While there’s no denying that AI has its advantages, it also comes with its fair share of drawbacks. One of them is the way it makes social engineering easier to pull off.
Cyber criminals are beginning to utilize AI software to generate the voice of chief executive officers and fool employees into revealing sensitive information or initiating monetary transfers.
An astounding 82% of cyber security breaches involve a human element, according to a 2022 report by Verizon. Most of those breaches happen through email that pretends to be something it’s not, in a technique known as social engineering.
It could be an email from a colleague asking for login access to a database. It might be a newsletter from a trusted vendor containing a time-sensitive link. Perhaps it’s an urgent text from the CEO asking you to share your password. It can be difficult for employees to discern real communication from these phony emails.
A recent case involving a UK-based energy firm shows the danger. The firm’s CEO was on the phone with someone he believed was his boss, who asked him to send $243,000 to a supplier in Hungary. It was later revealed that AI software had been used to mimic the CRO’s voice, nailing his German accent and speech melody.
To be safe, organizations need a strong defense against all kinds of social engineering attacks. To get you started, we explain social engineering and present the eight best methods your organization can use to prevent social engineering and data loss.
What is social engineering?
You’ve heard about telephone scams where a fraudster convinces someone to send money to help a friend or relative in need. That’s what social engineering is, and it can happen over the phone, by text, or online. The key to social engineering is the manipulation of common social relationships, everyday communication, and human emotions.
“Human hacking” turns communication that feels legitimate into a weapon. When social engineering succeeds, cyber criminals trick people into doing something they shouldn’t, like clicking a malicious link in an email, visiting a fake website, or sharing secret information.
Cyber attackers usually want personal data, like credit card or bank account numbers, to steal money. They also want login credentials to gain access to corporate networks, which are prime targets for ransomware attacks.
How AI is Being Used to Carry Out Social Engineering Attacks
AI is clearly becoming a problem for companies worldwide as cyber attackers begin to use it to prey on employees and launch attacks. The recent incident of AI mimicking an executive’s voice is not the first time an executive has been impersonated, but it is the first such incident that clearly relied on AI.
The use of AI to carry out cyber attacks has been a hot topic, especially since the launch and popularity of ChatGPT, which has been shown to be capable of writing malware code and phishing emails.
AI, in this case, is a threat, and an uptick in its use to carry out attacks is widely expected. From mimicking CEOs’ voices through commercial voice-generating software to writing hard-to-detect malware, it’s clear that machine-learning technology is making cyber crime easier, and organizations must be more vigilant.
8 Ways to Block Social Engineering Threats
While AI is quickly becoming a threat to cyber security, companies can also use it to fight cyber threats. To avoid becoming a victim of AI-assisted social engineering, organizations need a multi-pronged security strategy that counters social engineering attacks and bolsters their perimeter.
Employees, IT personnel, and the systems you run should all be involved. Implement the strategies below across your organization and share them with employees, friends, and family members to get security savvy and feel better protected online.
1. Provide Security Awareness Training
Much of human instinct is hardwired. That’s what makes social engineering so effective. Responding to a friendly request for information feels natural and helpful. End users need to learn new behaviors when they open emails and communicate online for organizations to protect themselves against social engineering’s fraudulent requests. They need to re-train their deepest human instincts.
Cyber security awareness programs are instrumental in this. Some, if not most, employees don’t have knowledge of what cyber attacks and techniques might await them in their inbox. They need up-to-date information, examples, and scenarios they can relate to. A great program teaches cyber security knowledge in hands-on workshops and keeps that knowledge current through reminders, newsletters, and signage.
2. Enable Multi-Factor Authentication
Passwords used to be a great way to protect systems and limit account access. Ideally, they’re something only you know. However, cracking passwords is now child’s play for capable cyber attackers.
Multi-factor authentication helps by adding one more layer of protection. If a skilled cyber attacker does get their hands on your employee password, they can’t use it to gain entry without a second authenticating piece.
Passwords are something you know. Add protection from one of two other categories: something you have (phone, authenticator app) or something you are (thumb or voice print).
3. Impose Strong Social Media Policies
Cyber attackers often direct phishing emails to owners of social media accounts in an attempt to take control of them. Then, posing as the account owner, they can easily target friends and colleagues to gather more sensitive information.
To reduce the chance of social engineering over platforms from LinkedIn to TikTok, impose social media policies that require safe sharing practices and limit who can send messages to authorized friends.
4. Verify Sender Identities
In the Verizon breach report, a technique called "pretexting" accounted for 29% of social engineering attacks. In this tactic, cyber criminals send fake emails that appear to come from trusted entities (vendors, contractors, and financial institutions) to solicit confidential details or credentials.
Train your employees to hit "pause" before responding and contact the vendor to see if the request is legitimate.
5. Look for SSL Certificates
A quick look at the URL bar gives one more layer of protection against social engineering attempts. Secure, encrypted site addresses have SSL certificates, begin with https://, and display a padlock icon. Unsecured sites give themselves away: they lack the padlock and begin with http://. If a website doesn't show those signs, avoid it. Bear in mind that the padlock only shows that the connection is encrypted and the certificate matches the domain in the address bar; it says nothing about who owns that domain, so check the domain name itself as well.
6. Run Social Engineering Simulations
Practice makes perfect, and security awareness is no exception. Putting the lessons from security awareness training to work in simulations gives employees the confidence to detect different kinds of social engineering attempts and the skills to handle them. Running tests also generates critical insights: training firms can dig into the data, identify gaps, and help you address them.
7. Introduce Strict Policies Around Financial Procedures
Since many cyber criminals are motivated by financial gain, financial transactions are a prime target of social engineering attacks. Technical barriers like firewalls and anti-virus software won't help in these situations. Instead, organizations need to develop strict procedures around money transfers and payments. No one wants to be the employee that accidentally sends a payment to a cyber attacker's account. Employees feel assured when policies are in place to guide their actions, and they know they're sending money only where it's supposed to go.
8. Use Spam Filtering
Since the bulk of social engineering attacks happens through email, organizations need to have high-quality spam filtering in place. Though the amount of spam has diminished over the years, data shows that nearly half of all email traffic (45.56%) in 2021 was still spam. Directing your IT team to cut as much spam as possible will curb the majority of social engineering emails before they reach your employees.
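As an added example for sections 4 and 8 (not code from the article), the Python below scores two constructed messages with the kind of heuristics a pretexting-aware mail filter applies before a human sees the message: a typo-squatted sender domain, an address smuggled into the display name, a Reply-To that diverts answers elsewhere, pressure language, and plain http:// or lookalike links. Anything that trips two or more signals is held for the "pause and verify out of band" step from section 4. The trusted domains, phrase list and both sample emails are constructed for this example; a production filter would layer SPF, DKIM and DMARC results and sender reputation on top of checks like these.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Tuple

# Domains this organisation actually exchanges mail with (constructed for the example).
TRUSTED_DOMAINS = {"example.com", "vendor-example.com"}

# Pressure phrases that pretexting and CEO-fraud messages lean on (constructed list).
PRESSURE_PHRASES = ("urgent", "immediately", "wire", "transfer", "password",
                    "verify your account", "cannot talk", "before 5pm")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted sender and link domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str) -> bool:
    """True for a domain that imitates a trusted one without being one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(t in domain or edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def body_text(msg: Message) -> str:
    if msg.is_multipart():
        return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def score_message(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); each reason is one heuristic that fired."""
    msg = message_from_string(raw)
    reasons: List[str] = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if is_lookalike(sender_domain):
        reasons.append(f"sender domain {sender_domain} imitates a trusted domain")
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)  # address hidden in the name
    if embedded and embedded.group(1).lower() != sender_domain:
        reasons.append("display name carries an address that differs from the real sender")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append("Reply-To routes answers to a different domain than From")
    body = body_text(msg)
    hits = [p for p in PRESSURE_PHRASES if p in (msg.get("Subject", "") + "\n" + body).lower()]
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))
    for url in re.findall(r"https?://\S+", body):
        host = re.match(r"https?://([^/]+)", url).group(1).lower()
        if url.startswith("http://"):
            reasons.append(f"unencrypted http:// link to {host}")
        if is_lookalike(host):
            reasons.append(f"link host {host} imitates a trusted domain")
    return len(reasons), reasons


def classify(raw: str, threshold: int = 2) -> str:
    """Two or more independent signals: hold the mail and have the recipient verify out of band."""
    return "hold-and-verify" if score_message(raw)[0] >= threshold else "deliver"


# Constructed sample messages (not real mail).
BENIGN_NEWSLETTER = """From: Vendor News <news@vendor-example.com>
To: staff@example.com
Subject: March product update

Read this month's release notes at https://vendor-example.com/notes/march
"""

CEO_FRAUD = """From: "Jane Doe (CEO) jane.doe@example.com" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@freemail-example.net
To: accounts@example.com
Subject: URGENT wire transfer before 5pm

I am in a meeting and cannot talk. Please transfer the supplier payment immediately.
Confirm the account details here: http://example.com.secure-login-example.net/verify
"""

if __name__ == "__main__":
    for label, raw in (("newsletter", BENIGN_NEWSLETTER), ("ceo fraud", CEO_FRAUD)):
        score, reasons = score_message(raw)
        print(f"{label}: {classify(raw)} (score {score})")
        for r in reasons:
            print("  -", r)
```

The score is a plain count so that each signal stays auditable on its own; the point of a held message is that the employee verifies the request through a known phone number rather than by replying, which is exactly what the Reply-To trick tries to prevent.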
Curb Social Engineering Attempts with Security Awareness Training
Given today's breach statistics, the best defense against social engineering attacks prioritizes the human element. A solid cyber security awareness training program will inform your employees about evolving social engineering attacks and teach them how to recognize different tactics. Alongside those measures, it's essential to keep your technology up to date and maintain strong security policies.