How AI and deepfakes are redefining social engineering threats

This article presents key insights from 2024 reports on the rise of phishing attacks, focusing on how advancements in AI and deepfake technology are making social engineering tactics more sophisticated.

Cybercriminals exploit file sharing services to advance phishing attacks

Examining data collected between June 2023 and June 2024, Abnormal saw file-sharing phishing volume more than triple, increasing 350% over the year. The majority of these attacks were sophisticated in nature, with 60% exploiting legitimate domains, most commonly webmail accounts, such as Gmail, iCloud, and Outlook; productivity and collaboration platforms; file storage and sharing platforms like Dropbox; and e-signature solutions like Docusign.

AI-driven phishing attacks deceive even the most aware users

 GenAI tools enhance the credibility of phishing communications by eliminating spelling and grammatical mistakes. Moreover, GenAI can quickly create sophisticated phishing pages or extend its capabilities to generate malware and ransomware for secondary attacks.

AI set to play key role in future phishing attacks

In 2021 and 2022, QR code payloads in phishing emails were relatively rare – accounting for 0.8% and 1.4% of attacks respectively. In 2023, this jumped to 12.4% and has continued at 10.8% for 2024 so far. Social engineering has also increased, now representing 19% of phishing attacks and phishing emails are over three times longer than they were in 2021, likely due to the increase in use of GenAI.

Image-based phishing tactics evolve

93% of IT and security professionals are aware of image-based phishing attacks targeting their organizations, and 79% say the same about QR code attacks. 76% of organizations were still compromised by image-based and QR code phishing attacks over the past 12 months.

95% believe LLMs making phishing detection more challenging

81% of reporting businesses have seen increased phishing attacks in the past year. Phishing will remain the top social engineering threat to businesses throughout 2024, surpassing other threats like business email compromise, vishing, smishing or baiting. While 88% of respondents feel confident in their phishing testing programs, only 16% of users identify 75-100% of suspicious activity within these phishing testing programs.

Organizations need to switch gears in their approach to email security

96% of surveyed organizations experienced negative impacts from phishing attacks, which is a jump of 10% versus last year’s report (when the number sat at 86%). Findings from the report show that leaders are taking a tough stance with employees caught by phishing attacks with negative outcomes for the people involved happening in 74% of companies.