Cybercriminals are now leveraging generative artificial intelligence (AI) advancements such as OpenAI’s ChatGPT tool to launch more sophisticated phishing attacks, Zscaler’s research team noted in its annual Phishing Report.
The team analyzed 280 billion daily transitions and 8 billion daily blocked attacks over 2022 and found a nearly 50% increase in phishing attacks compared to 2021. Additionally, the education sector emerged as the most targeted industry, followed by finance and insurance, and government in 2022. The top five most targeted countries included the United States, the United Kingdom, the Netherlands, Russia and Canada. Microsoft, Binance, Netflix, Facebook and Adobe were among the most imitated brands, according to the report.
In this year’s report, researchers highlighted the new and evolving threats from AI technologies and large language models (LLMs) like ChatGPT.
AI-created phishing attempts are more convincing
“Recent AI technology advances like ChatGPT make it easier for threat actors to develop malicious code, generate business email compromise (BEC) attacks, create polymorphic malware and more,” which can help threat actors launch sophisticated email, SMS phishing (SMiShing), and voicemail phishing (vishing) campaigns at a larger scale than ever before, they wrote in the report.
These AI-driven phishing campaigns are harder to identify and counter, as they can convincingly imitate legitimate communications, making it more likely for victims to fall for the scams. For example, the report showed a rise in malicious actors targeting job seekers through recruiting scams and vishing.
Zscaler researchers anticipate threat actors will use AI more frequently to discover new applications for phishing attacks. “Expect to see more sophisticated scams across different communication channels, such as email, SMS, and websites. Also, prepare for a surge in phishing attempts as attackers leverage AI to launch more coordinated and effective attacks on larger groups of people.”
Zero Trust to counter AI-driven phishing attacks
As AI-driven phishing attacks evolve more sophisticated, Zscaler recommends organizations adopt a zero-trust architecture to minimize the attack surface and reduce the blast radius of successful attacks.
“As important as it is to have controls in place to prevent phishing, it is equally important to have ones that limit the damage a successful phishing attack can cause,” researchers wrote in the report explaining how zero trust can help. “Employ granular segmentation, enforce least-privileged access, and continuously monitor traffic to find threat actors who may have compromised your infrastructure.”
Other best practices to mitigate phishing risks include understanding the risks to better inform policy and strategy, leveraging automated tools and threat intel to reduce phishing incidents, delivering timely training to build security awareness and promote user reporting, and simulating phishing attacks to identify gaps in your program.