By: Karl Falk
Social engineering attacks are a very serious problem that GenAI is turbocharging. Existing solutions focusing on training and procedures are helpful but insufficient. Organizations need automated social engineering defensive tools. Existing large vendors lack the technology, expertise and economic incentives to provide these fully adequate solutions. The best way to get them is for large organizations to partner with innovators, thereby speeding up the process of bringing these solutions online.
Social engineering attacks involve manipulation to get innocent people to do nefarious things on behalf of attackers. To affect their manipulation, attackers employ some form of deception to make the innocent people convinced that they are doing something that is “good” and “right,” or at least good for them personally.
While social engineering cybersecurity attacks have been problem for some time, the advent of GenAI has made the problem much greater. Several years ago, executing a successful social engineering attack took some skill and, in many cases, sophisticated technical knowledge. But now, with GenAI, that is no longer true. Not only does GenAI remove the skill and knowledge barrier, it also makes Deep Fake attacks possible. The result is that 98 percent of cyberattacks have an element of social engineering.
Social engineering is used to gain unauthorized access to credentials that give attackers access to applications and cyber infrastructure that can be used to cause damage, extort funds, steal intellectual property, gain access to information that allows attacks on large numbers of organizations and individuals, etc.
An example of such a social engineering attack that used a simple telephone is the attack on the MGM Grand Hotel and Casino in Las Vegas. Staff at a technical support help desk got a phone call. The caller said that he was the most senior system administrator in the company. He said that he was traveling and had lost his phone with all his user IDs and passwords. He said his phone was locked, so he wasn’t worried about information getting out. But there was a very serious situation. He needed to do a system update right away. To do that he needed a new set of credentials. He was able to convince the help desk staff member to give him that new set of credentials. With that new set of credentials, the bad actor loaded a ransomware attack.
The resulting ransomware attack had dramatic effects that damaged the company, its customers, and its brand. For example, the key cards no longer opened room doors. Guests were left without access to their belongings and the front desk couldn’t check people in or out. The casino floor had to shut down. It took a week and cost the company $109 million to get its systems back up and running, all in addition to the brand damage and consequential loss of revenue it suffered.
AI has given bad actors a new set of tools to create more powerful ways of deceiving people. It removes the skill barriers. Now a six-year-old can launch a social engineering attack. It removes human physical barriers. Don’t have a good voice? GenAI can give you a good one. It can be used to identify promising targets and to gather the information needed to make the attack. Maybe the most significant capability is the Deep Fake one. GenAI can actually generate voices, images, sounds, and video that make the attacks very effective.
A recent attack we call the GenAI CFO illustrates the deep fake capability. A Hong Kong-based finance department staff member of a multinational corporation got a message purporting to come from the CFO in the U.K. talking about a secret financial transaction. Although he was suspicious, he was nevertheless maneuvered into a