
Phishing tactics are changing, and not for the better. At least, not for users. And AI is leading the charge in making vishing, smishing, and even spear phishing attacks more dangerous than ever.
But is that all we have to worry about? Attackers are leveraging artificial intelligence to its fullest potential, pushing the boundaries of what we once thought possible. Nowhere is this advancement more evident or rapidly evolving than in the realm of email-based attacks.
Let’s explore some of the more advanced and lesser-known techniques phishing attacks are using to disrupt the cybersecurity landscape and why partnering with a phishing awareness training provider that can stay ahead is essential.
Stay Informed on the Latest Phishing Tactics
Thanks to AI, attackers are playing hardball when it comes to duping us through our inboxes. While we once may have had the advantage of recognizing tell-tale bad grammar, sloppily copied logos, or weird URLs, AI is making all of those disappear. Unfortunately, the relevance of many outdated security awareness training (SAT) programs is going along with them. Phishing today is more a living, breathing thing than it ever has been, and unless AI is ready to hit its limit (we doubt it), it will continue to evolve. This underscores the need for a continuously updated, real-time phishing training provider in today’s enterprise environment. Here are some of the reasons why:
Deepfakes
AI is leveling up phishing with deepfakes to be proud of. Not only can they imitate someone’s likeness and voice, but using the data which treacherous AI models can scrape off social media (and other internet avenues), these videos can even pull in relevant personal details which make the “person” sound just like themselves. While a face-to-face call with Elon Musk might be easy to sniff out, things like real-time romance scams and terrifying calls from loved ones in the middle of the night might not be. What does this have to do with phishing scams hitting your inbox at work? More than you might think.
Being aware of these tactics can heighten your vigilance when your “boss” urgently calls from an airport asking for a wire transfer, or when a longtime LinkedIn connection sends a distressing video claiming they need help. Any entrance into an employee’s device, system, or trust can be exploited to widen the opportunity until the attacker finds an opening into the organization’s network itself, especially with how many personal devices are being used for work these days.
Perfectly written AI-crafted scams
Like we mentioned earlier, no longer can we spot a fraudulent email by grammatical mistakes and unnatural verbiage. AI now can “speak” over 1,000 different languages (fluently, by the way) and it has no qualms about using its expert linguistics to dupe users out of a bit of personal information. A recent survey reveals that AI was central in creating 40% of business email compromise (BEC) attacks in Q2 of last year.
This research indicates that the next wave of BEC attacks could see attackers leveraging AI to analyze and exploit real-time data, crafting highly personalized and convincing scams that are nearly indistinguishable from legitimate messages. In other words, AI will be so advanced at "thinking on its feet" that you might unknowingly be interacting with an AI-powered phishing bot posing as a vendor, coworker, or even your boss. Are your users prepared to spot these threats? And are they aware that such capabilities are on the horizon?
URL masking
But what about those tricky URLs? Even if we fall short in recognizing the language of phishing scams, fall for the convincing video link, or respond to an email that really does sound like it’s our boss (it even referenced her favorite hockey team), can’t we always rely on a good, convoluted link to ultimately give it away? Not so much anymore. Tricks like URL masking and URL redirection (also known as open redirection) can do one of two things.
In the case of URL masking, attackers can literally hide the actual web address (the suspicious-looking one) and make a legitimate-looking one pop up in your address bar. With URL redirects, phishers can slide by email scans with URLs that are totally clean. However, once you click, that clean URL re-routes you to a dangerous, often spoofed site where you are likely to enter your credentials (Microsoft account update, anyone?). Also, beware of URL rewriting, which steals a page from secure email gateways (SEGs) and wraps malicious URLs in “safe” (but really, compromised) new links.
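To make these link tricks concrete from the defender's side, here is an added Python example (not part of the original article and not Fortra's code) that audits the links in an HTML email body for two of the patterns above: visible link text that shows one host while the href points to another, and a clean-looking link whose query string carries a redirect to a different host. The redirect parameter list, the exact-hostname comparison, and the sample email with its example.* hosts are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed, non-exhaustive list of query parameters used by redirect endpoints.
REDIRECT_PARAMS = {"url", "u", "next", "redirect", "redirect_uri", "target", "dest", "goto"}
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercased hostname of a URL or bare 'host/path' string."""
    return urlsplit(value if "://" in value else "//" + value).hostname

def audit_links(html_body):
    """Return (kind, href, other_host) findings for suspicious links."""
    findings, parser = [], LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        link_host = host_of(href)
        # Masking: the text shown to the user is a URL on a different host.
        if URLISH.match(text) and host_of(text) != link_host:
            findings.append(("text-host-mismatch", href, host_of(text)))
        # Redirection/rewriting: a parameter carries an absolute URL elsewhere.
        for name, value in parse_qsl(urlsplit(href).query):
            target = unquote(value)  # tolerate one extra layer of encoding
            if (name.lower() in REDIRECT_PARAMS and re.match(r"https?://", target, re.I)
                    and host_of(target) != link_host):
                findings.append(("redirect-to-other-host", href, host_of(target)))
    return findings

# Constructed sample email body; all example.* hosts are placeholders.
SAMPLE = """<a href="https://tracker.example.net/c?id=7">https://portal.example.com/reset</a>
<a href="https://portal.example.com/out?next=https%3A%2F%2Flogin.example.org%2Fsignin">Review document</a>
<a href="https://portal.example.com/help?next=/faq">Help center</a>"""
```

Legitimate gateway-rewritten links and marketing trackers trip the same checks, so in practice the findings need an allowlist of the organization's own rewriting hosts before they are used for alerting.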
Creating a Security Current Culture
Now is not the time to fall behind. Attackers are having a heyday with all the new technology available for hacking. What ransomware-as-a-service (RaaS) did for ransomware, AI is doing for phishing, BEC scams, and social engineering – and then some. Even today’s malware is changing shape in real-time (though that’s not necessarily breaking news), and the pattern is clear: Cybercriminals are going to look to outstrip current security measures in any way they can.
That’s why organizations need to stay current with the latest security measures, and that goes for security awareness training, too. If updating antivirus tools to endpoint solutions is necessary, then updating outdated SAT modules for state-of-the-art phishing awareness training is just as needed, if not more.
Attackers are finding it harder to get through advanced email defenses (that’s one point for defenders), so they are changing tactics to hit us where it still hurts – our untrained users. Using outdated SAT courses will only keep users further behind.
Advanced Phishing Awareness Strategies to Combat Modern Threats
If it’s been a while since you’ve been in the security awareness training market, there are some exciting developments you should know, especially when it comes to teaching users about phishing. Fortra Security Awareness Training bridges the gaps between where SAT training was and where it needs to go to keep up with modern-day phishing threats (and more). Here’s how it’s making an impact:
Real-world phishing simulations
Users are not only trained, but they’re also tested with real-world phishing scams. Progress is tracked, so administrators can identify weak points and help users improve. With Fortra Security Awareness Training, employees can get hands-on with phishing simulations and see what today’s attacks would look like if they ended up in their inbox.
An extensive library of engaging learning styles
Remember those “read a page, do a quiz” modules that are indicative of so many HR training courses throughout the years? This isn’t that. Modern phishing awareness training engages everything from gamified learning (for those competitive types) to cartoon characters to live actors and more. Fortra Security Awareness Training is built for a number of adult learning styles and takes learning best practices into account.
Hassle-free deployment
If your phishing awareness training platform takes up a lot of space, is clunky, or fails to integrate seamlessly, it’s probably outdated or not optimized. The point is to meet busy, working companies where they’re at and help them get faster via great security processes, not slow them down. Fortra Security Awareness Training puts a heavy-duty learning management system (LMS) into a lightweight SaaS option that is SCORM-compliant.
A deep range of security topics
Phishing security awareness training is important, but phishing is just one part of a company’s overall security environment. To give employees the full picture (and expand on topics learned), Fortra Security Awareness Training offers training courses on everything from identity theft to protecting payment card data, preventing insider threats, and more.
Cybercriminals are never going to stop innovating, so organizations can’t afford to stop training their employees to recognize their techniques. Phishing awareness training is not only an essential first step, but an essential ongoing step in keeping users ahead of the malicious curve.
For more ideas on how to improve your level of security awareness, check out Fortra’s Security Awareness Training: The Definitive Guide.