Social engineering has always been a prominent attack vector, and its use has skyrocketed as purely technical attacks became harder to pull off. Worse, attackers keep refining their tactics to make them more reliable and more damaging.
One of the most dangerous variants is phishing, and with the help of AI it is becoming increasingly sophisticated. This article looks at how AI is changing the social engineering playbook and how to protect yourself from attacks that are harder to detect.
What is social engineering?
Social engineering is a cyber attack that tricks the victim into believing the criminal is someone they know and trust. The attacker then requests sensitive information, such as passwords, or a transfer of funds to an account they control.
These attacks have become highly sophisticated with the advent of social media since these platforms have made it easy for hackers to uncover personal or work-related information. Hackers use this data to convince their victims they are their friends, family members, or coworkers.
These attacks also often rely on a sense of urgency: the victim feels pressured to act swiftly without questioning the authenticity of the request, which increases the chances that the deception succeeds.
A Few Social Engineering Statistics
Social engineering attacks are rapidly increasing, and nothing puts this in perspective better than the following statistics:
- According to the Information Systems Audit and Control Association, social engineering was the #1 attack vector in 2022.
- According to IBM's 2022 Cost of a Data Breach report, the average cost of a social engineering attack is $4.55 million.
- The same IBM report states that, on average, social engineering attacks can take up to 270 days to detect and contain.
What has changed in social engineering?
The most significant change to social engineering attacks is undoubtedly the arrival of social media. Platforms like LinkedIn can be especially problematic since anyone can look up a company's employees, their job titles, and work history.
This readily available information allows attackers to craft detailed emails that can fool even the most prepared employee. Social media platforms have also become a frequent theatre of action, as people increasingly rely on them to find answers and support from businesses.
Some hackers even rely on multi-pronged attacks using numerous communication methods to build trust with their victims. For example, criminals will send an email requesting funds and quickly follow up with a phone call referencing the email before the victim can call the legitimate phone number.
The Rise of AI in Social Engineering
Another troubling technological development for social engineering is AI. While this technology has been used in attacks for some time, it has recently become widely available for anyone to use.
AI tools are not only easy to use and often free online; they can also produce the various media types used to fool victims. For example, emails written by a person can be fed into an AI tool to reproduce that person's writing patterns, and AI tools can generate convincing voice reproductions for phone calls or voicemails.
Top 3 Techniques
While social engineering is a varied attack that is constantly evolving, three attack vectors in particular are gaining in popularity at the moment:
Vishing
Vishing is a voice-based version of a phishing attack. Traditionally, these attacks have been carried out by posing as government entities or banks: victims usually trust these institutions and would not recognize the voices of their employees anyway.
However, recent advances in AI have made vishing far more dangerous than ever before. Using voice data from videos, ads, or webinars, attackers can reproduce the voice of, for example, a victim's boss with extremely high fidelity.
This cloned voice can then be used to request personal information or fund transfers.
Angler phishing
This attack was born out of the increased presence of brands on social media to provide tech support to their clientele. Hackers create fake accounts posing as the brand to collect sensitive information from customers or even steal money from them.
In more advanced versions of this scam, criminals use the victim's social media accounts and photos to work out when the victim ordered an item, so that their messages appear more believable.
AI-Assisted Phishing
Just as AI has improved vishing, traditional text-based phishing benefits from AI assistance. Attackers can reproduce the writing patterns of anyone from data collected from blogs, emails, and social media posts.
Combined with urgency and other methods like vishing, these attacks can be difficult to detect.
Staying Protected from Social Engineering
Social engineering can take many forms and, for that reason, requires several protection methods to be thwarted.
Software protections
Email filtering software can catch a large portion of these attacks, since they often originate from email addresses with sketchy, easily recognizable domain names that even the most basic email software can filter out. More advanced email security software can even use AI to analyze message text, identify keywords linked to social engineering, and warn users. Similarly, software can analyze sender domains to determine whether they are legitimate.
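The two signals described above, a sender domain that imitates a trusted one and urgency or payment wording in the message text, can be combined into a simple triage heuristic. The following script is an added example written for this article; it is not code from the article or from any email security product it mentions. The trusted domains, keyword list, scoring thresholds and sample messages are all constructed for illustration, and the homoglyph normalization (for example treating "rn" as "m") goes slightly beyond the text by catching look-alike domains that a plain string comparison would miss.

```python
"""Toy email triage heuristic for social-engineering screening (added example).

Scores a message on two signals: a sender domain that is a look-alike of a
trusted domain, and urgency/payment wording in the subject or body.
Domains, word lists, thresholds and sample messages are constructed.
"""
from dataclasses import dataclass, field

TRUSTED_DOMAINS = {"example.com", "corp-example.com"}  # constructed list
URGENCY_TERMS = {  # constructed list of phrases common in pressure tactics
    "urgent", "immediately", "wire transfer", "gift card",
    "verify your password", "before end of day",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse common visual substitutions so 'exarnple' reads as 'example'."""
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")):
        domain = domain.replace(src, dst)
    return domain


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip(">").lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    norm = normalize(domain)
    for t in sorted(trusted):
        if norm == t or edit_distance(norm, t) <= 2:
            return t
    return None


def urgency_hits(text: str) -> list:
    t = text.lower()
    return sorted(term for term in URGENCY_TERMS if term in t)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def score_message(sender: str, subject: str, body: str) -> Verdict:
    v = Verdict()
    domain = sender_domain(sender)
    target = lookalike_of(domain)
    if target:
        v.score += 3  # constructed weight: look-alike domain is the strongest signal
        v.reasons.append(f"sender domain {domain} imitates {target}")
    hits = urgency_hits(subject + " " + body)
    if hits:
        v.score += len(hits)
        v.reasons.append("pressure wording: " + ", ".join(hits))
    return v


def triage(score: int) -> str:
    # Constructed thresholds; a trusted sender with pressure wording still gets a warning,
    # since the account may be compromised.
    return "quarantine" if score >= 4 else "warn" if score >= 1 else "deliver"


SAMPLE_MESSAGES = [  # constructed sample mail
    ("ceo@exarnple.com", "Urgent: wire transfer needed",
     "Please send the wire transfer immediately, I am in a meeting."),
    ("payroll@example.com", "Payslip for March",
     "Your payslip is attached. Regards, Payroll."),
    ("it-helpdesk@example.com", "Account notice",
     "Please verify your password before end of day."),
]


def run_samples() -> list:
    """Return (sender, score, action) for each constructed sample message."""
    results = []
    for sender, subject, body in SAMPLE_MESSAGES:
        v = score_message(sender, subject, body)
        results.append((sender, v.score, triage(v.score)))
    return results


if __name__ == "__main__":
    for sender, subject, body in SAMPLE_MESSAGES:
        v = score_message(sender, subject, body)
        print(f"{triage(v.score):10} {sender:28} score={v.score} {v.reasons}")
```

Running the script quarantines the message from the look-alike domain, delivers the routine payroll mail, and warns on the helpdesk message whose sender is trusted but whose wording matches the pressure tactics described above. A real filter would add sender authentication (SPF, DKIM, DMARC) and reputation data on top of these heuristics.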
In-person guardrails
Social engineering attacks target people during their work hours, asking for a seemingly routine task such as transferring funds or restoring a forgotten password. Criminals hope that their victims will act on autopilot and simply execute the request without checking. Adding physical verification to certain tasks is the most effective way to catch these attacks; examples include requiring a physical signature, or a phone call back to the person supposedly requesting the task.
Cyber security awareness training
By far the most impactful solution, cyber security awareness training has the most lasting effect against social engineering. It is also the most flexible protection, since the content of these classes can easily be adapted and updated as attacks like social engineering evolve. The most important element of protection against social engineering is being aware of and mindful of the warning signals. Once users are trained to recognize the patterns and manipulation techniques these criminals use, the attacks are relatively simple to detect.
Protecting the Human Factor in Social Engineering
Like most modern cyber attacks, social engineering targets the final frontier: the human factor. The complexity of the human mind lets attackers use techniques that are almost imperceptible to the human eye or ear. However, just as companies release patches to fix their software, you can improve the cyber security awareness of your employees. But occasional classes alone are not enough to fight a deep-rooted issue like social engineering. To combat this problem, companies must build a cyber security-aware culture that spans the entire organization.
Once employees understand they have a duty to protect their work data, social engineering loses steam quickly. But before you do that, you must understand your users' attitudes toward cyber security. Discover what employees think about cyber security awareness, starting with this free report.