Artificial intelligence and social engineering

Dr Niklas Hellemann at SoSafe explores the growing threat of AI-powered social engineering and personalised cyber-attacks


In 2023, Generative AI hit the spotlight as tools such as ChatGPT and Bard became available to everyday users. The excitement over these innovative technologies was only matched by the concern from cyber-security professionals, as they started to hypothesise and uncover how these tools could be used for malicious purposes.


We are nowhere near understanding all the threat scenarios that AI can generate; however, the genie is already well out of the bottle.

The accessibility threshold for aspiring cyber-criminals is already at a low point, as tools, services, and malicious code are widely available. Criminal enablers have flooded the market seeking to profit from a growing demand, and AI is the next tool they’ll use to accelerate both their output and their efficiency.   


In a world of ongoing economic instability, geopolitical turbulence and persistent uncertainties, cyber-criminals are set to unlock a wide array of new opportunities. 


Although it’s known that psychologically vulnerable individuals can serve as an open door for cyber-criminals, who possess the knowledge to exploit our emotions and behaviour, it becomes more of a challenge to identify who is safe as the attackers’ techniques evolve.

In today’s landscape, we see that the innovations brought by Generative AI extend beyond mere technological advancements to include potent psychological strategies. This is going to change the threat landscape. We need to prepare for a new era of AI-powered social engineering.

Social engineering attacks bypass technological defences

2023 saw no shortage of cyber-attacks rooted in human-related vulnerabilities. One memorable example was the attack against MGM Resorts, which saw hackers take down services and steal customers’ personal information in a breach costing the company an estimated $100 million. The hackers danced past multiple layers of expensive and well-maintained technical controls by using public information from social networks to convince the company’s helpdesk to reset a user’s account and allow them access.

The simplicity of this attack highlights the importance of the human factor in cyber-security – but also the tendency of many businesses to underestimate the critical influence of human behaviour in shaping the outcomes of attacks. 


While the field of technological cyber-security is evolving rapidly, human psychology remains static. Hackers recognise that breaking through multiple layers of technical controls is both challenging and time-consuming, so they have identified an easier path: people, who consistently provide a vulnerable and dependable entry point for cyber-criminals.

Attackers have become adept at infiltrating our thinking processes to steal our credentials, activate their malware and enter our systems. These malicious actors employ sophisticated psychological tactics to manipulate their targets, capitalising on our weaknesses and specifically creating and exploiting heightened emotions to trigger a response.  


And it’s working. Research from SoSafe’s 2023 Human Risk Review shows that one third of users click on harmful content in phishing emails, with half of these going on to enter sensitive information such as login IDs and passwords. The most successful subject lines tempting users to open, click or enter personal details were found to be "Damaged car" and "Teams invitation". Employees were found to be particularly susceptible to tactics that triggered emotions such as pressure, authority, and financial appeals.

Generative AI and the UK cyber-threat landscape

With a low barrier to entry, relatively low risk, and high reward, it’s no wonder that the business of cyber-crime is booming. In the UK alone, Government estimates put the annual impact in the region of £27 billion.  


Attackers have professionalised and now orchestrate their operations with the precision and profitability reminiscent of large-scale businesses. They provide warranties on malware, helpdesks to assist wannabe hackers, and employ negotiators to broker ransom payments.


They also budget for innovation, seeking to get ahead of new technical controls that may impact their steady income stream. The MGM story is again evidence of this, as the attackers used psychological tactics to talk their way past multi-factor authentication (MFA) and deploy ransomware, encrypting hundreds of MGM Resorts’ servers.

Ransomware is a hugely effective attack, and our 2023 Human Risk Review revealed that 37% of successful cyber-attacks on British firms in the last three years involved ransomware and 38% of these companies paid a ransom to cyber-criminals. 


This professionalisation and innovation are only being accelerated by malicious generative AI tools such as WormGPT. These not only speed up the content creation process, such as writing phishing emails, but also elevate the sophistication and impact of cyber-attacks.

Alarmingly, our social engineering team found that AI-generated phishing emails are at least 40% faster to create than those made by humans and have an interaction rate of 87%, compared to 60% for human-made phishing emails.

Despite these statistics, Generative AI technology is still in its early stages, and its potential for cyber-crime remains largely unrealised. However, as its accessibility and flexibility continue to grow, hackers are poised to further optimise their use of AI, generating voice and image deepfakes that impeccably imitate individuals and rendering attacks indistinguishable to the public or the busy office worker.

We’ve already seen the start of these attacks: an executive from the online crypto firm Binance became aware that scammers had been imitating him online in video calls.

So, while cyber-criminals innovate at an unprecedented scale, employees and everyday internet users find themselves struggling to stay aware of the threats, rendering them more susceptible to emotional manipulation in these uncertain times.


Every security professional needs to consider how we can help with these struggles and empower people to face rising digital threats.

Security in an era of enhanced social engineering 

Regardless of the technological defence infrastructure in place, susceptibility to cyber-attacks and the role of the human remains a constant concern for any business.  


To fortify defences, businesses need to develop holistic security strategies, integrating technological and human defences. Employees need support to sharpen their security instincts, which in turn can become an integral part of the organisational security strategy.


However, security awareness must go beyond passive knowledge: modern security awareness training is about providing relevant, personalised knowledge, practical exercises, and realistic simulations to build both knowledge and emotional resilience. It’s about creating security cultures within companies and making security a top priority.

In this digital age, cyber-security is no longer the domain of large enterprises. Every organisation is a target either for their own valuables or as a stepping stone to a larger victim. Elevating security to the board level, and aligning security strategies with business goals is vital, but we must not lose sight of the fact that most successful security breaches (74%) focus on the human aspect, not the technology.  


The good news is that, just like cyber-criminals use human psychology to attack us, we can use behavioural science and learning psychology as a powerful tool to strengthen our defences and make secure behaviour second nature.


If your organisation cares about service uptime, reputation or customer privacy, people-based security must become your singular priority, not just an afterthought.  

Dr Niklas Hellemann is CEO and Psychologist at SoSafe 


Main image courtesy of iStockPhoto.com
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543