A message warning about the temporary suspension of a bank account, another reporting an undelivered package, and one announcing the obtaining of a gift card. In addition, they include a link that asks the user to enter their personal data. However, none of them are what they seem. They may all be examples of social engineering, a set of manipulation techniques designed to deceive people and obtain benefits from the deception. Mechanisms that, with the recent rise of social engineering, are becoming increasingly common. generative artificial intelligencehave increased both in number and complexity.
Until now, carrying out a phishing attack, one of the most common social engineering attacks, required an exhaustive investigation of the victim that had to be done mainly manually (slow and expensive), so these attacks were less frequent. However, generative artificial intelligence capabilities make it possible to automate this search and carry out targeted attacks on a massive scale. In fact, phishing attacks promoted by generative AI have increased by 60% worldwide between January and December 2023, according to a report by Zscaler, an American cybersecurity company.
In addition, there is another key aspect: Generative AI makes it easy to instantly create messages worded in a way that looks legitimate and that they are more likely to deceive victims, either through emails, calls and SMS that pretend to be legitimate entities such as a social network, a bank or a public institution.
How does artificial intelligence affect ‘phishing’?
The Internet is an environment in which scammers do not have to expose themselves physically to carry out their attacks, which gives them a comfortable feeling of security. There are also many ways to automate tasks, which means that criminals can affect astronomical numbers of potential victims almost effortlessly.
For this reason, the Social engineering through the Internet has not stopped evolving along with the digitalization of companies and people.. Although initially it was only done through emails (what is known as ‘phishing’), new channels have been progressively incorporated into the deceptions, such as instant messaging systems and social networks (‘SMShishing’), the USB flash drives stray (‘baiting’), the phone calls (‘vishing’), and more recently QR codeswhich are increasingly present in both the physical and digital environment (‘QRishing’).
Over time, social engineering attacks have also become increasingly sophisticated. At the beginning, they consisted of mass sending of messages with very general content, but they have been increasingly refined, targeting specific groups and dealing with topics adapted to that group, so that the deception is much more difficult to identify.
In this way, the ‘phishing‘ is disguised as a message apparently coming from a real contact, or simulates a message corresponding to a real process in the victim’s company, for example. This is what is known as ‘targeted phishing’, or commonly in its English term ‘spear phishing‘. And, although targeted phishing emails represent only 0.1% of all emails sent, these are Responsible for 66% of all security breachesaccording to a report by Barracuda, an American security company.
As a result, cyberattacks received in Spain have increased significantly. In 2023, they reached a Record number of 107,777 incidents recorded, which represents an increase of 94% compared to 2022, according to a report from the National Cryptological Center (CCN). For this reason, cybersecurity is the problem that most concerns 48% of Spanish companies, which have increased their budget for information technicians by 4.7 million euros, according to the Cyberpreparation Report of the insurer Hiscox.
The objectives of social engineering have also evolved over time. Although at first they were mainly looking for information easily convertible into money, such as bank passwords, or directly trick the victim into making a payment to the attacker, with the improvement in user identity verification systems, such as biometrics, increasingly the objective is to install malware on the victim’s device that allows the attacker to gain control and access from it the tasks you consider.
