Learn what phishing is, how it is changing, and how you can protect yourself from this ever-evolving danger.
SANS: “Phishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks or fools their victim into doing something they should not do, such as giving a criminal money, sharing their password, or giving an attacker access to their computer. Cyber attackers have learned the easiest way to get something is to just ask for it.”
A Tale of the Three *ishings: Part 1 - What is Phishing?

Phishing has historically been limited by two things: quality at scale, and the barrier to entry.
Attackers could blanket millions of people, but doing so stripped them of the ability to tailor messages to individual targets and to handle back-and-forth dialogue. It also made those messages easy to detect. For many attackers even small-scale attacks were out of reach because they lacked the linguistic and manipulative skill to carry them off.
Quantitative improvements came from more people phishing, better tooling for fooling people and capturing valuable information in a convincingly legitimate way, and more standardized knowledge of best practices for conning people.
Quality at scale still could not be achieved, and defenders were making quantitative improvements of their own that were equally, if not more, effective.
"Today, many large language models (LLMs) can search the web in real time. AI agents, capable of autonomously designing workflows and performing tasks, can take it a step further by using the information they uncover to inform their actions.
It no longer seems like hyperbole to imagine an AI-based bot that can perfectly tailor social engineering attacks to specific individuals. All it needs is a threat actor to set it in motion."
Source: IBM

AI brings all of these possibilities to phishing, making quality at scale an achievable target now.
Don't take identity for granted; be certain of the identity of those you communicate with. Use an out-of-band channel: confirm that the sender of an email is who you think it is by sending them a question over a second tool such as Signal, and wait for the answer you expect before continuing the email thread. If you are still unsure, include a CAPTCHA-like challenge in your reply that they must complete to prove they are human; this trips up narrowly specialized AI tools. Check the identity evidence carried by the email itself, such as the sender domain and any cryptographic signature where one is expected.
Look over every message sent your way with a critical eye. The grammar may be better and the content more personalized, but manipulative messages still carry the signs of manipulation regardless of the dressing. Look for strong emotions, urgency, and stories that resemble past phishing even when the details have been adapted to you, such as a client who needs something and will cancel the service if they do not get it. Strip the messages you receive of their specifics and judge the underlying pattern, and insist on a back-and-forth before handing over anything important, to give yourself more time to sound them out.
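The two checks above, the identity evidence in the headers and the manipulation cues in the text, can be made mechanical. The script below is an added example written for this page, not the author's tool: it parses a message, compares the From domain against the envelope sender and the DKIM/DMARC verdicts in the Authentication-Results header (RFC 8601) that your own mail server adds, and then scans the subject and body for urgency, threat, channel-control and sensitive-ask cues. Both messages, every domain in them, and the cue lists are constructed for illustration; treat the cue lists as a starting point, not a complete taxonomy. One caveat: only trust an Authentication-Results header stamped by your receiving server, since an attacker can include a forged one in the original message and a correctly configured server strips those before adding its own.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample (not a real capture): the envelope and DKIM domain belong
# to a bulk-mailer, the From domain claims a client, and DMARC fails.
SUSPECT = """\
Authentication-Results: mx.example.net; dkim=pass header.d=mailer-bulk.example; spf=pass smtp.mailfrom=mailer-bulk.example; dmarc=fail header.from=bigclient.example
Return-Path: <bounce@mailer-bulk.example>
From: "Dana Reyes (BigClient)" <dana.reyes@bigclient.example>
To: you@example.net
Subject: URGENT: contract renewal before 5pm or we cancel

Hi,
I need the signed renewal and updated bank details in the next hour
or we will have to cancel the service immediately. Please don't call,
I am in meetings all day, just reply here.
"""

# Constructed control message: everything aligned, no pressure in the text.
CLEAN = """\
Authentication-Results: mx.example.net; dkim=pass header.d=bigclient.example; spf=pass smtp.mailfrom=bigclient.example; dmarc=pass header.from=bigclient.example
Return-Path: <dana.reyes@bigclient.example>
From: Dana Reyes <dana.reyes@bigclient.example>
To: you@example.net
Subject: Notes from Tuesday

Hi, here are the notes we discussed. No rush, have a look when you can.
"""

# Illustrative cue lists; extend from phishing you have actually seen.
CUES = {
    "urgency": ["urgent", "immediately", "within the hour", "in the next hour", "right away", "before 5pm"],
    "threat": ["cancel", "terminate", "suspend", "final notice", "last chance"],
    "channel control": ["don't call", "do not call", "just reply", "reply here", "keep this between"],
    "sensitive ask": ["bank details", "wire", "password", "gift card", "account number"],
}


def domain_of(addr):
    """Lower-cased domain of an address like 'Name <user@host>' (or a bare domain)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def parse_auth_results(header):
    """Map method -> (verdict, domain) from an Authentication-Results header.
    The first ';'-clause is the authserv-id and is skipped."""
    results = {}
    for clause in header.split(";")[1:]:
        m = re.match(r"(dkim|spf|dmarc)=(\w+)", clause.strip())
        if not m:
            continue
        dm = re.search(r"(?:header\.d|smtp\.mailfrom|header\.from)=([^\s;]+)", clause)
        domain = dm.group(1).rpartition("@")[2].lower() if dm else ""
        results[m.group(1)] = (m.group(2).lower(), domain)
    return results


def identity_findings(msg):
    """Header-level reasons to doubt the sender is who the From line claims."""
    findings = []
    from_dom = domain_of(msg.get("From"))
    ret_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    if ret_dom and ret_dom != from_dom:
        findings.append("envelope sender %s differs from From domain %s" % (ret_dom, from_dom))
    if reply_dom != from_dom:
        findings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    verdict, signer = auth.get("dkim", ("none", ""))
    if verdict != "pass":
        findings.append("no passing DKIM signature (dkim=%s)" % verdict)
    elif signer != from_dom:
        findings.append("DKIM signer %s does not cover From domain %s" % (signer, from_dom))
    verdict, _ = auth.get("dmarc", ("none", ""))
    if verdict != "pass":
        findings.append("DMARC did not pass for %s (dmarc=%s)" % (from_dom, verdict))
    return findings


def body_text(msg):
    """Concatenated text/plain parts, decoded with the declared charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def content_findings(msg):
    """Cue category -> matched phrases, with the specifics of the story stripped away."""
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = {}
    for kind, phrases in CUES.items():
        found = [p for p in phrases if p in text]
        if found:
            hits[kind] = found
    return hits


def triage(raw):
    """Combine both checks; recommend out-of-band verification when identity is
    in doubt or the text piles up two or more manipulation cue categories."""
    msg = message_from_string(raw)
    ident = identity_findings(msg)
    content = content_findings(msg)
    return {"identity": ident, "content": content,
            "verify_out_of_band": bool(ident) or len(content) >= 2}


if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("CLEAN", CLEAN)):
        print(name, triage(raw))
```

The identity checks only reproduce what DMARC alignment already asks: does the domain that was actually authenticated match the domain the reader sees. The content checks deliberately ignore who the story is about and what it asks for, and keep only the shape: urgency plus a threat plus "don't call me" is the pattern worth pausing on, whichever client or invoice it has been dressed in.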
Be paranoid. This is one of the best defenses you can have. Protecting yourself is a long journey and an attack can sneak in at any time, so be ready. Have tools that help you safely open and check the material you receive, such as DangerZone and SquareX. Use tools like SMSPool and ToS;DR to limit the data you give out, which limits the data an attacker can use against you later and may take you off the target list altogether. Evaluate your threat model and find the workflows that suit you, so that double-checking becomes a habit and acting on autopilot becomes the exception.