How to avoid getting in a jam from a phishing attack
Carl Mazzanti//March 4, 2024//
How to avoid getting in a jam from a phishing attack
Carl Mazzanti//March 4, 2024//
New Jersey has achieved an unwelcome milestone: making the list of the nation’s Top 10 states for cyber attacks (with losses in the state totaling nearly $285 million), according to an FBI report released last year. There are different “flavors” of digital attacks but the report makes it clear that phishing – or the use of fraudulent emails to obtain sensitive information – is one of the most common threat vectors. And with the spread of generative artificial intelligence, the phishing traps launched by cyber criminals are getting more sophisticated than ever. But experienced cybersecurity services providers can deliver tools and training that put a deep moat between businesses and digital attackers.
The phishing threat has become more challenging because the development of AI and large language models let nation-state and other cyber criminals harvest detailed data about people and organizations in seconds, enabling them to develop and deploy communications that sound authentic and create a sense of urgency. An email, for example, may appear to come from a longtime vendor, referencing invoices for products or services delivered to your business.
The email message could also cite an event that you attended, lending the communication an air of legitimacy; and the initial contact may be followed by additional communications, like texts and social media messaging. Or the attack could take the form of a phone call supposedly coming from your company’s treasurer or other executive, with the “person” on the other end delivering an urgent request to transfer funds or to ship goods.
But that email, text or phone call may not be legitimate. The rise of generative AI has made it simpler to create sophisticated “deepfakes,” or realistic-sounding voices and even fake videos. Hackers hope that when you hear your boss’ distinctive voice on the phone, for instance, you will take the call seriously and jump to fulfill his or her request. Of course, the funds or other assets they are asking you to move are actually being transferred to an unknown third party
Traditional defenses used by businesses, like email filters and multifactor authentication – a system that requires more than one distinct factor, such as a code texted to a phone, before a user can log into an account – may no longer be enough to withstand deepfake videos and other AI-backed attacks. Instead, organizations need to use a combination of advanced security tools and improved training.
Automated, AI-powered email security can help to detect AI-generated content, while cybersecurity tools that use machine learning and behavioral analysis can help to identify phishing attempts by analyzing network behavior and identifying deviations and other issues. A comprehensive cybersecurity plan will also reflect a layered approach, with state-of-the-art authentication methods and privilege management.
Passwords, for example, may be replaced by such alternatives as biometric authentication, which uses unique physical or behavioral traits of individuals to verify their identity. And while passwords can be forgotten, stolen or easily cracked, biometric data is inherently linked to an individual, making it a more secure and reliable method. Facial recognition, for example, is already being used in a variety of settings, from unlocking smartphones to airport security.
Another layer is a zero-trust approach, where identity verification is required every time any user, device, or application attempts to access the system. Additional digital security barriers could include privileged access management, where users have only the minimum system access that is needed to accomplish their work. Then, periodically, security teams should regularly review privileged accounts to ensure that user accounts only have the access they need.
AI-enabled tools, such as phishing simulations, can also help organizations with employee education programs focusing on “best practices.” As part of this initiative, ongoing security awareness training can be instituted and personalized to the team- and individual-level.
The increasingly sophisticated level of cyber threats mounted by hackers requires a sophisticated approach to cybersecurity. Businesses can start by working with a skilled information technology partner to launch a risk assessment that can highlight their vulnerabilities, and then carefully evaluate their security controls, email filters and security awareness training, updating these digital assets as needed. The return on investment will be substantial, in terms of both finances and reputation.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken, providing IT consulting and cybersecurity services for businesses ranging from home offices to multinational corporations.