For as long as email has existed, it has been one of the most vulnerable attack vectors for organizations. Cybercriminals know that email systems are a goldmine of sensitive data and a gateway to the corporate network. They also know that email serves as a launching pad for social engineering attacks like phishing and business email compromise (BEC), attacks that prey on the human element and lure unwary victims into disclosing their account credentials, money or other financial information.
Determined threat actors have become highly skilled at manipulating even the most vigilant employees. In recent years, we’ve seen them evolve from basic “spray and pray” attacks, riddled with typos, grammatical errors, and other red flags, to advanced targeted attacks written in perfect English and sent from spoofed domains or even compromised legitimate domains.
As a result of this shift, security awareness training (SAT) has become a major cyber strategy in many organizations. Security leaders have realized that defense must start with their weakest link, their employees, and are beginning to invest more in programs that can train employees to accurately identify email threats. According to Cybersecurity Ventures, the security awareness training market was worth $5.6 billion in 2023 and could nearly double in value by 2027 to over $10 billion.
Various studies have proven that SAT programs can effectively reduce the cost of phishing attacks against businesses. But this year, we might start to see a different story, as SAT’s effectiveness faces a new obstacle: generative AI.
How Generative AI Transformed Email Threats
When ChatGPT launched in late 2022, it threw the digital world into a frenzy: everyone from academics to knowledge workers to everyday consumers used the app to work faster and smarter. Since then, the generative AI wave has continued to gain momentum with the launch of additional tools such as Bing AI, Google Bard and Claude.
But an unintended consequence of the explosion of generative AI has been its adoption by cybercriminals eager to reap its productivity gains. Now, even inexperienced and unskilled threat actors can use a tool like ChatGPT (or one of its malicious variants, WormGPT or FraudGPT) to craft emails for phishing and BEC attacks more quickly, more efficiently and more convincingly.
Not only are cybercriminals able to write error-free emails, with a professional tone and even accurate translations, but they also use generative AI to launch targeted attacks on specific individuals. For example, simply by asking generative AI for information about their target (e.g. by entering a link to their social media profiles), attackers can send highly personalized and credible lures in greater numbers than ever before.
What this means for security awareness training
The industry has widely understood that phishing attacks are already becoming increasingly difficult to recognize as cybercriminals increase their social engineering prowess. Today, with generative AI tools in their arsenals, the situation has only gotten worse. Modern email attacks are becoming more and more realistic and almost indistinguishable from legitimate communications. Without the presence of traditional attack indicators, the effectiveness of SAT drops significantly.
SAT programs remain important because low-level email attacks are not going away. Security teams should continue to train employees on the telltale signs of a traditional email attack, but should also update these programs to ensure they keep up with these evolving threats.
For example, even if an email is sent from a legitimate domain free of spelling and grammar errors, employees should watch for any language requesting sensitive information, especially if the sender creates a sense of emergency. Employees should also learn the proper verification steps whenever they are asked to perform actions related to financial transactions or account authentication via email.
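As an added illustration (not code from the article or from Abnormal Security), the following Python script turns the indicators named above into a small triage check: a request involving money or credentials, a sense of urgency, and a sender whose replies would go somewhere other than the displayed From domain. The two sample messages, the pattern lists and the domain names are all constructed for the demonstration and are assumptions, not data from the article.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a grammatically clean lure from a plausible-looking
# sender, so the classic typo-and-grammar tells are absent. Only the
# request, the urgency and the Reply-To domain give it away.
SAMPLE_LURE = """\
From: "Dana Whitfield, CFO" <dana.whitfield@example-corp.com>
Reply-To: dana.whitfield@example-corp-billing.net
To: accounts@example-corp.com
Subject: Vendor payment - needs to go out today

Hi,

Our vendor changed bank accounts and the invoice is overdue. Please wire
the payment this afternoon; I am in meetings and cannot take calls.
Let me know once the transfer is done.

Thanks,
Dana
"""

# Constructed sample: routine internal notice with no request and no urgency.
SAMPLE_BENIGN = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: staff@example-corp.com
Subject: Scheduled maintenance this weekend

The file server will be unavailable Saturday 02:00-04:00 for patching.
No action is needed on your side.
"""

# Assumed phrase lists; a real deployment would tune these to the organization.
URGENCY_PATTERNS = [
    r"\btoday\b", r"\bthis afternoon\b", r"\bimmediately\b", r"\burgent(ly)?\b",
    r"\bcannot take calls\b", r"\boverdue\b", r"\bas soon as possible\b",
    r"\bwithin \d+ (hours|minutes)\b",
]
SENSITIVE_REQUEST_PATTERNS = [
    r"\bwire\b", r"\btransfer\b", r"\bbank account", r"\bpassword\b",
    r"\bverify your account\b", r"\bgift card", r"\bpayment\b", r"\blogin\b",
    r"\bcredentials?\b", r"\binvoice\b",
]


def mail_domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Parse a raw RFC 822 message and return the indicators found plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Header check: replies silently routed to a different domain than the
    # one shown in From is a common BEC pattern even when From looks legitimate.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and mail_domain(reply_to) != mail_domain(from_addr):
        findings.append("reply-to-domain-mismatch")

    # Content checks over subject and plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        findings.append("urgency-language")
    if any(re.search(p, text) for p in SENSITIVE_REQUEST_PATTERNS):
        findings.append("sensitive-request")
    if "urgency-language" in findings and "sensitive-request" in findings:
        # Pressure plus a money/credential request is the combination the
        # article tells employees to treat as a trigger for verification.
        findings.append("urgent-sensitive-combination")

    if "urgent-sensitive-combination" in findings or "reply-to-domain-mismatch" in findings:
        verdict = "verify-out-of-band"  # confirm by phone or a known-good channel before acting
    else:
        verdict = "no-indicators"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(sample))
```

The verdict deliberately stops at "verify out of band" rather than "block": the point of the check is to route the message into the verification step the training teaches, since a clean, well-written request from a real-looking domain cannot be dismissed on wording alone.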
SAT should remain an important part of the onboarding process for all new employees, but it should also be revisited regularly for existing employees. Because cybercriminal tactics are constantly evolving, organizations should update these programs every four to six months. There are also many tools on the market that can help automate these training sessions.
SAT should remain a core part of an organization’s cyber strategy, but it is not foolproof, and having additional layers of security ensures the best possible protection against advanced threats.
In addition to implementing fundamental security measures such as multi-factor authentication, password managers, and least privilege, leveraging an email security solution can help provide comprehensive detection, especially for seemingly realistic email attacks that go unnoticed by the human eye.
I’m very interested to see how the SAT scores develop this year, as AI-generated attacks continue to gain momentum among threat groups. But don’t wait to find out: now is the time to review and update SAT programs, as well as the company’s broader email security strategy.
Mike Britton, Chief Information Security Officer, Abnormal Security