The evolution of phishing: from vishing to quishing


In their early days, phishing attacks were generally quite simplistic: an attacker impersonated a trusted source in written communications (e-mail or letters, for example) to get at sensitive data.

To mark European Data Protection Day, held every year on January 28, we looked at how attackers have adjusted their tactics in response to advances in artificial intelligence (AI). With the growing availability of AI tools, voice phishing attacks, known as “vishing,” have become commonplace.

Organizations therefore have to respond to this development and modernize their IT security.

Phishing, the reconnaissance stage of a larger attack

Carefully examining the anatomy of an attack shows exactly what role phishing plays in the malware economy. Ransomware makes headlines when it manages to monetize its efforts, once the payload is delivered at the end of the infection cycle. Far less discussed is the infection cycle itself, which typically begins with a phishing attack.

The reconnaissance stage, early in an attack, plays an even more important role in the defense strategy. When attackers try to map an organization’s attack surface, they use phishing to collect confidential personal information. This can mean stealing credentials, or tricking a user into running malware that security tools do not yet recognize, in order to gain a foothold on a particular machine.

As adversaries actively exploit the latest trends, especially AI, to deceive users, businesses must minimize their attack surface and implement advanced behavioral analysis mechanisms.

Phishing attacks are becoming more personalized

The lure has evolved. We are no longer talking about simple e-mail fraud, but about far more personalized attacks that use the latest technologies, in particular AI tools. Users are becoming more attentive to traditional phishing campaigns, so attackers have developed new channels and new techniques.

Recently, fraudulent phone calls, or “vishing,” have gained popularity. The technique imitates the voice of a senior executive with a voice-cloning tool: the tool first captures the characteristics of the target’s voice from recorded samples, then uses AI to train a model that can speak arbitrary messages in that voice. Combined with traditional phishing methods, this creates a new challenge for users, who now have to judge the legitimacy of a request they hear rather than one they read.

But it is not just a matter of voice cloning. The latest development in phishing, which will mark 2024, is “quishing.” In this type of attack, a QR code is sent by e-mail, with a malicious link encoded in the image. Because the URL exists only as pixels, it is hard for the recipient to inspect, and most e-mail security tools, which look for links in text, do not see it. Employees who scan the code with a personal cell phone are particularly at risk, because most of these devices are not adequately protected and typically sit outside the corporate web filtering that would have blocked the link on a managed workstation. To counter the evolution of phishing techniques, a Zero Trust approach is essential. Its implementation should not be limited to the technological level, however; it must also extend to the human level.
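The point about QR lures is that the URL never appears as text, so a link filter has nothing to match. The following triage heuristic, added here as an example and not code from the original article, looks for the shape of such a message instead: an image part, no hyperlink anywhere in the text or HTML, “scan with your phone” wording, and a short body. The keyword list, weights, threshold and the two sample messages are all constructed for illustration (the image payload is a PNG header with padding, not a real QR code); it uses only the Python standard library.

```python
"""Triage heuristic for QR-code phishing ("quishing") e-mails.

Added example for this article, not code from the original page. Because a
URL encoded in a QR image is invisible to link-based mail filters, the
heuristic looks for the shape of such a message instead: an image part,
no visible hyperlink, "scan with your phone" wording and a short body.
All weights, the keyword list and the threshold are assumptions chosen
for illustration; tune them against real traffic.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Wording that typically accompanies a QR lure (assumed list).
QR_LURE_WORDS = ("scan", "qr code", "camera", "your phone", "mobile device")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SHORT_BODY_CHARS = 600          # assumed: image-centred lures carry little text
SUSPICIOUS_THRESHOLD = 5        # assumed


def extract_images(msg):
    """Return (name, raw_bytes) for every image/* part, inline or attached."""
    images = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            name = part.get_filename() or part.get("Content-ID", "inline")
            images.append((name, part.get_payload(decode=True)))
    return images


def text_and_links(msg):
    """Return (visible_text, url_count).

    URLs are counted in the raw text/html parts first, so an href="..."
    counts as a link even though the tag is stripped from the visible text.
    """
    chunks, urls = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        raw = part.get_content()
        urls += len(URL_RE.findall(raw))
        if ctype == "text/html":
            raw = re.sub(r"<[^>]+>", " ", raw)
        chunks.append(raw)
    return " ".join(chunks), urls


def triage_quishing(raw_message: bytes) -> dict:
    """Score one RFC 5322 message; higher means more quishing-like."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    images = extract_images(msg)
    text, url_count = text_and_links(msg)
    lower = text.lower()
    score, reasons = 0, []
    if images:                                   # +2: the "link" may be pixels
        score += 2
        reasons.append("%d image part(s): %s" % (len(images), [n for n, _ in images]))
    if url_count == 0:                           # +1: nothing for a URL filter to see
        score += 1
        reasons.append("no URL in any text part")
    if any(w in lower for w in QR_LURE_WORDS):   # +2: asks the reader to scan
        score += 2
        reasons.append("scan/QR lure wording")
    if len(text.strip()) < SHORT_BODY_CHARS:     # +1: the image does the talking
        score += 1
        reasons.append("short text body")
    return {"score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD,
            "reasons": reasons, "images": images}


def build_sample(subject, text, html=None, image_bytes=None):
    """Build a constructed test message (sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "it-support@example.com"
    m["To"] = "employee@example.com"
    m["Subject"] = subject
    m.set_content(text)
    if html is not None:
        m.add_alternative(html, subtype="html")
    if image_bytes is not None:
        m.add_attachment(image_bytes, maintype="image", subtype="png",
                         filename="qr.png")
    return m.as_bytes()


# Constructed samples. FAKE_PNG is a PNG header plus padding, not a real QR.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
QUISHING_SAMPLE = build_sample(
    "Action required: MFA re-enrollment",
    "Your MFA enrollment expires today. Scan the QR code below with your "
    "phone camera to re-enroll.",
    "<p>Your MFA enrollment expires today.</p><p>Scan the QR code below "
    "with your phone camera to re-enroll.</p><img src=\"cid:qr\">",
    FAKE_PNG,
)
BENIGN_SAMPLE = build_sample(
    "Q3 report",
    "Hi Sam, the Q3 report is at https://intranet.example.com/reports/q3 . "
    "Regards, Pat",
)

if __name__ == "__main__":
    for label, raw in (("quishing", QUISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage_quishing(raw)
        print(label, result["score"], result["suspicious"], result["reasons"])
```

On the constructed samples the QR lure scores 6 and is flagged, while the plain report e-mail scores 1. The heuristic is deliberately a pre-filter: the image parts of a flagged message should then be handed to an actual QR decoder (for example the decode function of the pyzbar library, an external dependency not used above) so that the recovered URL goes through the same reputation and sandbox checks a text link would have received.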

Never trust, always verify

Organizations are being forced to adapt their cybersecurity strategies to effectively combat the growing threat of sophisticated phishing and protect sensitive information by implementing a Zero Trust mentality.

Today, employees rely too heavily on the security solutions in place and do not exercise enough caution when faced with suspicious communications. A phone call from someone you think you know, but whose request seems unusual or unexpected, should always be checked. Before acting, the employee must verify the identity of the person in question. In the modern hybrid work environment, where in-person interactions are not always possible, it is strongly advised to use a second channel to confirm the initial request. For example, if a potential vishing call comes in over WhatsApp, the target should call the colleague back on a known number, send a message on Slack or use e-mail to confirm that the caller is who they claim to be. Furthermore, to keep accounts secure, employees must never communicate personal data or passwords by telephone or e-mail, even when asked to. No one inside the organization should ever need another staff member’s password to access data or assets in the system, so there is never a reason to share it.

Phishing is often the first link in the chain of compromise and deserves more attention, and not just on Data Protection Day. Businesses should take seriously AI’s new capabilities for improving phishing attacks. Organizations that are aware of these challenges and address them head-on can build a more resilient cybersecurity culture and effectively safeguard sensitive data. Adopting the Zero Trust mindset at the human level means training staff not to place implicit trust in a single source of information, but to verify it through another communication channel. This principle will only become more important as AI takes a major role in disinformation and misinformation campaigns.
