Remember when you used to get an email from a long-lost relative saying that you inherited millions, or an SMS congratulating you on being the latest lottery winner, even though you never purchased a ticket? While we still get those messages now and again, phishing attacks have become so sophisticated that it’s harder to tell what is real or fake.
Cybercriminals are using platforms that look like the real thing for their attacks
Artificial Intelligence is making it much easier for cybercriminals to generate all types of cyber-attacks, from duplicating legitimate platforms to generating personalised spear phishing attacks that look like the real deal. This is the new reality, and it is up to all of us to be alert when receiving emails, messages, and phone calls out of the blue, no matter how realistic they may seem.
AI is a cybercriminal’s trustworthy companion
Cybercriminals have five basic phases that they use when carrying out a phishing attack.
- Select targets
- Gather information about these people
- Create phishing emails
- Send phishing emails
- Validate the success of the attack and enhance emails as necessary for future attacks
With AI, cybercriminals have a choice of how sophisticated and slick they want their attack to be, using either free or paid-for options. Their main aim is still to get you to share personal information or your login details. However, their attacks are now more credible and appear trustworthy thanks to the help of AI.
An added advantage is that AI generates these attacks in seconds, whether it is a general attack or a personalised one. For spear phishing attacks, where there is a particular target, AI analyses information that is on social media platforms or publicly available to draft content that comes across as more believable. This information gathering stage, which would have taken a cybercriminal months to complete, is now completed in a very short period of time and is even more extensive than what they could have manually collected. Gone are the days of spelling and grammar errors in phishing attacks. Nowadays messages are more polished and look like they are actually sent from a trustworthy person.
What’s even more disturbing is that AI can mimic voice, writing style, and tone. The message then comes across as more believable and realistic. You could receive a phone call that appears to be from a company that you regularly use or subscribe to. Cybercriminals can use AI to analyse voice recordings, which they can get from social media platforms, previously hacked accounts, and publicly available content, and then use it to mask their own voice when calling you.
AI can manipulate existing photographs and cybercriminals can then use those photographs for extortion.
Be cautious when receiving messages and phone calls out of the blue
Cyber-attacks are constantly evolving, and new tricks and tools are being used to generate content that appears to be above board. One such tactic to be particularly cautious of is Business Email Compromise (BEC), where attackers impersonate legitimate senders or intercept email conversations to initiate fraudulent transactions, often without the victim's knowledge. Fraudsters often do extensive research on their targets to convincingly create false identities. They may create fake websites or register companies with similar names. Once they have gained access, the fraudsters monitor email traffic to identify potential financial transactions. They scrutinise conversation patterns and invoices to build trust with their targets before requesting money, gift cards or sensitive information.
Stay alert. Think before you action.
- Always verify the sender’s email address. Attackers often create near-perfect replicas of legitimate email domains with minor alterations.
- Don’t click on links or open attachments that are randomly sent to you, even if they appear to be from someone you know. Always check with the person, using contact information that you already have for them instead of the details provided to you in the communication.
- Messages and calls that you receive out of the blue to verify your account details or personal information are most likely a scam.
- Be cautious of emails that are highlighted as spam by a service provider. There is a reason the provider picked up something suspicious about them.
- There will always be outrageous sales on things that you just happen to be doing an online search on. Verify it’s real on the actual website instead of clicking on adverts that appear out of nowhere.
- Consider using safe words within your family and friends groups, so that you can easily verify if they are actually who they say they are.
- Take note of what is being asked for. If anything seems out of the ordinary, it most likely is.
- Stay ahead of the latest cybersecurity trends by reading content on reputable websites.
It is getting trickier to spot the difference between what’s real and what’s a phishing attack. It is therefore important that you stay alert at all times to ensure that you don’t fall victim and compromise the safety of your own personal information as well as that of your contacts and the UCT community.