Email Hygiene: Looking for Phishing emails in the age of AI
Recently emails have been becoming harder to detect because of AI. However, I wanted to remind everyone that there are still ways to see phishing emails by looking at emails critically in the age of AI phishing tools.
Background: Phishing and AI tools seen till now
Since ChatGPT appeared, companies like Google, Facebook, and Microsoft have been looking for ways to enter into the AI market of prompt tools or software that can assist users in speeding up their work. Microsoft made the first big move by partnering with ChatGPT’s creator, OpenAI, to integrate ChatGPT into Microsoft’s search engine Bing. Microsoft also made announcements to integrate Artificial Intelligence into all its Office products such as Word, PowerPoint, and Excel. AI is now the front-runner for any technological innovation. But the question is, where is AI being used for malicious purposes? Is “Skynet” upon us? Will we no longer need to think for ourselves and allow AI to think for us? The first place AI was found to be used on behalf of APTs and malicious actors is phishing. Say goodbye to the Nigerian Prince and say hello to what sounds be is your grandma.
It is already here.
The first attack I wanted to discuss was how AI is being used in Audio or “Voice Cloning” attacks. McAfee report that a study conducted found out of seven thousand individuals, one in four either knew of or experienced an AI voice cloning scam. “With a small sample of a person’s voice and a script cooked up by a cybercriminal, these voice clone messages sound convincing. 70% of people in our worldwide survey said they weren’t confident they could tell the difference between a cloned voice and the real thing.” (Bunn, 2023)
From a short audio example, attackers can mimic a person’s voice and call the victim’s family by spoofing the caller ID or using a legitimate phone number. Individuals will pick up the phone expecting to hear the familiar voice, which they do, and immediately trust the voice most of the time. A grandmother in Canada was recently a victim of this type of attack when her “grandson” called, saying he needed bail money for rear-ending a pregnant woman in a car accident.
This is the future of AI phishing. Not only are we listening to AI voice clones of our loved ones, but also on email.
You’ve Got Mail.
Email systems are always one of the first vectors attackers will use to help spread malware or ransomware to an unsuspecting victim, allowing ATPs and malicious actors to wreak havoc. “According to a recent report published by Safety Detectives, email accounts for 92% of malware security incidents and 90% of all cyberattacks. Similarly they estimate that 38% of malware currently arrives disguised as a Microsoft Word file.” (Hendler, 2023)
But there is still hope! Here are some surefire ways to still detect whether that newly convincing email you just received may be a malicious attacker:
1. Be Vigilant and Skeptical:
Treat all incoming emails, especially from unfamiliar resources, with caution. Be skeptical of all emails that create a sense of urgency, request personal info, or use alarming language
2. Verify the Sender’s Identity:
Check the email sender’s address carefully. Look for any misspellings or slight variations that may indicate impersonation. Hover over links without clicking on them to see the actual URL. Ensure it matches the displayed text and appears legitimate. Finally, be cautious of emails from well-known organizations but use generic email services (e.g., Gmail, Yahoo) instead of official domain emails.
3. Think before sharing personal information:
Legitimate organizations request personal information, account credentials, or sensitive data via email. Avoid providing personal information such as passwords, Social Security Numbers, or financial details unless you know the email’s authenticity. If an email requests sensitive information, independently verify its legitimacy by contacting the organization through trusted channels (official website or phone number) instead of using the contact information provided in the email.
4. Strengthen your cybersecurity measures:
Use things like Anti-Virus or Anti-Malware software on your devices to keep them updated against the latest threats. Enable spam filters and security features provided by your email provider to help detect and filter out common phishing emails. Regularly update your operating system, web browsers, and other software to patch security vulnerabilities. The last and most crucial method is using 2FA on all your personal and work-related accounts to prevent anyone from using just your password to log into your bank or Netflix account.
What next? Are we doomed to AI phishing emails?
Now AI is not just on the Dark Side, but the force is also strong on the other side. Companies are well on their way to providing tools and detection systems to know whether an image, piece of text, or person is real. Right now, you can help thwart AI voice calls cloning your voice by talking amongst your family about what to ask each other if you find yourself on a phone call with a loved one asking for money or assistance. Maybe a safe word perhaps? All in all, people need to stay vigilant more than ever now because of the rising sophistication of technology, getting closer and closer each day to replacing us, “duh duh duh.” But fear not. Next week we’ll talk about where AI is being used on the defense side for cyber security professionals against malicious actors and APTs.