Phishing your own people in cybersecurity training? How to protect the brands you use as bait
With widespread use of generative AI, phishing has become an even more formidable threat for organizations. Hyper realistic emails, texts and deepfake voice-notes can be constructed using AI tools, and with better grammar and spelling making threats appear more genuine, AI-powered phishing is causing major concerns.
This year we have seen an escalation in the complexity and variety of phishing methods, with people being targeted on new platforms they trust, beyond the standard email, phone call, or SMS. The concerns have shot to the very top of business. Accenture’s Pulse of Change research found almost half (47%) of C-suite were concerned about the increased risks from cyber attacks and data breaches. Cybersecurity threats posed by deceptive content, such as realistic phishing emails/messages, were seen as the biggest risk.
Attacks may not be simple, but motivations often are: financial gain. Attackers use messages requesting personal information from fraudulent websites to trick their victims to send money or obtain access to their networks. They also know by impersonating senior leaders they can potentially influence people to share data, money, or credentials.
Unfortunately, as phishing attempts become more realistic, employees are more likely to fall victim, which can create serious disruption, financial loss and potential long-term reputational damage for their organization.
Accenture’s Cyber Resilience Lead in the UK.
Education is key
It is therefore critical that employers provide the necessary education – including training and simulations – to prevent attacks from duping employees into clicking something they shouldn’t.
Simulating an authentic phishing attack isn’t a simple ask. In fact, firms have tried to educate their employees by replicating public brands with typical consumer and employee communications – such as impersonating delivery companies – to create content for educational purposes. This is because these companies tend to have many characteristics that make them ideal targets for social engineering due to brand familiarity, regular personal information requests and sharing of routine tracking links. Delivery companies regularly share emails and SMS updates, meaning the cadence of communication – and the characteristics that come with it – often go unnoticed, and individuals are easily deceived.
However, when organizations copy-cat brands in simulations, it can pose legal issues around IP theft, if they have not asked permission to use their branding and company information. It can also cause the brands themselves reputational damage from being associated with cyber attacks (even fake ones).
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
If a business decides to replicate such an exercise, but wants to avoid using a third-party as part of the simulation, it could instead implement internal emails from reliable departments such as finance, legal or HR. This means they still appear credible for employees, as they will resemble emails normally issued directly by internal teams, but they don’t risk falling into legal hot water from external companies.
How can you protect your company
In addition to training employees, businesses can also take preventative measures to stay protected – and turn the tables on attackers by using gen AI itself.
With AI increasing the risk of being defrauded by realistic content, it is also a vital part of an organization’s technological armor. For example, many platform companies and hyperscalers are releasing AI security features in their own environments. Additionally, AI-powered ‘red teaming’ – a cybersecurity technique – mimics an attack to see how individuals would respond. Other examples, including penetration testing, will become mandatory for organizations as regulations evolve. The key to gaining the upper hand in the era of gen AI will be embedding security-by-design along the journey.
The personal touch
Although security tools are critical, humans are ultimately a key line of defense. Training programs play a central role in helping employees recognize and report suspicious communications, but they should also be encouraged to rely on their instincts, too. Employees should always ask themselves: “Is this typical behaviour from the sender? Is this a platform they’d normally be contacting me on? Would I normally verify my details in this way?”
There are also cultural factors that support an organization’s defense – and it starts with ensuring companies prioritize the ways of working and wellbeing of their people. Always-on and tired employees may be more likely to click on suspicious links in a hurry, so reducing alert fatigue and burnout among people has cyber security benefits, too.
Just as there is a human behind the initial creation of a phishing attack, there’s always a human recipient of a scam. The best defense always relies on the knowledge of an empowered employee that understands the risks and acts mindfully. A healthy dose of human suspicion, combined with a strong line of technology enabled defences, will set organisations on the right pathway to defending against phishing attackers, without inadvertently impacting other brands’ reputations.
We’ve featured the best cloud antivirus.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
With widespread use of generative AI, phishing has become an even more formidable threat for organizations. Hyper realistic emails, texts and deepfake voice-notes can be constructed using AI tools, and with better grammar and spelling making threats appear more genuine, AI-powered phishing is causing major concerns. This year we have…
Recent Posts
- Do Macs get viruses? The answer is yes – and AI-powered malware is a growing threat, new report claims
- Apple now lets you sync your passwords with Firefox, but not on Windows
- This tablet has a genius feature I want every vendor to copy: a second USB-C port that allows you to display content on an external screen
- Trump picks two nominees who could decide the fate of Big Tech and crypto
- Nokia’s classic Snake game is now a Nothing widget
Archives
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- September 2018
- October 2017
- December 2011