In the early days, phishing attacks were often very simple and used legitimate sources of written communication such as email to gain access to sensitive data.
In the age of AI, it is tempting to consider how attackers are modernizing their phishing methods. With the growing popularity of GenAI tools, voice-based phishing attacks – also known as “vishing” – have become the new norm and the evolution of attack methods continues.
Phishing as a springboard
To understand the importance of phishing in the malware industry, it helps to look at the anatomy of an attack. It is usually successful ransomware attacks that receive all the media attention. However, the successful placement of blackmail Trojans is already the end of an infection cycle that leads to the dreaded ransom demands or data loss. The preparation phase of such an attack is much less in the spotlight, although the defensive strategy should already begin here. In the victim scouting phase, modern phishing methods play a significant role that IT organizations must respond to.
Phishing mechanisms play a role when malware actors determine an organization's attack surface. The focus of interest is often personal access data or the placement of zero-day malware in order to gain access to a system. Since attackers are also relying on the AI trend for their deceptive maneuvers, organizations must strengthen their defense mechanisms, for example using modern behavior-based malware analysis techniques.
Personalized phishing attacks
The range of victim baits has evolved from simple mass-audience email scams to personalized attacks. As awareness of traditional phishing campaigns has increased through training, adversaries have discovered new channels and techniques. Accordingly, fake phone calls and vishing have increased recently. The real voice of a manager is imitated using an AI voice cloning tool. These tools first define the characteristics of a human voice and then use artificial intelligence to train the system to perfectly imitate that voice when reciting various messages. In conjunction with conventional phishing techniques, it is becoming increasingly difficult to recognize imitated voices, i.e. so-called voice fakes.
In addition to voice cloning, another phishing method will be introduced. “Quishing” involves sending a QR code via email with a malicious link hidden behind the image. Such a method makes detecting the malicious code difficult because security tools are often not effective. This increases the risk in particular for employees with private cell phones that are not adequately protected. To keep up with these developments in phishing techniques, a zero trust mentality is recommended. Not just as a technical security solution, but also on a human level. The workforce must demonstrate a healthy suspicion of unusual communications, content or unknown senders to prevent hidden threats from executing.
Trust is good, control is better
Of course, in addition to human defenses, cybersecurity strategies must also be adapted to deal with the growing threat of modern phishing and protect sensitive information. Today, however, employees trust the available security solutions too much and are not careful enough when dealing with suspicious communications. A phone call from someone you think you know but who makes unusual or unexpected requests should always be questioned. Before employees act in such a situation, caution is advised. In case of doubt, a callback ensures that the strange situation is clarified and the caller is authenticated, thereby securing valuable information.
Since face-to-face interaction for verification is not always possible in today's hybrid work environment, it is recommended to choose a different channel to verify received communications. For example, if you suspect a vishing call via WhatsApp, it is advisable to make sure that the person on the phone is who they say they are via a mobile phone call, Slack message or email. To avoid compromise, employees should also ensure that they never share personal information or passwords over the phone or via email if requested to do so. One thing must be conveyed to the workforce: there is no need internally to use another employee's password to access data or resources in the system. Even with such a request, alarm bells should ring before sensitive data is passed on.
More attention
Since phishing is often just the beginning of a chain of compromise, this social engineering tactic should receive more attention - and not just on Data Protection Day. Companies must arm themselves against the new attack options based on AI, as this raises attacks to a new level of danger. By addressing this challenge, companies can foster a more resilient cybersecurity culture and effectively protect sensitive data.
The credo should be to bring a zero trust mentality to the human level. This means that the workforce must be trained not to trust one source of information implicitly, but to always check it through another medium. This will become even more important as AI will play an important role in misinformation and disinformation campaigns in the future.
More at Zscaler.com
About Zscaler Zscaler accelerates digital transformation so customers can become more agile, efficient, resilient, and secure. Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting people, devices, and applications anywhere. The SSE-based Zero Trust Exchange is the world's largest inline cloud security platform, distributed across 150+ data centers around the world.
Matching articles on the topic