Wow. It does not happen often that the godfather of infosec comes out this strong about phishing risks. He co-published new research in the Harvard Business Review May 30, 2024, which in turn links back to the actual study that was published at the IEEE. This is the best budget ammo I have seen in the last few years.
The summary of the article is as follows: "Gen AI tools are rapidly making these emails more advanced, harder to spot, and significantly more dangerous. Recent research showed that 60% of participants fell victim to artificial intelligence (AI)-automated phishing, which is comparable to the success rates of non-AI-phishing messages created by human experts.
Companies need to:
- Understand the asymmetrical capabilities of AI-enhanced phishing,
- Determine the company or division’s phishing threat severity level, and
- Confirm their current phishing awareness routines."
They end off with: "Artificial intelligence, and LLMs in particular, are significantly enhancing the severity of phishing attacks, and we can expect a sharp increase in both the quality and quantity of phishing in the years to come. When targeting human users, AI disproportionately benefits attackers by making it easier and more cost-effective to exploit psychological vulnerabilities than to defend and educate users.
"Most employees have a digital footprint with publicly available information that makes it easy to impersonate them and create tailored attacks. Therefore, phishing is evolving from mere emails to a plethora of hyper-personalized messages, including falsified voice and video.
"Managers must correctly classify the threat level of their organization and department to take appropriate action. By raising employee awareness about this emerging threat and equipping them to accurately assess the risk to themselves and their organization, companies can aspire to stay ahead of the curve and mitigate the next generation of phishing attacks, which will claim more victims than ever before."
Here is the link to the full article:
This is a link to the study at IEEE.org
https://ieeexplore.ieee.org/document/10466545
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
