Authentication

Generative AI is Making Phishing Attacks More Sophisticated… But You Can Remove the Bait with Passwordless Authentication

July 6, 2023

While artificial intelligence (AI) has been around for decades, the introduction of ChatGPT in November 2022 took the technology to unparalleled heights and ushered in a new era of AI. Created by OpenAI, ChatGPT is a generative AI model trained on large data sets that generates human-like text responses.

While in its nascent stages, ChatGPT has the potential to significantly transform many industries by giving users almost immediate access to the information they need for better decision making, while automating previously manual tasks and accelerating processes. In fact, ChatGPT has generated so much buzz in the industry over the last six months, many companies are already using it to optimize their business while other vendors are releasing similar generative AI models (e.g., Google Bard) to stay competitive.

Generative AI will change our world for the better in many ways. But we would be remiss if we didn’t point out that, as with any new technology, there are still kinks to be worked out and risks to be managed. One of the biggest challenges with generative AI is the fact that bad actors have access to it, too. And this means they can use it for myriad nefarious purposes, including crafting indiscernible phishing campaigns.

 

Generative AI Eliminates Tell-Tale Signs of Phishing 

Phishing has remained effective for decades, prompting cybercriminals to broaden their attack methods beyond email. Today, organizations are battling traditional phishing as well as vishing (attacks carried out via voicemail) and smishing (phishing executed via a text message).

Consider these statistics: CISCO’s 2021 Cyber Security Threat Trends report revealed approximately 90% of data breaches occur due to phishing, and according to the 2023 Data Breach Investigations Report, “74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials, or social engineering.”

Axiad’s internal research aligns with these industry studies. Our Passwordless Authentication survey, fielded by Enterprise Strategy Group (ESG) and announced in late June, found that 92% of respondents are concerned about compromised credentials because of phishing or social engineering attacks and 59% are confident that compromised accounts or credentials have led to a successful cyber-attack over the last 12 months.

Success rates have held steady over the years for a few reasons:

  • Despite the industry’s call for training and awareness programs, many end users remain largely unaware of the threat, how to detect an attack, or how to appropriately respond if a suspicious email comes in.
  • Because end users have to manage many passwords (on average, 90 different online accounts!), they often get lax with password security best practices – e.g., using easy to guess passwords and repeating passwords across accounts.

This combination creates the perfect opportunity for cybercriminals to trick unsuspecting victims into divulging account credentials that they then can use to execute ransomware attacks, account takeovers, and more.

Where does AI fit into this playing field? Before generative AI, end users that were aware of phishing risks were able to look for a few tell-tale signs that an email might be suspicious. For example, human-written phishing emails often had spelling errors, odd punctuation, or tones of misplaced urgency. But, today, with generative AI, phishing attacks have reached new levels of sophistication where cybercriminals can use the technology to craft emails with precision and mimic the tone and style of the sender – making them extremely difficult for end users to detect.

This is a problem because end user awareness is lacking in the first place, and the little help we did have to recognize phishing attempts has been eliminated. This means cybercriminals will be able to exploit individuals’ vulnerabilities with unprecedented accuracy – making what is already the most successful threat vector even more dangerous. Add in the fact that phishing attacks are exploding in the post-COVID remote workforce (increasing up to 350%, according to one study), and companies are standing at a major crossroads.

 

How to Defend Against AI-Driven Phishing

As generative AI continues to advance and take the world by storm, it’s crucial that security professionals put the proper strategies in place to defend against AI-driven phishing attacks. Here are two of the most impactful ways to do this:

  1. Offer ongoing end user training and awareness programs.

Employees are the first line of defense in a company’s security strategy, and yet they often are also the weakest link. Implement awareness and training programs to make end users aware of AI-driven phishing threats and how to respond if they believe they are the victim of an attack. Additionally, making it easy for employees to report an attack will increase the likelihood of action, which can prevent the attack from spreading across your organization. And importantly, the most effective way to get training sessions to resonate is to offer short, engaging, and frequent sessions (once a month, for example) rather than long, PowerPoint-driven meetings once or twice a year.

  1. Implement phishing-resistant, passwordless authentication.

According to the FIDO (Fast Identity Online) Alliance, passwords are the root cause of more than 80% of data breaches. This is because many users have poor password hygiene, and weak and re-used passwords can be easily phished. If we know the problem – passwords! – then the answer is simple: get rid of them! This can be done with phishing-resistant, passwordless authentication.

As its name implies, phishing-resistant, passwordless authentication, eliminates the reliance on legacy approaches and secures all entities without passwords or shared secrets. It’s what we like to call “no password passwordless,” because most passwordless solutions require a password or other shared human secret. While these solutions might hide the secret from the end user to deliver a “passwordless experience,” behind the scenes, the shared secret is still there and can be stolen and exploited.

When it comes to true passwordless options, there are a broad range of phishing-resistant methods, including FIDO passkeys, Certificate-Based Authentication (CBA), Windows Hello for Business, YubiKeys, smart cards, biometrics, and more – so you have ample choices to find one that best fits your business needs.

By going passwordless, you can take the bait away from phishers – and reduce the successful attack rate on your organization.

 

A Pragmatic Approach to Phishing Resistance

Going passwordless is one of the most effective ways to fight phishing. But the path forward to accomplishing passwordless, phishing-resistance requires some analysis.

While there are many options (as noted above), each has its pros and cons. FIDO passkeys, for example, are unquestionably the future and address some use cases today. But the reality is that there is still work that needs to be done before they take their rightful place as the gold standard. Other options require significant infrastructure, spend, and management.

For most, a hybrid approach likely makes the most sense in the short term. This aligns with what Gartner Research suggested at their recent IAM event. To this end, one of the best options is a combination of CBA and FIDO passkeys. CBA allows you to supplement your existing investments in IAM ecosystems and quickly move to a phishing-resistant model today. And FIDO passkeys will help you future proof your strategy and solve for the long term. We call this pragmatic phishing resistance.

 

Axiad: A Trusted Partner in the Passwordless Journey

The benefits of going passwordless are proven, but we understand that the journey to get there can be daunting – particularly for large organizations with complex, heterogeneous IT environments. Axiad has a pragmatic approach to phishing resistance, including the expertise, experience, and solutions that allow you to balance CBA and FIDO passkeys (and more) to help you secure your future as a passwordless organization while removing your company from phishers’ target lists. To learn more about phishing-resistant, passwordless authentication, download our eBook: “The What, Why and How of Phishing-Resistant MFA.” To find out how we can be your trusted partner in the path to going passwordless, contact us today.

About the author
Joe Garber
Axiad Demo

See How Axiad Works

See a comprehensive demo of Axiad and envision how it will revolutionize authentication for you!