Give a guy a fishing kit and you might get lucky a few times. If KnowBe4’s latest phishing trends report is accurate, teaching AI to phish will change the game forever.
The cybersecurity and phishing awareness organization released the seventh edition of its Phishing Threat Trends Report on Thursday. Thanks to the proliferation of AI, many phishers on the internet seem to be turning to it in more ways and more often than ever before.
According to the report, nearly 86% of phishing campaigns discovered by threat researchers at KnowBe4 over the past six months included the use of some form of AI. This share has risen slowly and steadily over the past two years: in 2024, 80% of phishing campaigns used AI, and last year 84% did. This suggests that holdouts are increasingly deploying AI technology to expand their reach.
While these numbers may be alarming enough, KnowBe4 points out that the biggest problem is how AI is used. Well-written and highly personalized phishing messages created by AI are bad enough, but AI is also automating the reconnaissance and intelligence-gathering stages of campaigns, speeding up the phishing process and freeing attackers to pursue multiple attack vectors to better gain their victims' trust.
While the report does not summarize the vectors as a percentage of overall phishing attacks, it notes a 49 percent increase in phishing attacks involving calendar invites, and a 41 percent increase in attacks involving Microsoft Teams messages impersonating co-workers, such as IT support employees, to collect credentials and more.
Savvy multi-vector phishing operations still often begin with email, and this is one of the big areas where AI is expanding the phishing landscape, according to the report. Automated reconnaissance allows attackers to comb through large amounts of information to extract targeting data and feed it into AI-generated email lures. These campaigns start from a basic template and tailor it so that each message is unique to its recipient. The result is a phishing message that is far less likely to be noticed than a typical phishing message that relies on misspellings and poor grammar to filter out users who are capable of critical thinking.
Data from the report suggests that email is just the beginning of modern phishing campaigns, as calendar invites and a rise in malicious Teams messages are often the second stage of an attack.
IT teams are one of the most common groups impersonated through phishing attacks, so it’s easy to imagine a phishing email followed by a Teams message from someone claiming to be from your help desk, asking you to click a link to reset your password or read and sign a new policy via DocuSign. Both methods ultimately provide the attacker with credentials or remote access, giving them what they were after.
According to Microsoft, AI-powered phishing campaigns are 4.5 times more effective than human-authored phishing campaigns. Meanwhile, the FBI announced that cybercrime losses in the United States reached a record $20.87 billion last year, with phishing scams being the most common complaint; AI-related scams accounted for about $893 million of that amount. ®
