AI-Enhanced Phishing Is The Latest Threat Your Business Must Defend Against

AI-enhanced cyberattacks are expected to be the top threat to business security in 2025, GetApp’s 6th Annual Data Security Report reveals. Specifically, 37% of IT professionals in the U.S. are most worried about the rise of AI-powered phishing attacks. Because generative AI tools can be used to create and automate advanced phishing campaigns, phishing emails have become harder for employees to spot, which makes it easier for criminals to steal money and sensitive information. In fact, these attacks cost businesses roughly $17,700 per minute on average. It’s therefore important that you understand the threat of AI-powered phishing and implement stronger security practices to protect your business, data, and bottom line.

AI-powered phishing: How does it work? 

Since the launch of ChatGPT in November 2022, phishing attacks have increased by 4,151%. Cybercriminals can use ChatGPT and similar generative AI tools to compose believable emails without the bad formatting, misspelled names, and grammatical errors that typically appear in traditional phishing emails and tend to make them easier to recognize. Now, with the help of AI, deceptive emails can be crafted with greater accuracy and in a professional tone, so they’re more believable to read. Generative AI models can also include relevant and current information from reliable news or business sites. All of this makes the email sound legit and more likely to convince the recipient to take the action asked of them (whether that’s to click a link or enter sensitive details, for example).

In fact, some cybercriminals have made their own generative AI models (like WormGPT or PoisonGPT) for the purpose of phishing. These models are accessible via the dark web: a hidden part of the internet that you need special software to access. Notably, hacking tools downloaded on the dark web recently increased by 65%. Although it comprises just 5% of the total internet, the dark web heavily fuels cybercrime, including phishing, with the average data breach now costing businesses $4.88 million. As cybercriminals can easily access tools and resources to launch increasingly sophisticated attacks, you need to prioritize cybersecurity to keep your business safe.

Train employees to recognize AI-enhanced phishing 

95% of all cybersecurity problems that affect businesses are the result of human error. So, although AI is responsible for the rise of increasingly sophisticated phishing threats, human employees remain a business’s weakest security link. It’s therefore vital to train your employees to recognize the signs of AI-powered phishing. As part of cybersecurity training, employees should learn to spot the language phishing messages commonly use. For example, there’s typically a sense of urgency conveyed: you may be pressured to respond immediately or within just a few hours.

Similarly, employees should know to verify the email address used in suspicious emails. It never hurts to get in touch with the individual (or organization) who sent the email. But never reply to the email directly or use the contact info it contains. Only use contact details already known to be legitimate, or source email addresses/phone numbers from official websites or channels, to verify whether or not the email comes from a legitimate sender.

Establish clear reporting protocols

Your employees also need to know how to report suspected fraudulent emails. You may decide to set up a dedicated email account or phone line purely for this purpose. As part of cybersecurity training, explain to employees how and when they should make reports. The earlier a report is made, the easier it is to contain the situation and mitigate damage. You may also want to set up an internal messaging channel where employees can ask each other about suspected phishing emails. This helps create an open, positive, and supportive environment around cybersecurity that makes it easier for employees to speak up when they have a problem. 

Level up security with passphrases

Simple cybersecurity practices ward off 99% of attacks. So, if you haven’t already, implement security best practices to protect your network and sensitive data. For example, passphrases are now considered superior to traditional long and complex passwords. Passphrases are a combination of random words that form a phrase or sentence, usually between 40 and 100 characters in total. As passphrases are much longer than passwords, they become that much harder to crack and can more effectively prevent unauthorized access to accounts and devices.
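The passphrase approach described above, as an added example that is not part of the original article: it generates a passphrase with a cryptographically secure random source and shows how the number of random words and the size of the word list determine how hard it is to guess. The 32-word list is constructed for illustration, and the 94-character password alphabet and 7,776-word list size are assumptions used for comparison.

```python
import math
import secrets

# Constructed sample list (assumption). Real generators draw from a large
# published list, e.g. a 7,776-word diceware list.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "nectar", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bridge", "copper", "dolphin", "falcon", "glacier", "hammer", "ivory",
]

def generate_passphrase(words, count, sep=" "):
    """Join `count` words picked uniformly at random with the OS CSPRNG."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates; entropy estimate would be wrong")
    return sep.join(secrets.choice(words) for _ in range(count))

def passphrase_entropy_bits(list_size, count):
    """Entropy of `count` independent picks from a list of `list_size` words."""
    return count * math.log2(list_size)

def password_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)

def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

if __name__ == "__main__":
    # Baseline: 12 random characters from 94 printable ASCII symbols (assumption).
    target = password_entropy_bits(94, 12)
    print(f"12-char random password: {target:.1f} bits")
    for size in (len(SAMPLE_WORDS), 7776):
        n = words_needed(size, target)
        bits = passphrase_entropy_bits(size, n)
        print(f"{size}-word list: {n} words -> {bits:.1f} bits")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 8))
```

The estimate only holds when the words are chosen by the generator; a phrase a person makes up, or a quote, is far more predictable than its length suggests.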

Over 80% of data breaches also stem from poor, reused, or stolen passwords. Employees should consequently change their passwords/passphrases regularly — once every 90 days is the standard recommendation. However, for accounts that have access to sensitive data, monthly password changes may be more suitable. 

AI-enhanced phishing is the latest threat your business needs to defend against. If you take steps to train employees and strengthen basic security practices, you’ll more successfully ward off phishing attempts and keep your business, and its data, safe.
