Fight AI With AI: Automated Spear Phishing Attacks Powered by Artificial Intelligence

By Joshua Crumbaugh, Chief Technology Officer, PhishFirewall

In the world of cybersecurity, it’s a never-ending battle. Hackers are always finding new ways to break through your defenses and steal your data. But now they’re using AI to do it. This blog post will explore how hackers are using AI for phishing scams so you can stop them before you’re the next victim.

Spear phishing continues to be the greatest threat organizations big and small alike face, as it is hard to keep up with all the new scams and tricks. The trouble lies in not just identifying these attacks but stopping them before they happen. Understanding how these schemes work can be very beneficial and is strategically imperative!

The next generation of hackers are using artificial intelligence as a force multiplier to craft spear-phishing emails that appear as if they’re from established corporations, such as Amazon, Netflix or your company. 100% of Fortune 50 companies have acknowledged this as the greatest current threat their organizations face in protecting themselves against spear phishing attacks.

Hacking has been around for a long time, but it’s never been more appealing. Hackers exploit people using OSINT (open-source intelligence), the information publicly available on the internet about victims and organizations, to automatically target individuals with psychologically provocative messages and infect them with malware and ransomware. As we all know, these attacks can be financially and reputationally ruinous.

The problem is that hackers have figured out how much value AI can add to their phishing scheme. As you may know, it’s often an easy win for attackers if any organization falls victim and gets fooled by this kind of scam. To protect against AI phishing, we must use it as a countermeasure. A recent study found that hackers are actively using machine learning and deep fakes to hack organizations through spear-phishing attacks.

I’m an academic peer-reviewed published author on this subject and have conducted extensive research on preventing phishing attacks. My biggest takeaway is that the best way to prevent attacks is by simulating them with just-in-time education, where you apply science and learn from experience, or rather “use your mistakes as feedback for future endeavors.” This creates what I like to call “human virus definitions,” and it’s great because when these flags pop up, the subconscious tells users that there is an incoming threat. When this happens, people rarely question their subconscious, so they move on without giving it thought. This is the best way to get results, and it’s scientifically proven.

Cybersecurity awareness is not as complex as it may seem. We’re just making the problem harder than it needs to be with our outdated learning tactics that are based on methodologies from decades ago. Let’s be honest, awareness is simply a CMMC compliance checkbox for most of us, but if we want people to take cybersecurity seriously, then we need more balance between education and entertainment so they can understand this concept in an entertaining way instead of being bored by something too complex for them to comprehend. I know when I’m planning my education I try to make it as fun as possible. And I know what you’re thinking: “Edutainment doesn’t work!” You’re correct, edutainment doesn’t work. But true entertainment does! It triggers an emotional response and chemical reaction in the user’s brain that anchors the lesson in their memory. I believe that if the subject matter is essential, it should trigger an emotional response.

The bad guys have always been a few steps ahead of the defenders, and this time is no different. It’s not just because they’re using new tactics or technology, but also due to their crafty mindset that we should consider when preparing our countermeasures against these threats!

In the end, people are a lot like computers. They’re difficult to train and easy to program. Because of this, we must use psychology as our countermeasure in order to achieve any tangible results! A lot of research has gone into both learning theory (the science) and the behavioral modification techniques that adversaries such as hackers and nation-states will employ against us; there’s no other choice but to fight fire with fire if you want victory over these foes. And sometimes even going up against another form of intelligence could help: take an example from ancient Rome, where Julius Caesar would fight Gallic warriors not by weaponizing himself, but rather through tactics derived solely from reading their movements on the ground.

Not everyone is the same. The bad guys get this, and that’s why they’re using AI to target your individuals with tailored messages, and don’t be fooled: it’s super convincing! So, to make my next point, I’m going to have an artificial intelligence write out my closing paragraph.

To do this, I feed it the content of this blog I’ve written so far, and the AI does the rest. It quickly generates three pieces of copy for me to choose from, and I chose the following. Enjoy!

We need to start thinking about security awareness as a proactive measure. The threat of phishing is real, and we can’t just be reactive anymore. The problem is that over 95% of malware and ransomware getting into organizations starts with a phishing attack. We need to get organized around phishing and plan an effective strategy to prevent our users from falling victim in the first place, and our users have got to be current on the threats. This means that we have to get them engaged, or our message is lost to deaf ears! If you’re not sure where to get started, reach out for help from one of our experts who specialize in the psychology behind cyber threats. You’ll learn how to craft an effective strategy that keeps your users safe by understanding their vulnerabilities and respecting them enough to make it easy for them to do what’s right when they don’t feel like doing anything at all!

You didn’t really think that would be my closing paragraph, did you? I think that paragraph is absolutely brilliant, and I may be replacing my company’s copywriter tomorrow. I especially love the sales pitch it threw in at the end, and I cannot be held responsible for the actions of this AI. 😉

The cybersecurity industry is evolving rapidly, and cyber-attacks are becoming more sophisticated. Hackers continue to find new ways to exploit vulnerabilities in systems, networks, and applications. This means that there’s never been a greater need for organizations of all sizes to be proactive about their security posture before the attack happens. One way you can stay ahead of these threats is by using AI technology like machine learning or deep fakes, which use neural network algorithms with deep learning techniques to conduct global targeted interactive phishing campaigns at a faster rate than any human could ever do on their own.

When it comes time for your organization’s next round of cyber-defense planning, don’t forget about how advances in artificial intelligence have changed the game and the need for our methodologies and tools to keep up with the tactics being used by our adversaries.

The internet can be a scary place, and it’s not just because you have to worry about people hacking into your computer. There are plenty of scams out there that will steal your personal information or money with the click of a button. You never know what might happen if you don’t “think before you click!”

Joshua Crumbaugh
Chief Technology Officer


About Joshua:

Joshua Crumbaugh is one of the world’s most famous hackers. He’s an engaging and internationally respected cybersecurity subject matter expert, published author, and keynote speaker. During Joshua’s ethical hacking career, he has never encountered a single network that could keep him or his teams out. He uses these experiences to educate and entertain audiences with real life hacking stories that captivate the audience. His experience in all things social engineering led him to realize something had to change. This realization led him to found PhishFirewall.

About PhishFirewall

PhishFirewall is the world’s first fully automated AI-driven anti-phishing solution. We personalize education, training, and phishing simulations to dramatically lower phishing risks. Our product has been designed to help organizations significantly reduce their level of exposure to ransomware attacks by using artificial intelligence insights that find and correct individual phishing vulnerabilities. Unlike other anti-phishing solutions on the market today, our product drives click rates well below 1% – even for those with a high propensity for clicking.