
Artificial Intelligence in the wrong hands can pose a big cyber threat

Artificial intelligence (AI) is a tremendous asset for businesses. AI can effortlessly perform tasks including research, writing, illustration, marketing, developing sales scripts, budget forecasting, records-keeping and more. AI can relieve business owners of time-consuming tasks so that they can concentrate on the important aspects of running and growing their businesses.

But, just as business owners are learning the advantages of AI, so too are hackers and malicious actors. In the wrong hands, AI can pose a huge cybersecurity threat to the business owner. Hackers use AI to achieve their own goals, which are not in keeping with the well-being of a business.

How AI can benefit malicious actors

With AI tools, retrieval of information is speedy, and the volume of available information is comprehensive. Almost all companies have proprietary information within their networks which, in the wrong hands, could cause financial, compliance, legal, reputational and other serious problems. Consider if payroll records, Social Security numbers, confidential client or (in the medical field) patient notes, company finances, and more were accessed by hackers. These cybercriminals are skilled at mining data for information they can use to their advantage. Without AI, retrieval of this information could take hours. With AI, it happens in a matter of seconds. Malicious actors gain a significant advantage with these AI tools.

In addition to the speed at which AI delivers information, malicious actors can create very real-looking emails, videos, voice messages and other forms of communication. We all remember how clumsy phishing and other hacking emails and texts used to look. You could spot the awkward grammatical construction, the misspellings and the other telltale signs that this was a message to ignore.

Hackers use these very sophisticated tools to gain access to a company’s environment – even that of the CEO. With these tools, hackers create a very believable profile – without typos or awkward language, and even in the “voice” of the individual. This task is made easier than before because hackers incorporate LinkedIn and other social media profiles to enhance their profile.

Additionally, “deepfakes” are getting more realistic. Voice cloning through AI can mimic the voice and tones of executives convincingly. Video deepfakes can simulate meetings or instructions, and the trust in familiar voices is being exploited. A hacker posing as the CEO builds trust and asks an employee to send money or sensitive information – which ends up going into an account that the hacker has created. Often the email will say something like “This is urgent and confidential. Please RSVP by email ASAP. I cannot take phone calls.”

If the employee rightly asks the “CEO” for phone verification, the hacker says that he will call later from a conference room. That delay gives the hacker the chance to create and deliver a phone message using AI tools that mimic the voice of the CEO. This strategy can be used alongside business email compromise for layered attacks.

Another tactic used by hackers is to create rules to filter emails to different folders where the CEO would not see them. The hacker intercepts emails and moves them to a spam or delete folder so that it is the hacker and not the CEO who sees the messages. The hacker then looks for opportunities in the emails. Then the hacker begins the correspondence, starting with something not too dramatic and, after building up a sense of trust, moving up to a wire transfer or employee records. And of course, if successful, the funds go into an account that the cybercriminal has created. Ninety-five percent of attacks on a system are delivered by email or phone.
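The mailbox-rule tactic described above can be checked for from the defender's side. The following is an added example, not part of the original post, that reviews an exported list of mailbox rules and flags those that delete mail or move it to a rarely checked folder. The record layout (`name`, `actions`, `target_folder`, `conditions`), the keyword list and the sample data are assumptions constructed for illustration.

```python
"""Flag mailbox rules that hide incoming mail from the account owner."""

# Folders an owner rarely opens; the post names the spam and deleted folders.
LOW_VISIBILITY = {"junk email", "junk", "spam", "deleted items", "trash"}
# Constructed keyword list for money-movement mail; tune per organization.
FINANCE_TERMS = ("invoice", "wire", "payment", "bank", "payroll")


def review_rule(rule):
    """Return the reasons one rule (assumed dict layout) needs a human look."""
    actions = {a.lower() for a in rule.get("actions", [])}
    folder = (rule.get("target_folder") or "").strip().lower()
    if "delete" in actions:
        reasons = ["hides mail: delete"]
    elif "move" in actions and folder in LOW_VISIBILITY:
        reasons = [f"hides mail: move to {folder}"]
    else:
        return []  # rule does not hide anything from the owner
    if "mark_read" in actions:
        reasons.append("marks mail as read")
    cond = rule.get("conditions") or {}
    words = cond.get("subject_contains", []) + cond.get("body_contains", [])
    if not cond:
        reasons.append("applies to all incoming mail")
    elif any(t in " ".join(words).lower() for t in FINANCE_TERMS):
        reasons.append("targets finance keywords")
    return reasons


def audit(mailboxes, threshold=2):
    """Map 'owner/rule name' to reasons for rules with enough signals."""
    findings = {}
    for owner, rules in mailboxes.items():
        for rule in rules:
            reasons = review_rule(rule)
            if len(reasons) >= threshold:
                findings[f"{owner}/{rule.get('name', '')}"] = reasons
    return findings


# Constructed sample export; addresses use reserved example domains.
SAMPLE = {"ceo@example.com": [
    {"name": ".", "actions": ["move", "mark_read"], "target_folder": "Deleted Items",
     "conditions": {"subject_contains": ["Invoice", "wire"]}},
    {"name": "Newsletters", "actions": ["move"], "target_folder": "Reading",
     "conditions": {"from": ["news@example.org"]}},
    {"name": "Promo", "actions": ["move"], "target_folder": "Junk Email",
     "conditions": {"from": ["promo@example.net"]}},
]}
```

Calling `audit(SAMPLE)` reports only the first rule, which hides finance-related mail and marks it as read; the ordinary junk rule for a single sender stays below the threshold.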

Reaching out to employees to send funds or information, unfortunately, works more often than you might think. It is particularly dangerous because it does not rely on malware, but instead on deception. This form of attack targets human behavior. The emails often look and sound completely legitimate.

The most common scenarios are urgent requests to wire funds, fake vendor invoices with updated banking details, and payroll or direct deposit changes from “employees.” Attackers use publicly available information such as LinkedIn and websites. Email spoofing is easier than ever, and hybrid work makes verification harder.


What companies can do to protect their infrastructure

What you can do to minimize your chances of being a victim of cybercriminal activity:

First, be certain that all the fundamentals of network protection are in place – best practices, the latest software, and the latest protection updates. Every organization should have the very latest tools in place. However, the most advanced infrastructure protection is only as good as the people it serves. A very high percentage of breaches – somewhere around 90% – come as the result of human error. We humans are the biggest and weakest link when it comes to breaches.

Other practical steps to implement include:

  • Implement multi-factor authentication on all email accounts, especially finance and email systems.
  • Require verbal confirmation for financial transactions.
  • Use email filtering and domain authentication (DMARC, SPF, DKIM).
  • Train employees to question urgency and subtle changes in tone.
  • Also, deploy AI-enhanced security tools, such as email filtering and anomaly detection.
  • Monitor for unusual behavior, not just known threats.
  • Establish verification protocols (call back procedures).
  • Create strict verification processes for money movement. Use code words or secondary authentication for sensitive requests.
  • Limit public exposure of executive voice/videos where possible, and educate the staff that “familiar” does not equal “authentic.”
  • Move beyond “basic phishing training” to scenario-based training. Conduct sessions where employees see AI-generated phishing emails and have them practice detecting the fakes. Train employees in modern threats, not just generic phishing.
  • Develop an incident response plan for social engineering attacks.

And if you have any questions about all of this, if it seems a bit overwhelming, have a conversation with a trusted cybersecurity partner who can help make sense of it all for you. If you have concerns and want to be sure that you are protected against these emerging threats, or would like assistance in employee training, or just an overall assessment of your network infrastructure, let’s have a conversation. Please give us a call at 888-357-4277 or visit https://pulsetechnology.com. We are here to help.