
Social Engineering Attacks & AI

By Chris Sullins

How Personalized Attacks are Changing the Game

As artificial intelligence continues to push the boundaries of technological innovation, it has also given attackers new tools for carrying out more advanced social engineering attacks. Adding fuel to the fire, the shift to remote and hybrid work has increased the share of business conducted through email, chat and video, expanding the attack surface for malicious activity.

Social engineering works by manipulating human emotions to trick people into revealing sensitive information or compromising security, for example by clicking a malicious link. AI-powered social engineering goes a step further by producing highly personalized, convincing attacks at scale that are difficult to detect.

How AI Helps Hackers Create Personalized Attacks

With AI, attackers no longer have to spend time manually researching you or your organization to build a profile. They can automate the collection of large amounts of data about you from social media, leaked databases, and other public sources such as real estate transactions or press releases.

Think of all the information that is available about you on social media sites, especially LinkedIn. An attacker can feed this data into a large language model, like ChatGPT, and instruct the model to analyze it and draft tailor-made messages that reference your recent activities, your family, friends and colleagues, and your company. It can even produce a personality assessment of you, which tells the attacker which emotional lever is most likely to work.

These highly customized messages seem legitimate and the hacker often impersonates an actual person or organization, like a boss or colleague, a journalist, a contractor/vendor, a conference organizer, or even the Department of Labor.

How to Avoid Falling for These Scams

While some lazy attackers send emails that still contain leftover chatbot verbiage like, “Certainly, here’s your message translated into professional English,” many AI-generated social engineering attacks are difficult to detect. They often get past email security filters because a well-written, personalized message has none of the spelling mistakes, generic phrasing, or known malicious attachments that filters and users have learned to flag. The key is to remember that social engineering relies on manipulation, which is usually done through emotional triggers, such as fear, urgency, curiosity, the desire to please, or just good old greed (You’re a winner!).

To outsmart scammers, make skepticism a habit by adopting the following practices:

1. First and foremost, be wary of ANY interaction that asks for personal information about you or your organization. Whether it’s an email, text message, or phone call, if someone is asking for information like passwords, Social Security numbers, credit card numbers, or financial details, treat it as a red flag. This goes for customer service chatbots too, because a chatbot can be compromised or impersonated. And be wary of online quizzes, which are another source of data gathering for cybercriminals.

2. Don’t click on links or open attachments without double-checking. This is one of the easiest ways to get compromised by a phishing email. Hover over (or long-press) a link to see where it really points before following it, and submit the link or attachment to a scanner like VirusTotal. Keep in mind that a clean scan result is not proof of safety: a freshly registered phishing domain or a newly built attachment often has no detections yet, so if the request itself is suspicious, the scan result does not settle the matter.

3. Always be suspicious of messages that direct you to log on to a site to change your password or to download a software update, even if the site or software is one you use every day. Go to the site by typing the address yourself or using a bookmark rather than following the link in the message.

4. Check the sender’s actual email address, not just the display name, and see whether it matches the official domain of the organization that is supposedly sending it. Large organizations don’t send official mail from public webmail providers, so john.doe.microsoft@gmail.com is not a Microsoft address no matter what the display name says. Also watch for cleverly misspelled or look-alike domains, such as john.doe@microsft.com (a missing letter) or rnicrosoft.com (“rn” in place of “m”), and for the real brand name buried inside an unrelated domain, such as microsoft-account.net.

5. Always verify requests for sensitive information or payments, especially if they are urgent or unusual, even if the message appears to be from your boss or another executive. Verify through a channel you already trust, such as calling back on a number you have on file, never one supplied in the message itself.
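The sender-address checks in step 4 can be automated. The following is an added example written for this article, not code from the author or from any email product. Given the From: header of a suspicious message, the domain you expect the sender to use, and the brand name being claimed, it flags the patterns described above: a public webmail address posing as a company, a typosquatted or homoglyph look-alike domain, a brand name buried in an unrelated domain, and a display name that claims an identity the address does not back up. The webmail list, the homoglyph table, and the sample headers are all constructed for this example.

```python
"""Heuristic sender-address checks for phishing triage (added example)."""
from email.utils import parseaddr

# Constructed for this example; extend for your environment.
PUBLIC_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
                  "icloud.com", "proton.me", "aol.com"}

# Character substitutions attackers use because they look alike at a glance.
# Constructed list; a production checker would use a fuller confusables table.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""))


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse look-alike character sequences so rnicrosoft.com == microsoft.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def registrable(domain: str) -> str:
    """Last two labels of the domain. Assumption for this example: it ignores
    two-level public suffixes such as co.uk; use a public-suffix list in production."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])


def check_sender(from_header: str, expected_domain: str, org_name: str) -> list:
    """Return a list of finding codes for a From: header.

    An empty list means the address is on the expected domain (or a subdomain
    of it). Anything else is a reason to verify through a trusted channel.
    """
    findings = []
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-address"]
    local, domain = addr.rsplit("@", 1)
    domain, expected, org = domain.lower(), expected_domain.lower(), org_name.lower()

    if domain == expected or domain.endswith("." + expected):
        return findings  # genuine domain; nothing to report from the address alone

    if domain in PUBLIC_WEBMAIL:
        findings.append("public-webmail")
    elif normalize(domain) == normalize(expected):
        findings.append("homoglyph-lookalike")
    elif levenshtein(registrable(domain), registrable(expected)) <= 2:
        findings.append("typosquat")
    elif expected.split(".")[0] in domain or org in domain.replace("-", ""):
        findings.append("brand-embedded-in-other-domain")
    else:
        findings.append("unrelated-domain")

    # Identity claims made outside the domain, where the sender controls the text.
    if org in local.lower():
        findings.append("brand-in-local-part")
    if org in display.lower():
        findings.append("display-name-claims-brand")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        "John Doe <john.doe.microsoft@gmail.com>",
        "John Doe <john.doe@microsft.com>",
        "John Doe <john.doe@rnicrosoft.com>",
        "Microsoft Support <alerts@microsoft-account.net>",
        "IT Helpdesk <helpdesk@mail.microsoft.com>",
    ]
    for header in samples:
        print(f"{header:50} -> {check_sender(header, 'microsoft.com', 'Microsoft')}")
```

These are the human-readable checks a reader can apply by eye; they complement, and do not replace, the SPF, DKIM and DMARC authentication results your mail gateway records, and a message that passes every heuristic here can still be a phish sent from a compromised legitimate mailbox, which is why step 5 still applies.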

Don’t Be a Victim

AI has made social engineering more dangerous by helping hackers create convincing and highly personalized scams. Because online interactions remove the ability to assess the sender’s verbal and visual cues, it’s harder to tell when you’re being deceived. But with a little caution and common sense, you can avoid falling victim to these attacks.