Alarming spike in phishing, BEC and other message-based attacks fueled by weaponization of Generative AI tools
SlashNext, the leader in next gen AI cloud email, mobile, and web messaging security, today released its 2024 Mid-Year Assessment on The State of Phishing. This report is an update to SlashNext’s annual State of Phishing report, which the SlashNext Threat Labs team last issued in October 2023. The surge in phishing attacks reported at that time prompted the team to conduct another comprehensive analysis at the six-month mark to determine if the upward trend was persisting, especially as threat actors continue to leverage generative AI tools to aid their phishing, business email compromise (BEC) and other social engineering attacks.
Fueled by AI-generated attacks, the Mid-Year Assessment revealed a 341% increase in malicious phishing link, BEC, QR Code and attachment-based email and multi-channel messaging threats in the last six months alone. This was on top of a staggering 856% increase in malicious email and messaging threats over the prior 12 months. And, since the launch of ChatGPT in November 2022, there has been a 4,151% increase in malicious phishing messages sent.
“Humans have been, and will continue to be, the weakest point in any organization’s security,” said Patrick Harr, CEO, SlashNext. “There is a reason threat actors continue to iterate on tactics like phishing that have been around for decades – they are highly effective. According to Verizon’s 2024 Data Breach Investigations Report, humans are increasingly falling for phishing attacks and it now takes a median time of only 21 seconds for a user to click on a malicious link, and only another 28 seconds to then enter their personal data. We know from our research these attacks are getting a boost from generative AI tools that are readily available. Threat actors are using gen AI to customize messages for their victims, write more convincing messages, and dramatically accelerate the speed and volume of these attacks with little to no added cost.”
In looking at specific threat types, SlashNext Threat Labs found a 217% increase in credential harvesting phishing attacks and a 29% increase in BEC attacks in the last six months. Losses due to BEC attacks exceeded $2.9B in 2023, at an average cost of $137,000 per BEC incident, according to the recent FBI IC3 Report. In addition, mobile phones have emerged as the most utilized and vulnerable communications channel, with 45% of all mobile threats now being reported as SMS smishing attacks.
CAPTCHA-based attacks, particularly using CloudFlare, are also on the rise and they are being used to mask credential harvesting forms. Attackers are generating thousands of domains and implementing CloudFlare’s CAPTCHAs to hide credential phishing forms from security protocols that are unable to bypass theCAPTCHAs.
“Leveraging legitimate services like Microsoft Sharepoint, AWS, and Salesforce to hide phishing and malware is another favorite tactic employed by threat actors because it preys on users’ trust in these tools,” continued Harr. “In addition to CAPTCHA-based attacks, QR code-based attacks are growing in popularity and now comprise 11% of all malicious emails – often embedded in legitimate infrastructures. The onus should not be on users to identify and avoid sophisticated attacks, especially when the research proves that relying on training and traditional cybersecurity tools is ineffective against modern attack tactics. It’s time to fight AI with AI and implement AI-powered email and messaging security tools that keep malicious messages out of users’ inboxes altogether.”
To counter the growing sophistication of these cyberattacks, the SlashNext advanced gen AI security platform is specifically engineered to identify, anticipate and block complex BEC threats, phishing, and ransomware. Utilizing generative AI, natural language parallel prediction, computer vision, relationship graphs, and contextual analysis, the platform achieves an industry-leading detection rate of 99.99%. Discover more about the SlashNext platform and schedule a demo.
Download the full 2024 Mid-Year Assessment to The State of Phishing report.
SlashNext is cohosting a live webinar with the FBI on Wednesday, May 22 at 11 a.m. PT that will discuss key revelations from the 2024 FBI Internet Crime Complaint Center Report. Register for the live webinar, “BEC, Gen AI and the FBI 2024 IC3 Report: Exploring the Most Dangerous Cybercrime.”
Explore AITechPark for the latest advancements in AI, IOT, Cybersecurity, AITech News, and insightful updates from industry experts!
