How AI and machine learning are changing the phishing game


Bad actors have learned: The more data they’re able to harvest about you, the more likely they’ll be able to successfully phish you. Which is probably why this attack vector has never been more popular.

Proofpoint’s 2022 State of the Phish report revealed that 83% of organizations suffered a successful email-based phishing attack in 2021, a 46% increase compared to 2020. Seventy-eight percent of companies faced a ransomware attack that was propagated from a phishing email, while 86% of businesses experienced bulk phishing attacks and 77% sustained business email compromise (BEC) attacks.

Global phishing attacks climbed 29% over the past 12 months to a record 873.9 million attacks, according to the latest Zscaler ThreatLabz Phishing Report, and there was a record number of phishing attacks (1,025,968) in the first quarter of 2022, per the Phishing Activity Trends report from the Anti-Phishing Working Group (APWG). But things are getting even more complicated.

Scammers are now taking and ingesting every bit of breached data found on the internet and combining it with artificial intelligence (AI) to target and attack users. This practice has some of the largest companies in the world more worried than ever before as the level of sophistication in phishing attempts grows. The scary part? There’s an increase in successful phishing and ransomware payouts, and the AI being used isn’t even that smart yet. 



The evolution of phishing

At its core, social engineering is about tugging at a user’s emotional heartstrings to elicit a response that, ultimately, gets them to fork over personal information like passwords, credit card information and more.

Unsophisticated phishing attacks in the form of emails, texts, QR codes, etc. are typically easy to spot if you know what to look for. Grammatical errors, typos, suspicious links, fake logos, and “from” email addresses that don’t match the credible source they’re pretending to be are dead giveaways.

These attacks were often done en masse, targeting millions of people to see who would bite. But bad actors evolved — and so did their tactics.

Hackers started using AI to target individuals in a more intelligent manner. Perfect examples are messages from your “IT department” that incorporate information about your job, or a customized, direct spear phishing attack that includes your actual password and tells you your account has been compromised.

Now, once again, bad actors are taking things a step further.

The AI phishing revolution

Hackers love and hoard data. But the data they value the most is breached data — and not just the information they’ve personally breached or ransomed. Threat actors love every bit of data that’s ever been leaked on the dark web.

Data breaches can tell hackers everything from your mother’s maiden name to your date of birth to your previous passwords to even your personal interests. While this probably isn’t anything you haven’t already heard, what has changed is the way scammers are using this information.

Bad actors are now combining this data with AI to target users with incredibly sophisticated phishing attacks that are more convincing than ever. And they’re doing this with AI that isn’t even that smart — yet.

AI can’t diverge from its pre-programmed path, so we don’t have to worry about it thinking for itself. But as people grow smarter, they can make more sophisticated models and train AI to run more complex scenarios. As the level of sophistication increases, all signs point to a future where phishing looks a lot like targeted ads.

Targeted ads meet targeted phishing

It’s nearly impossible to avoid ads these days. They pop up everywhere based on your browsing, search, and social media history. It’s gotten to the point where we joke about advertisers knowing what you want before you know you want it.  

How long before attackers get this advanced? How long before a market intelligence firm gets breached, and hackers use the same data used by advertisers to phish you? Near real-time targeted phishing campaigns are not some distant concept; they’re on the horizon.

Imagine searching for Super Bowl tickets, and within minutes, there are phishing emails in your inbox offering you VIP Super Bowl experiences. This is the real and immediate threat AI poses — and we’re inching closer and closer to that reality.

The future of phishing

AI and machine learning (ML) are currently being used to systemically bypass all our security controls. The attacks are occurring at a level and sophistication that no human — or group of humans — could pull off without a little (artificial) intelligence.

If you think bad actors need to build some brilliant self-realized AI hacking bot to achieve these goals, you’d be mistaken. They simply need to create an AI smart enough to interpret and manipulate specific sets of data in specific scenarios — which is exactly what criminal hackers and nation-state actors are actively doing to target and compromise people and organizations. 

AI isn’t nearly as high-tech as some think, yet it can still be used to take advantage of unsuspecting individuals. By combining AI and breached data, hackers are creating more targeted and sophisticated phishing campaigns and finding greater success.

AI and ML have rewritten the rules and changed the phishing game, and there’s no turning back. If we don’t address this now, the game will quickly get out of reach.  

Joshua Crumbaugh is CEO of PhishFirewall, Inc.

