When we think of “cyber threat awareness,” visions of seemingly endless modules, slides, and short quizzes may come to mind: “How can you spot a phishing email? Does the address look familiar? Does the language seem unusual or urgent? We will never ask for this type of information over email. . . .” The topics may seem like old news to some. Although mandatory training and education on cybersecurity are important, reverting to a “check-the-box” mentality is easy to do when completing familiar programs.
Artificial Intelligence, Deepfakes, and the Evolving Cyber-threat Landscape
However, in a constantly evolving cyber-threat landscape, staying informed is imperative. The threats themselves may remain relatively constant, but the modes through which cybercriminals execute their attacks may improve and adapt. For example, the proliferation of artificial intelligence (AI) applications has the potential both to bolster cybersecurity postures and to help tear them down. An article published by the Harvard Business Review states, “our new research demonstrates that the entire phishing process can be automated using LLMs [large language models], which reduces the costs of phishing attacks by more than 95 percent while achieving equal or greater success rates.” Not only does AI improve a cybercriminal’s ability to create more sophisticated and more numerous attacks, but it can also make those attacks inexpensive to produce.
Deepfake technologies can be used nefariously as well, adding yet another layer of believability to advanced spear phishing attacks. In fact, multiple organizations have reported fake videos of their CEOs that contributed to successful attacks and resulted in financial losses. In one extreme example, “a Hong Kong finance worker was duped into transferring more than $25 million to fraudsters using deepfake technology who disguised themselves as colleagues on a video call.” In this day and age, even a video call (with multiple, seemingly recognizable people!) is not necessarily enough to ensure the legitimacy of a communication. Compare this type of attack to a “standard” phishing email—riddled with grammatical errors, sent from an unknown source, requesting a secret wire transfer to be made within the next hour (or else!). Most employees would likely be well-equipped to handle the latter, ignoring it or reporting it to IT (in the event it gets to their inbox at all without being filtered out by various tools). But in an age of deepfake-fueled trickery, it can seem that being a top-notch detective rivaling the likes of Sherlock Holmes is a prerequisite for facing the challenge.