September 16, 2024
Article

Social engineering has got a high-tech upgrade – have you got a response?

Social engineering preys on human trust and psychology. Hackers manipulate employees into divulging sensitive information or granting access to systems. It's effective because it bypasses even the most robust firewalls – it targets the human element.

“Hi Alice,

I received the attached invoice from the sales team last week, but I’m having trouble understanding the costs, in particular items 5 & 6. Could you please take a look at them and explain how this total was achieved?

Many thanks,

Rob,

Head of Procurement”

Many of us receive emails similar to the one above on a daily basis, as a normal part of business. This is an example of a spear-phishing email that was opened and resulted in a large ransomware attack. The sales representative was only doing their job, but the PDF displayed as ‘broken’ and sent them to a link that contained an encrypted zip file, that resulted in a download of ransomware, that very quickly took down a multi-national business.

Targeted phishing (Spear-phishing) can be very effective but does require some effort from threat actors to tailor emails to the client, or even spoof the emails to make them look like they have come from legitimate clients.

But here's the worrying trend: social engineering is getting a high-tech upgrade with the help of Artificial Intelligence (AI).

AI-Powered Social Engineering

AI is making social engineering attacks more targeted, efficient, and dangerous. Gone are the days of receiving a letter regarding a long-lost fortune that requires you to send a cheque to release. Attackers are getting smarter, utilising technical improvements to fool humans and rely on our natural instinct to trust. Here's some examples how:

  • Deepfakes: These have been used maliciously in the past to create fake videos of celebrities, or important people in acts that are completely fictitious, for example heads of states seemingly giving out false information. Attackers are using AI-generated video and voice mimicry in real time, to fool people into believing they are getting a call from their line manager, loved one or similar. These can create a powerful sense of urgency and trust, luring employees into clicking malicious links or sending money to loved ones in need.
  • Social Media Scraping: AI-enabled tools can trawl through social media platforms to build detailed profiles of employees. This allows attackers to personalise phishing attempts, mentioning hobbies, colleagues, or even recent work trips to make the emails seem more legitimate. Commercial tools can automate this data collection process, and when paired with malicious tools like Worm GPT, attackers could automatically generate thousands of spear-phishing emails to target many individuals in a company, with their own bespoke email.
  • Language Automation: AI can craft convincing phishing emails that bypass spam filters. These tools can analyse previous successful phishing campaigns and use that data to write emails with the perfect tone, urgency, and language to trick the recipient.

Protecting Your Business from the Evolving Threat

While AI presents new challenges, the core principles of defence remain the same:

  • Employee Awareness Training: Regular training can equip employees to identify red flags in emails, phone calls, and even in-person interactions.
  • Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it harder for attackers to gain access even if they obtain login credentials through social engineering.
  • Security Culture: Foster a culture of security awareness within your organisation. Encourage employees to report suspicious activity and avoid clicking on unknown links or attachments.
  • Open Source and Dark Web monitoring: Knowing if your company has credentials leaked, or any other valuable information out on the web, is a good way to be aware of potential weaknesses in the business, and act early, before the damage is done.

Social engineering isn't going away, but by staying informed and implementing strong security practices, you can make your business a much harder target. Don't underestimate the power of a well-trained employee – they are your best defence against even the most sophisticated social engineering attacks.

Stay secure, stay vigilant! If you would like to learn more about how CCL can protect your organisation, contact us today.

We're here to help

Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.

Get in touch