How AI and machine learning are changing the phishing game

Bad actors have learned: the more data they can gather about you, the more successfully they will be able to phish you. This is probably why this attack vector has never been so popular.

Proofpoint’s State of the Phish 2022 report found that 83% of organizations experienced a successful email phishing attack in 2021, an increase of 46% from 2020, while 86% of businesses experienced mass phishing attacks and 77% experienced business email compromise (BEC) attacks.

Global phishing attacks have increased 29% in the past 12 months to a record 873.9 million attacks, according to the latest Zscaler ThreatLabz Phishing Report, and there have been a record number of phishing attacks (1,025,968) in the first quarter of 2022, according to phishing activity. Anti-Phishing Working Group (APWG) Trend Report. But things get even more complicated.

Crooks are now taking and ingesting all hacked data found on the internet and combining it with artificial intelligence (AI) to target and attack users. This practice worries some of the biggest companies in the world more than ever as the level of sophistication of phishing attempts increases. The scary part? There’s an increase in successful phishing and ransomware payouts, and the AI ​​used isn’t even that smart yet.

The evolution of phishing

At its core, social engineering involves tugging at a user’s emotional heart to elicit a response that ultimately results in them providing personal information such as passwords, credit card information credit, etc

Unsophisticated phishing attacks in the form of emails, SMS, QR codes, etc. are usually easy to spot if you know what to look for. Grammatical errors, typos, suspicious links, fake logos, and “from” email addresses that don’t match the credible source they claim to be are dead giveaways.

These attacks were often carried out en masse, targeting millions of people to see who would bite. But bad actors have evolved — and so have their tactics.

Hackers have started using AI to target individuals in smarter ways. Perfect examples are messages from your “IT department” containing information about your work or a personalized, direct spear-phishing attack – which included your actual password – informing you that your account has been compromised.

Now, once again, the bad actors go one step further.

The AI ​​phishing revolution

Hackers love and hoard data. But the data they value most is hacked data — not just information they’ve personally hacked or ransomed. Threat actors love every bit of data that has ever leaked onto the dark web.

Data breaches can tell hackers everything from your mother’s maiden name to your date of birth, past passwords and even your personal interests. While it’s probably not something you haven’t heard before, what has changed is how scammers use this information.

Bad actors are now combining this data with AI to target users with incredibly sophisticated phishing attacks that are more compelling than ever. And they’re doing it with an AI that’s not even that smart yet.

The AI ​​can’t deviate from its pre-programmed path, so we don’t have to worry about it thinking for itself. But as people get smarter, they can build more sophisticated models and train AI to run more complex scenarios. As the level of sophistication increases, all signs point to a future where phishing looks a lot like targeted advertising.

Targeted ads meet targeted phishing

It’s almost impossible to avoid ads these days. They appear everywhere based on your browsing, search and social media history. We’ve gotten to the point where we joke about advertisers knowing what you want before you know you want it.

How long until the attackers get this advancement? How long before a business intelligence firm is hacked and hackers use the same data advertisers use to phish you? Near real-time targeted phishing campaigns are not a distant concept; it’s on the horizon.

Imagine you’re looking for Super Bowl tickets and within minutes you have phishing emails in your inbox offering you Super Bowl VIP experiences. This is the real and immediate threat posed by AI – and we are getting closer and closer to this reality.

The future of phishing

AI and Machine Learning (ML) are currently being used to systematically bypass all of our security controls. The attacks occur at a level and sophistication that no human – or group of humans – could achieve without a bit of (artificial) intelligence.

If you think bad actors need to create a brilliant self-made AI hacking bot to achieve these goals, you’re wrong. They simply need to create AI smart enough to interpret and manipulate specific datasets in specific scenarios – which is exactly what criminal hackers and nation-state actors are actively doing to target and compromise people and organizations.

AI isn’t as high-tech as some think, but it can still be used to take advantage of unsuspecting individuals. By combining AI and hacked data, hackers create more targeted and sophisticated phishing campaigns and achieve greater success.

AI and ML have rewritten the rules and changed the phishing game, and there is no turning back. If we don’t address this now, the game will quickly become out of reach.

Joshua Crumbaugh is CEO of PhishFirewall, Inc.