Generative AI will enable anyone to launch sophisticated phishing attacks that only next-generation MFA devices can stop
The least surprising headline of 2023 is that ransomware is once again setting new records for incidents and damage caused. We see new headlines every week, featuring a who’s who of well-known organizations. If MGM, Johnson Controls, Chlorox, Hanes Brands, Caesars Palace and many others couldn’t stop the attacks, how could anyone else?
Phishing-driven ransomware is a cyber threat that is bigger and more dangerous than all others. CISA and Cisco report that 90% of data breaches are caused by phishing attacks, causing economic losses totaling more than $10 billion. A Splunk report shows that 96% of companies have been hit by at least one phishing attack in the past 12 months, and 83% have been hit by two or more.
Over the past 20 years, those of us working in the cybersecurity field have witnessed incredible advances in defense. The only thing that hasn’t progressed is humanity. Users in every organization are no more advanced than they were twenty years ago in preventing cyberattacks. This is why phishing is so effective against cybercriminals – because it exploits human weakness, not technology. This makes traditional MFA the most critical defense mechanism. Guess what, most companies are using the same 20-year-old traditional MFA technology.
That’s why things get worse. With the rise of generative artificial intelligence (GenAI), cybercriminals are able to take phishing to a whole new level, making every attack nearly impossible for users to identify, and attackers can now do it effortlessly. Read on to learn why and what you can do about it.
What does GenAI have to do with phishing?
Phishing uses deceptive communications (emails, text messages, and voice messages) to trick users into revealing sensitive information, including login credentials, passwords, one-time passwords, personal information, and clicking on fake approval messages.
Cybercrime groups are learning to harness the power of GenAI tools, such as scam versions of ChatGPT, to create more convincing and realistic phishing messages. This highly personal and context-aware text is virtually indistinguishable from normal human communication. This makes it difficult for recipients to distinguish between real and fake messages. The LLM also allows almost anyone (not just hacking experts) to launch a phishing attack.
Additionally, traditional anti-phishing solutions are unable to effectively detect the latest phishing messages created by GenAI. GenAI content lacks telltale signs of phishing, such as typos or common language. Phishing detection tools rely on pattern recognition and known phishing indicators that no longer exist. Perhaps even more concerning, GenAI tools enable cybercriminals to conduct highly targeted phishing campaigns at scale. Threat actors can now automatically generate a nearly unlimited number of customized phishing messages for a wide range of victims.
Changing anti-phishing strategies
The explosive growth of GenAI-powered phishing attacks raises a big question: Will we be able to spot hyperreal fakes? Are we losing the fight against phishing?
This issue has prompted many companies to re-examine their anti-phishing strategies. To combat phishing attacks head-on, they must upgrade the primary targets of phishing: credentials and legacy MFA. Eliminate reliance on traditional credentials with passwordless and replace 20-year-old legacy MFA technology by implementing next-generation MFA.
Smart companies are moving away from usernames and passwords to passwordless authentication. However, these solutions, while a huge leap forward, have their limitations. Lost, stolen or damaged non-biometric devices can be used for unauthorized access, and mobile phones and other BYOD devices are outside the control of the organization and are susceptible to all types of malware downloaded by users.
For these reasons and others, security-first companies are deciding to move to next-generation multi-factor authentication.
Next generation MFA: Disrupting the phishing attack surface
Next-generation MFA replaces traditional credentials, password-based authentication, and inconvenient and vulnerable legacy MFA solutions. The next generation MFA paradigm relies on physical wearable devices that are FIDO2 compliant, which remove the human element from phishing, making them virtually phishing proof. These cutting-edge biometric wearables also protect organizations from BYOD vulnerabilities, lost and stolen credentials, weak passwords, credential stuffing, MFA prompt bombing, and SMS one-time passwords that are easily stolen. Unlike traditional MFA, attackers simply cannot bypass next-generation MFA through malware, MFA fatigue attacks, adversary-in-the-middle (AiTM) attacks, and other methods. Because the authenticator remains with the user at all times, wearable, next-generation MFA tokens are always secure and immediately available for authentication. Only authorized users can use the device, and no attacker can access the secrets, keys and biometric information stored on it.
GenAI is powering the coming tsunami of phishing attacks that effectively eliminate traditional phishing defenses and render traditional MFA obsolete. Wearable, next-generation MFA devices such as Token Rings block the most sophisticated phishing attacks and are the best defense against the coming phishing apocalypse.
Visit tokenring.com to learn more about how Token’s next-generation MFA can stop phishing and ransomware from harming your organization
