
Beware the next generation of phishing attacks

Build smarter defenses that stop one click from becoming a breach

Arthur Gaplanyan


Phishing attacks used to be a volume game. Historically, scammers would cast a very wide net to reach as many users as possible, sending one generic message and hoping that one percent would actually fall victim. It was simple math: the bigger the net, the bigger the 1%.

Times have changed.

As soon as generative AI became available, people started discussing how a website could change in real time depending on its visitors. This “dynamic website” idea existed before, but it never gained traction due to the level of complexity and the lack of benefit. Too much investment for very little gain.

When it comes to phishing, the result doesn’t have to be a perfectly working website.

As long as the web page looks relatively legitimate, the job is done.

Security researchers have shown us how AI could be used to create phishing pages on request. This technique is still under experimentation, but the direction is clear enough.

The user opens a hyperlink and lands on a web page that seems safe to them. The page itself may not contain a full-fledged phishing page; instead, it may contact an AI service and generate one when it is opened. In other words, the content is generated on the fly.

This means that a phishing page is created specifically for the user. The text, design, and code would all be different each time, leaving nothing to block in advance, because the phishing page would not exist until the target opened it.

Such techniques are still in their infancy, but the necessary building blocks are already available. AI has been used to generate malicious code. Some kinds of malware have even been generated by code execution.

That changes the criteria for identifying phishing attacks.

No longer will phishing simply involve emails containing glaring spelling mistakes or amateurish design choices. A professionally crafted phishing email will look legitimate.

Security cannot simply depend on the assumption that employees will always detect a malicious link. Instead, it must focus on mitigating damage in the event they do click one.

The majority of existing countermeasures, such as multi-factor authentication, email filtering, secure web browsers, and access control measures, remain crucial components of the defense strategy. These measures will prevent a phishing attempt from escalating into an actual attack, no matter how effective the phishing page is.

Phishing remains a threat and will continue to evolve. What can be done?

The next scam is expected to be well designed, and the countermeasures should not depend on detection of an obvious flaw. Curious to know how vulnerable your organization is? Let us know!
