Identity data has always been one of cybercriminals' favorite loot. With their help, account compromises can be initiated and identity fraud committed. Now ChatGPT & Co are also helping with perfect phishing emails. A statement from Dirk Decker, Regional Sales Director DACH & EMEA South at Ping Identity.
The attackers usually use social engineering and phishing. The success rate of such attacks, mostly based on sheer mass, is limited. Individualized emails and messages tailored to a victim offer significantly higher success rates, but also require significantly more work and are therefore – so far – rather the exception.
ChatGPT & Co help with phishing
Until now, because with the appearance of the first AI-based chatbots, such as ChatGPT, emails and messages on social engineering and phishing aimed at the masses can now also be individualized - and this quickly, easily and effectively. The success rate of a single attack - let alone an entire campaign - can be greatly increased thanks to AI. Because even reply emails, up to longer, highly complex conversations, can be created 'realistically' automatically with AI-based chatbots. To do this, the AI only needs the personal and personally identifiable data of its victims that is freely accessible to everyone on the Internet. She is even able to perfect emails and messages based on the positive and negative reactions of her victims.
Christina Lekati, an expert in defending against social engineering attacks, recently explained what such AI-based attacks on identity data can look like in practice in the article 'ChatGPT and the future of social engineering', which is well worth reading. The TÜV also assesses the emerging development as serious. In its recently published study 'Cyber Security in German Companies', the association explicitly warns against the misuse of AI systems by cyber criminals - also and especially in the context of personalizing and optimizing spear phishing and social engineering campaigns.
Simulate AI-based phishing campaigns internally
In order to minimize the potential success rate of AI-supported campaigns, many experts now advise raising awareness of the problem in the workforce and simulating AI-based phishing campaigns in order to detect potential weak points and contain them in advance. Such preventive measures are all well and good – but they are not enough on their own. More is required – and now also possible. We are talking about the use of verified identity data and decentralized identity management and identity threat detection and response (ITDR) solutions.
In order to minimize the risk of fraud, many companies now require their customers to provide verifiable identity data, digital copies that can be 'certified' assigned to the person by a verifying third party - for example an authority. In order for customers to agree to share such high-quality identity data with a company, the company must first establish and guarantee an increased level of protection for the data.
Decentralized management of digital identities
The decentralized management of digital identities enables them to do just that. With a decentralized identity management solution, the storage, management and sharing of the verified identity data takes place via an encrypted digital wallet on the customer's smartphone. In this way, he always retains full control over his data. He alone decides what he wants to share, when and with whom.
Finally, ITDR allows identification, mitigation and appropriate response to identity-based threat scenarios such as compromised user accounts, compromised passwords, compromised data and other fraudulent activities. Machine learning is used to distinguish between typical and atypical, human and bot user behavior so that countermeasures can be taken at an early stage in the event of a compromise.
In the course of the growing misuse of AI, it is necessary and right to protect oneself more effectively than before against identity theft and account compromises - and thanks to verified identity data, decentralized identity management and ITDR it is now also possible. Next-generation identity management solutions - that much is certain - will no longer be able to avoid these features.
About Ping Identity Ping Identity is a guarantee of secure and seamless digital experiences for all users - without compromise. This is what we mean by digital freedom. We enable organizations to combine best-in-class identity solutions with the third-party services they already use to eliminate the use of passwords, prevent fraud, strengthen zero trust, or everything in between.