In the last 18 months, AI has been inescapable in all areas of life—businesses included. From personalising marketing efforts to providing customer service, tools driven by Artificial Intelligence are saving companies big and small time, money, and manpower, enabling their human resources to focus on more complex tasks. But AI could also come with a price.
In case you missed our recent webinar on how AI’s impacting cyber security for businesses, here’s a recap.
Why Focus on AI?
Fundamentally, AI systems perform problem-solving tasks that usually require human intelligence. From personal assistants like Siri and Alexa to customer service chatbots and even recommendations on streaming services, the technology’s already part of everyday life for many of us. Useful, yes—but that’s only half the story.
As AI continues to evolve, it’s playing an increasingly prominent role in both cyber security and cyber threats. The same tools that boost efficiency and accuracy for businesses are being used by cybercriminals to launch sophisticated attacks. In 2023, 75% of cyber security professionals reported seeing a rise in AI-powered threats, with nearly half expressing concerns about AI’s impact on businesses’ vulnerability levels.
These days, the key to staying protected isn’t deploying AI—it’s understanding its potential. AI is only as effective as the person using it, whether for good or bad. Increasing awareness about how AI operates and the risks it can introduce is what makes the difference between thwarting an attack and falling victim to one. By educating teams on AI’s capabilities and limitations, businesses can arm themselves with the knowledge needed to stay one step ahead of attackers.
How Do AI Systems Work?
Before we explain the problems AI’s posing in the workplace, it’s important to understand some context. AI doesn’t have ‘intelligence’ in the same way we do. It has no inherent knowledge or opinions; instead, when prompted by a user, it retrieves what it deems to be relevant answers based on the data it’s been given.
When they’re built, AI models are fed as much information as possible. These vast datasets allow the AI to provide responses that appear natural and conversational—more human.
Unlike its living, breathing counterparts, though, AI can comb through these enormous datasets rapidly and accurately. What would take a person hours, days, or weeks, AI tools can achieve in seconds. As you’re about to see, both of these factors become dangerous when it comes to cyber security.
Social Engineering in the Age of AI: An Old Trick for a New Dog
Social engineering—exploiting human psychology to gain access to data—is nothing new. As long as there’s been the internet (and probably before), people have been manipulating others into doing exactly what they want by using information they have on them to build believable stories.
You know the sort: a family member who urgently needs money, a business partner whose funds must be transferred to a new account, a prince from a far-off land who wants to send you money (right after you give him your bank details).
That last one’s a less convincing—maybe even laughable—example, but it’s a good measure of just how far social engineering has come. The wealth of information available online means that highly compelling narratives that feature personalised information (and are designed entirely to defraud you) are just a matter of patience and research. Or, at least, they used to be.
AI has turned the tables on the “needle in a haystack” defence that many small businesses once relied upon. The sheer volume of data we generate daily once seemed too vast for bad actors to sift through effectively. AI acts as a giant digital electromagnet, effortlessly pulling out those needles of valuable information in seconds. Highly specific, personalised attacks can now be launched at scale, shattering the illusion of anonymity that SMBs once enjoyed.
The accessibility of AI tools has further amplified this threat. For under £1000, would-be fraudsters can now purchase software that not only collects and analyses troves of data, but also considers the target audience’s likely interests and concerns.
The result? Social engineering attacks that are not only more convincing but can be deployed en masse, blending the personalised touch of a skilled con artist with the reach of a large-scale phishing campaign.
5 Steps for an AI-Powered Cyber Attack
An AI-driven attack might unfold in many ways. Let’s focus on the most common—business email compromise, achieved via phishing:
- Initial Compromise: A hacker asks an AI tool to create a convincing email impersonating a trusted service like Xero, targeting finance directors.
- Credential Harvesting: When the recipient receives the email, they aren’t suspicious. It seems to be from a trusted source with a legitimate—if slightly unusual—request. They follow the link and enter their details, unaware that the page they’re on is designed to steal this login information and session tokens, bypassing two-factor authentication. The victim loses control of their account, unable to change their password back. The attacker now has free rein to wreak havoc.
- Malware Injection: With access to the employee’s credentials, the AI can then inject malware into vulnerable applications on their system.
- Network Infiltration: AI learns as it goes, making it adept at evading the company’s security tools. The malware spreads across the entire network.
- Finale: A DDoS attack shuts down the network, leaving the victim—and their entire business—helpless.
The AI Arsenal: Beyond Email Scams
Email phishing is just the tip of the iceberg. AI’s capabilities in social engineering are expanding at an alarming rate:
- Voice Cloning: With just three seconds of audio, AI can create a voice clone. Longer recordings yield even better results, enabling real-time, conversational impersonations of friends, family, clients, and coworkers.
- Image and Video Manipulation: From extortion attempts using manipulated images to deepfake videos, AI is blurring the line between reality and fiction.
- Real-time Video Creation: By combining voice cloning with image manipulation, AI can create live video avatars. Imagine a “CEO” video calling a financial director or a “child” urgently requesting money from a grandparent. They sound, look, and move the way you’d expect—so how can you tell they’re not real?
Defending Against the AI Threat
The landscape may look different, but fortunately, defence requires the same multi-layered approach it always has:
Security Controls:
- Implement robust endpoint protection and firewalls
- Use password managers to create strong, unique passwords for each account
- Enforce multi-factor authentication
- Provide regular security awareness training
Policies and Processes:
- Develop clear guidelines for staff to follow when controls fail
- Implement verification procedures for large transactions (e.g., follow-up emails or secret words)
- Institute payment holds for unusual requests
- Create clear guidelines on the acceptable use of AI within your organisation
- Regularly update these policies as AI technology evolves
You don’t have to spend a fortune to stay secure; cost-effective cyber security solutions are available through many Managed Service Providers (MSPs). In this AI-driven world, leveraging these resources isn’t just smart—it’s essential for survival in the digital wild west.
The Future of AI-Driven Attacks
At first glance, the future cyber security landscape looks even more daunting. AI-powered attacks are poised to become more complex and less reliant on traditional vectors like email. They’ll take on the reconnaissance and targeting, tirelessly exploiting vulnerabilities in real time and morphing to avoid detection. Hackers will, in essence, be able to deploy a high volume of attacks without being involved.
But on closer examination, there is a silver lining. We humans are going to remain both the easiest entry point and the strongest shield. By focusing on training, rewarding good practices, and maintaining vigilance, we can stay one step ahead. We’re the best pattern recognition machines on the planet—real intelligence will be our best defence against the artificial.
Virtual IT: IT Services and Digital Transformation Partners with A Cyber Security-First Approach
We’re partners to hundreds of businesses and schools across London and surrounding areas like Essex, Sussex, and Hertfordshire. We help them to grow profitably and sustainably with exceptional, secure-by-design IT services and solutions, delivered by a team of dedicated experts you can count on.
