September 26, 2019

One of the strongest reasons to promote ongoing cybersecurity awareness, combined with stringent cybersecurity practices, is the constant evolution of attack methods.

The number of cyberattacks faced by companies globally is increasing and cybercrime is on the rise, but so too is the sophistication of attacks.

A World Economic Forum (WEF) blog post penned by WEF’s Centre for Cybersecurity Head of Operations William Dixon and Equifax CISO Jamil Farshchi says “AI is transforming cybercrime,” and that:

“Cyberattacks are becoming more potent thanks to AI – but it’s helping those defending against them, too.”

CEO transfers €220,000 to cybercriminals after AI-powered fake call from his boss

The article uses the example of an artificial intelligence (AI) powered cyberattack which saw the CEO of a so far unnamed UK-based energy firm swindled into transferring €220,000 to what he thought was a supplier. The cybercriminals used AI-based software to impersonate the CEO’s boss at the energy company’s parent organisation during a call to request the money transfer. That is according to Wall Street Journal reporting and Euler Hermes, the insurers of the company involved. Rüdiger Kirsch, a fraud expert at the insurers, is reported by WSJ as explaining:

“The U.K. CEO recognised his boss’ slight German accent and the melody of his voice on the phone.”

In fact, the call was a “voice-spoofing” attack and potentially one of the first of its kind in Europe. Most cybersecurity tools aren’t prepared for fake AI voices, and security products that can detect what WSJ describes as “so-called deepfake recordings” are only recently emerging.

Knowledge is power

The attack is an important lesson in security awareness. Firstly, companies may need to consider whether their cybersecurity protocols need to be strengthened with newer protections. For those that can immediately afford it, that could mean better cybersecurity systems.

But, secondly and potentially more importantly, security awareness of the potential for this kind of attack is paramount. Awareness helps firms prepare, whether that’s with training or capital investment.

Awareness at all levels that this type of attack can occur gives employees, like the victim CEO, the opportunity to request simple verification of the contents of a telephone request. Maybe, had he known that attacks of this nature happen, he could have asked questions only his real CEO might know the answers to, or asked for the request in writing, for example.

Of course, that doesn’t offer complete protection, and we don’t know his level of awareness or all the details. Cybercriminals well equipped enough to use AI may also have access to detailed information or email accounts, but it could offer an extra layer of security that certainly wouldn’t hurt.

Executives responsible for authorising large and fast payments could even set passwords for just such requests. It’s a thought; it’s down to CEOs, CTOs and CISOs to add in the protection they need once they are aware of the threat, and to pass that security awareness throughout a business. Organisations can be attacked and infiltrated at any level.

Cybercriminals will adopt anything that works – including new technologies

Philipp Amann, Head of Strategy at Europol’s European Cybercrime Center, told WSJ that it is hard to predict whether more AI-enabled cyberattacks are likely, but that cybercriminals are more likely to use the technology if it works. WSJ writes:

“The attackers responsible for defrauding the British energy company called three times, Mr. Kirsch said. After the transfer of the $243,000 went through, the hackers called to say the parent company had transferred money to reimburse the U.K. firm. They then made a third call later that day, again impersonating the CEO, and asked for a second payment. Because the transfer reimbursing the funds hadn’t yet arrived and the third call was from an Austrian phone number, the executive became suspicious. He didn’t make the second payment.”

Cyberthreats are evolving to incorporate new technologies and to bypass cybersecurity, the WEF article confirms:

“Certain use of powerful developing technologies such as AI, 5G, biometrics and new encryption technologies will change the landscape of cybercrime for both attackers and defenders.”

Equifax and the WEF, which are planning events to explore how AI will change cybersecurity, say:

“Cybercriminals are adept at adopting any techniques or innovations that give them an edge over cybersecurity defences.”

The expert partnership suggests AI could increase both the volume, through automation, and the sophistication of cyberattacks. But companies can fight back by using AI and automation to add efficiencies to their own cybersecurity systems. The time taken for routine security processes could be reduced, lessening the “friction associated with following security requirements.”

Fight AI risk with AI response, but start with security awareness

Using AI and automation for security processes could free more human time for other aspects of defence, like security awareness and future planning. Fighting AI-powered cyberthreats with artificially intelligent cybersecurity is the very near future, especially for big business. These threats and the opportunities to use new technology to defend against them will become a risk and a potential response for all.

Here at The Defence Works we focus on delivering security awareness training to help businesses plan and build their own defences and to empower all employees to understand potential cyberthreats and how to overcome them to the best of their abilities.
