Phishing attacks have reached a new high, with cybercriminals favoring various phishing techniques to trap their victims in nasty phishing scams. Hackers use different phishing techniques as a precursor to many devastating cyberattacks like ransomware, business email compromise (BEC), malware and account takeover. As perpetrators use deceiving social engineering lures, their targets often fall prey to their tricks. That’s why 91% of cyberattacks start with a phishing email, according to a Deloitte report. Now, new technology is helping bad actors make their phishing messages even more compelling, and that’s bad news for businesses.
New deep-learning language models make phishing emails more compelling
Artificial intelligence (AI) has been a boon to security teams and cybercriminals alike. In order to make their emails more convincing, many cybercriminals have started using deep learning tools to create AI-generated compelling phishing emails. These language models provide criminals with better tools to create targeted communications in their cyberattacks. Researchers have recently found out that GPT-3 proved to be helpful at crafting convincing email threads to use in phishing campaigns. Nation-state cybercriminals have been taking advantage of this technology too by using it to impersonate multiple people in an email thread to add credibility to a conversation-hijacking-style phishing attack. AI-generated phishing messages are also used in business email compromise attempts by a group tracked as TA2520 or Cosmic Lynx.
What is GPT-3?
Generative Pre-trained Transformer 3 (GPT-3) is an autoregressive language model that uses deep learning to produce human-like text like emails or ad copy. For example:
Write an email to [person1] in the finance operations department at [company1] from the company’s CEO, [person2]. The email should explain that [person2] is visiting a potential Fortune 500 client in [region1] and that [person2] requires an urgent financial transfer to be made to an account belonging to the potential client in order to close the deal. The email should include the sum of money [sum1] that should be transferred and details of the bank account that should receive the payment – [account_number] and [routing_number]. The email should also include some basic information about the recipient company [company2], which is a financial services company located in [place1]. [person1] is not easily fooled and will require some convincing.
4 Devious Phishing Scams Making the Rounds Right Now
While many phishing scams use the same common phishing techniques, new tricks that are designed to mislead employees emerge regularly, especially with the advent of more widespread use of AI in cybercrime. These four phishing scams are making the rounds right now, and everyone needs to be aware of them.
LinkedIn spoof phishing scam
In this scam, some of the users of a travel organization received a phishing email, allegedly from LinkedIn, with the subject line “We noticed some unusual activity.” The email contained a fake URL that took the victims to a fake landing page of LinkedIn. The page mirrored authentic LinkedIn branding, with a legitimate LinkedIn sign that included LinkedIn logos, language and illustrations. Once the user landed on the fake webpage, it asked them for their personal information, leading to credential theft. The phishing campaign even slipped past Google’s email security controls.
College loan forgiveness phishing scams
Fresh college graduates have been receiving phishing scam emails that prompt them to give up their personal and financial information. Some phishing emails even invoke emotional and financial drivers, such as student loan debt forgiveness, to convince their targets to take the fraudulent offer. In late 2022, the U.S. Federal Bureau of Investigation warned students with debt that scammers are using the advent of new federal student loan forgiveness programs to phish for PII and financial data.
Fake Facebook account termination notices
In recent times, hackers have taken a liking to many Facebook-inspired attacks. For instance, many users received a report that their ad account was at risk of termination unless they took action. In a recent phishing scam, hackers sent fake Facebook copyright infringement notices to get credentials. The email claims that the user has violated Facebook’s copyright infringement policy, hence the company will terminate the account if the victim fails to take proper action. Once the user is adequately scared, they follow the perpetrators’ command that asks them to go to a different website. The user is prompted to enter his credentials on the website, which leads to identity theft. In some cases, hackers lock users out from accessing their Facebook accounts unless they pay a ransom.
Employment scams have plagued the job industry for years. Threat actors armed with data gleaned from the dark web take advantage of job seekers, luring them in to provide information or even money under the false pretext of giving them a job offer. These attacks have proliferated since last year, as many organizations have laid off large sections of their workforce in a bid to increase profitability, especially in tech. Cybercriminals want to take advantage of the panic by sending phishing emails pretending to be employees or representatives of well-established organizations to obtain the victim’s personal or financial information.
With cybercriminals increasingly using advanced tools and techniques in phishing scams and other cyberattacks, security awareness training is vital to protect your organization from trouble. This will empower your employees to be more informed about email red flags, which in turn will keep them from falling into cybercriminals’ traps. In fact, organizations that engage their employees in regular security awareness training experience 70% fewer security incidents.