email and far more likely to succeed. The personalization of the references and context demonstrates how effective AI tools such as LLMs can be in crafting targeted spear-phishing attacks.  

Types of Phishing Emails Your Employees Should Know About in 2024 

Advance-fee scam  

These types of emails try to make victims believe that they are the recipients of a large amount of money (emotion trigger: greed), but to receive it, they must pay a fee ("transfer fee" or "handling fee"). 

Spoofing  

Spoofing uses various techniques to make an email appear to come from a trusted sender when, in fact, it was sent from attacker-controlled infrastructure. In the simplest case the attacker forges the visible From header; the envelope sender (Return-Path) and the sending server, which the recipient's mail server can verify with SPF, DKIM and DMARC, then often disagree with what the From header claims.

Impersonation  

Impersonation is closely related to spoofing: rather than forging a specific address, the attacker borrows the identity of someone or something the victim trusts. A common flavor is brand impersonation, a highly successful technique used to steal data for use in future scams. By posing as a well-known brand or organization, often with a lookalike domain and a convincing display name, attackers trick their victims into clicking a link or opening an attachment in the email.
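The checks that the Spoofing and Impersonation sections describe can be scripted against the headers of a received message. The following is an added example written for this page, not Hornetsecurity code: it uses Python's standard email parser on two constructed sample messages (one spoofed, one legitimate), compares the From domain with the Return-Path domain, reads the SPF/DKIM/DMARC verdicts a receiving mail server records in Authentication-Results, and flags display names that claim a brand from a domain outside a hypothetical allow-list, including digit-for-letter lookalike domains. The BRAND_DOMAINS allow-list, the tag names and both messages are assumptions for illustration; the script parses verdicts, it does not perform DNS lookups itself.

```python
"""Header triage for spoofing and brand impersonation (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not a real message): the display name claims to be a
# bank, the sending domain swaps a digit for a letter, the envelope sender is
# on a different domain, and the receiving MTA recorded a DMARC failure.
SUSPECT_RAW = b"""Return-Path: <bounce@bulk-mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-mailer.example.net; dkim=none; dmarc=fail header.from=examp1ebank.com
From: "Example Bank Security" <alerts@examp1ebank.com>
To: victim@example.com
Subject: Action required: verify your account

Please confirm your account within 24 hours.
"""

# Constructed sample of a legitimate notification for comparison.
LEGIT_RAW = b"""Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
From: "Example Bank Security" <alerts@examplebank.com>
To: victim@example.com
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""

# Hypothetical allow-list: brand names as they appear in display names,
# mapped to the domains that legitimately send mail for that brand.
BRAND_DOMAINS = {
    "example bank": {"examplebank.com"},
}

# Digits attackers commonly substitute for similar-looking letters.
HOMOGLYPHS = str.maketrans("0135", "oles")


def domain_of(address):
    """Lower-cased domain part of 'Name <user@host>', or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value or "", re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def edit_distance(a, b):
    """Plain Levenshtein distance; domains are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit):
    """True if domain imitates legit via digit swaps or a single-character edit."""
    if domain == legit:
        return False
    folded = domain.translate(HOMOGLYPHS)
    return folded == legit or edit_distance(folded, legit) <= 1


def triage(raw):
    """Return finding tags for a raw RFC 5322 message; an empty list means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_hdr = str(msg["From"] or "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    rp_dom = domain_of(str(msg["Return-Path"] or ""))
    # Envelope sender and header From disagree. Legitimate bulk mailers do this
    # too, so treat it as a signal to combine with the others, not a verdict.
    if rp_dom and rp_dom != from_dom:
        findings.append("envelope-mismatch")
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    if auth.get("dmarc") != "pass":
        findings.append("dmarc-" + auth.get("dmarc", "missing"))
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_dom not in legit_domains:
            findings.append("brand-impersonation")
        if any(is_lookalike(from_dom, d) for d in legit_domains):
            findings.append("lookalike-domain")
    return findings


if __name__ == "__main__":
    print("suspect:", triage(SUSPECT_RAW))
    print("legit:  ", triage(LEGIT_RAW))
```

Running the script reports all four tags for the spoofed sample and nothing for the legitimate one. In production the Authentication-Results header must be trusted only when it was added by your own receiving server (strip any copy that arrives from outside), and the allow-list would come from your brand protection or DMARC reporting data rather than a hard-coded dictionary.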

QR Codes 

QR codes have become very popular in phishing emails, for two reasons. Firstly, email hygiene solutions were slow to add the capability to spot QR codes in messages: decoding the image, following the embedded link and inspecting the target web page for signs of maliciousness. Secondly, and probably why we're still seeing large volumes of malicious emails with QR codes, they move the attack from the often managed, locked-down, secured computer endpoint where most business users read their email to a personal smartphone with minimal protection. Scanning a QR code with a smartphone is second nature for most of us, their use in society is so common, and people don't expect a bad result from doing it.

Protect Your Business by Training Your Users  

Technology alone will never be enough to protect you and your team from falling into the trap of phishing attacks. To build a cyber-resilient organization in the age of AI, you must involve every single person who works there. Simple practices such as understanding the risks in the threat landscape, combined with regular security awareness training that adapts to the users' needs, can help you cultivate a culture of 'polite paranoia'.

In our free eBook, we discuss phishing in 2024 in even more detail, provide strategies to improve your security posture, and effectively train your employees to spot phishing emails. Download it here
