Watch Out for AI-Powered Spear Phishing
How hackers will use machine learning to sharpen the spear
For hackers, spear phishing has always been a tradeoff. But that’s coming to an end. Artificial intelligence will enable the creation of large volumes of targeted messages meant to steal user credentials.
What is phishing?
Definition: Sending emails, text messages, and other communications that trick users into clicking on a malicious link, often with the end goal of obtaining the user’s ID and password.
Phishing is about volume, casting a wide net.
What is spear phishing?
Definition: Similar to phishing, except the messages are much more targeted, increasing the chances of the user falling for the attack.
Spear phishing is often used for the big fish, like the C-suite and privileged users.
HOW HACKERS SPEAR PHISH:
Gather information about the target.
Craft a high-quality, personalized message.
Send the message with a link to malicious software.
Let the linked software/website steal the user's credentials.
The Spear Phishing Tradeoff
Increased labor for increased chance of success
Gathering information is time-intensive.
Crafting a quality message takes time and requires fluency in the target language, adding expense.
Spear phishing works
30% of spear phishing campaigns are deemed successful
Spear phishing has a 40X greater return rate than regular phishing
95% of attacks on business networks result from successful spear phishing
Because spear phishing is hard, attackers target a low number of victims
77% of spear phishing attacks target only 10 email inboxes
33% of spear phishing attacks focus on just one email inbox
But that’s about to change…
AI Eliminates the Tradeoff
Three ways hackers will use AI and machine learning for spear phishing:
Quickly gather useful personal information. Using algorithms like those in marketing and ad targeting systems, machine learning leverages data to create a sense of urgency in the victim.
Find personal data that users are willing to pay a ransom for. Based on demographic data and gathered personal information, attackers can leverage machine learning to predict the best victims and approach.
Natural language text in phishing emails. By using natural language AI, attackers can make an email sound like it came from a victim's boss, financial institution, co-worker, or friend.
AI CAN HELP HACKERS DETERMINE:
Personal information such as work relationships
Events and planned activities shared on social platforms
The tone of writing to create a sense of urgency
AI will allow spear phishing hackers to target BETTER and AT SCALE.
How do you protect yourself and your organization?
Stop the click
Educate users about the growing sophistication of hackers, so they question unknown messages they receive.
Prevent access
Use multi-factor authentication or, even better, contextual authentication tools such as SmartFactor Authentication to add AI to your security defense. As a last line of defense, MFA requires additional information during login to thwart criminals trying to access your corporate data and systems using stolen credentials.
About OneLogin
OneLogin is the identity platform for secure, scalable, and smart experiences that connect people to technology. With the OneLogin Trusted Experience Platform, customers can connect all of their applications, identify potential threats, and act quickly. Headquartered in San Francisco, CA, OneLogin secures over 2,500 customers worldwide, including Airbus, Stitch Fix, and AAA. To learn more visit www.onelogin.com.