An employee of a Hong Kong company recently had a video conference call scheduled with the CFO. During the meeting, CNN reported, the employee was instructed by the CFO and other members of the C-suite leadership team to deposit a total of $25 million into the accounts of five separate banks. The meeting ended and the employee completed the transactions.
Only later did this employee suspect something was amiss. Turns out, he was the only human on the call. Others on the call were all deep fake imposters.
At a press conference about the incident, Baron Chan Shun Ching, superintendent in the cyber security unit of Hong Kong’s police department, said: “I believe the fraudster downloaded videos in advance and then used artificial intelligence to add fake voices to use in the video conference.”
In a type of cybercrime jujitsu, criminals are using generative AI and our past security awareness training to earn employees’ trust in order to steal money or sensitive information. This combination of phishing with deep fakes likely signals a new era in cybercrime.
Next Generation Phishing
Remember the good old days when Nigerian princes were trying to deposit millions into your bank account, provided you covered the cost of shipping? Or you could easily spot phishing scams by the hilarious grammar, questionable spelling and bizarre word choices?
“Dear Sor: We hope this missive finds you whell. Please accept are 12$ million monies forthwith.”
Well, those types of clues no longer work. Cybercriminals now use AI, or more specifically generative AI: models that learn the patterns and structure of their training data and then produce new text, images or other data with the same characteristics.
These new phishing scams result in perfectly crafted, error-free, emotionally convincing emails that appear to come from a trusted source and reference actual events in your life.
AI-augmented phishing emails are designed to trigger your trust hormone by systematically eliminating the red flags you learned to spot during your organization’s cyber security awareness training. If someone on your team receives a well-crafted, error-free email from a friend that references recent personal events, the training we’ve relied on in the past would suggest that the email (and any links in it) is safe.
From Email to Network
If a cybercriminal who’s targeting you happens to have access to your company data (such as emails compromised during a Microsoft 365 attack), they can use that access to become extremely wily and credible. Criminals can easily dump breached data into a large language model (LLM) and then ask AI to compose a phishing campaign based on the subjects in your recent emails.
AI software allows even beginner cybercriminals to scrape your relationships, life events and location from social media, combine them with personally identifying information purchased on the dark web, and deliver the result to your inbox or as a text to your phone as if it came from someone you trust. It’s like having your own personal stalker, but far worse.
Cybercriminals are no longer crafting emails one by one. It used to take them months to prepare a spear-phishing campaign for specific targets. Now they use AI to generate millions of emails, many times per day. That means phishing and business email compromise campaigns will eventually land in your inbox as often as spam, and that threatens your bottom line.
How to Protect Your Business
Your organization can fight back. Reach out to BrightFlow Technologies for training. Our team can retrain your team to properly identify, verify and distinguish harmful phishing and social engineering schemes from legitimate communication. This requires new strategies applied to old reflexes.
We work with our client partners to identify what data is the most sensitive, profitable and targeted by cybercriminals, and then prioritize its defense. It’s difficult in today’s cyber environment to protect everything, so our advice is to protect the most valuable assets first.
You can also adopt the latest technologies to enhance your small business cyber security. We can implement defensive software tools like AI-enhanced spam filtration that helps detect phishing emails. Generative AI is brilliant at detecting patterns, and that will make identifying even the most well-crafted phishing campaigns somewhat easier. Then our team here at BrightFlow can help segment and segregate your network so that access to one area of your data doesn’t expose others.
It Can Happen to Anybody
If you consider yourself an old hand at spotting phishing scams, just remember it can happen to anyone when they are distracted or preoccupied. Some of the biggest and most sophisticated companies in the world have been fooled by phishing scams.
Between 2013 and 2015, Facebook and Google were scammed out of $100 million when cybercriminals carried out an extended phishing campaign. They took advantage of the fact that both companies used the same Taiwanese vendor, Quanta. They sent a series of invoices pretending to be from Quanta, and both Facebook and Google paid.
When the scam was discovered, it was taken to the U.S. courts. The attacker was arrested and extradited from Lithuania. Facebook and Google recovered just under half of what was stolen.
In 2014, Sony Pictures became the victim of a phishing attack that wasn’t about money. The attackers were believed to have a connection to North Korea, and targeted Sony because of a movie it refused to withdraw that mocked Kim Jong Un. The cybercriminals used fake emails to steal huge amounts of information from Sony’s network.
That included email conversations about celebrities, staff members, scripts and employees’ personal information. They even gained access to Sony’s offices by tricking their way in. They impersonated IT staff and installed malware on Sony’s systems. The attack ended up costing Sony more than $35 million in IT repairs.
Reminders of What to Look Out For
Even in the age of AI, there are tells you can look for that indicate you have been targeted by an email phishing campaign.
Research the email address. Hover your cursor over the sender’s name in your emails, as well as any website addresses. This will show you the actual email address used or the website you are being directed to.
Think before you click. Do not log in to any accounts by following a link in an email. Go directly to the website that you always use and log in that way.
Check all emails to make sure they are genuine, even if they are from close friends or colleagues.
You can bolster small business cyber security by never using the same passwords across different online accounts. Cybercriminals will often try your credentials on countless other sites once they’ve stolen them. Using different login details will keep your other accounts protected.
Employ a password manager to make sure passwords are long and randomly generated, making them virtually impossible to guess.
Implement multi-factor authentication across all applications. MFA requires a second proof of identity, typically a code or prompt on a separate device, before a login is accepted, so a stolen password alone is not enough.
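The first two checks in the list above (the real sender address behind a display name, and the real destination behind link text) can be automated as a first-pass filter on incoming mail. The script below is an added illustration, not BrightFlow’s own tooling; the sample message and the lookalike domains in it are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name and the link text both
# look like trusted domains, while the real sender address and href point elsewhere.
SAMPLE_EMAIL = """\
From: "Jane Doe CFO (jane.doe@example-corp.com)" <jane.doe@examp1e-corp.co>
Content-Type: text/html

<p>Please confirm the transfer at
<a href="https://login.examp1e-bank.co/auth">https://www.example-bank.com/login</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain_of(text):
    """Domain embedded in an address or URL as shown to the reader, or None."""
    m = re.search(r"@([\w.-]+)", text) or re.search(r"https?://([\w.-]+)", text)
    return m.group(1).lower() if m else None

def analyze(raw):
    """Return red flags: what the reader sees versus where mail and links really go."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    real, shown, flags = _domain_of(addr), _domain_of(display), []
    if shown and shown != real:
        flags.append(f"sender display name shows {shown} but address is {real}")
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        target, shown = urlparse(href).hostname, _domain_of(text)
        if shown and shown != target:
            flags.append(f"link text shows {shown} but points to {target}")
    return flags
```

Running `analyze(SAMPLE_EMAIL)` reports both mismatches; a message whose display name carries no address and whose link text matches its href produces no flags.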
Codes and Calls
If you often deal with financial transactions over email, the best practice is to set up a dedicated email address that invoices should be sent to. Do not advertise that email on your website. Doing this will make it far less likely to be targeted with phishing emails.
You could also implement codewords with clients or suppliers if an email is regarding payments. If the email doesn’t contain the codeword, you know not to process the transaction. Don’t email these codewords, or they may be harvested. Phone your suppliers to communicate the correct codewords.
Ensure your financial protocols are followed exactly for all transactions. For instance, you might decide that all transactions must be confirmed over the phone for security reasons.
Turn to Experts in Small Business Cyber Security
To protect an organization and its assets, most small business cyber security experts recommend employing experts outside the organization. Hiring an external security assessment team to evaluate your vulnerabilities can help because internal IT teams may have less incentive to discover their own mistakes. A security expert like BrightFlow Technologies can provide a fresh perspective.
In conjunction with your security experts, develop pre-attack and post-attack responses. By creating a prevention roadmap before the attack, as well as an incident response plan after an attack, your team will know exactly who to call and how to respond when a successful phishing attack occurs (because it likely will). Preparation is the greatest form of mitigation.
When nothing bad happens, reward your team for taking their training seriously. Plan an outing to a go-kart track, a golf course or anything else they enjoy. Nothing says “thank you for not clicking on that possible company-destroying scam” like a fun event that creates fond memories. Incentivizing protective behavior is just as critical to your culture of security as retraining after someone mistakenly clicks on a phishing email.
Cybercrime is constantly evolving and now AI enables every attack type to scale. Make sure your company and your team do not end up as victims.
If you want more information on protecting your company, reach out to our team at BrightFlow Technologies.