Phishing is no longer just that poorly written email from the "Nigerian prince." Generative artificial intelligence has given attackers the tools to create social engineering attacks that are virtually indistinguishable from genuine communications.
The Evolution of AI-Powered Phishing
According to the Anti-Phishing Working Group (APWG), phishing attacks reached a record 4.7 million attempts in 2023, and AI-assisted attacks are the most effective. Attackers use language models to:
- Create personalized emails that perfectly mimic the tone and communication style of an executive or vendor
- Create clone websites Pixel-perfect integration with banks, cloud providers, and enterprise tools
- Translate attacks grammatically correct translations into any language, including Latin American Spanish
- Automate recognition by analyzing LinkedIn profiles, social media, and corporate websites
Deepfakes: When You Can No Longer Trust What You See and Hear
Audio and video deepfakes represent the next frontier. Real-world examples include:
- Vishing (voice phishing): In 2024, a Hong Kong company lost $25 million when an employee received a deepfake video call from its "CFO" authorizing a transfer.
- Audio deepfake: A CEO of a UK energy company was tricked by a deepfake call that mimicked his boss's voice, resulting in a loss of 220,000 euros.
- Real-time deepfake video: Accessible tools now make it possible to generate deepfake videos during video calls in real time.
AI-Powered Business Email Compromise (BEC)
BEC—where an attacker impersonates an executive via email to authorize transfers—already results in $2.7 billion in losses annually, according to the FBI’s IC3. With AI, these attacks are more convincing: the attacker analyzes weeks of communications to replicate the executive’s exact writing style.
How to Protect Your Business
- Regular phishing simulations: Send simulated phishing emails to your employees every month and track the click-through rate. Train those who fall for them.
- Out-of-band verification: For any financial or access-related requests, please confirm through a different channel (if you receive the request by email, please confirm by phone).
- Advanced email filtering: Use solutions that analyze content with AI, not just known signatures.
- Authorization Protocols: No employee should be able to authorize significant transfers without dual approval.
- SOC Email Monitoring: Detect BEC and targeted phishing patterns before they reach the end user.
- Security keywords: Establish verbal codes with executives to verify identity during sensitive calls.
