Employees gather around desk computer in office

Social engineering is a cunning cyberattack technique that exploits deception and manipulation to coerce individuals into disclosing their personal information, such as passwords, credit card numbers, or bank account details. These attacks can take various forms, including phishing emails, fraudulent calls, or bogus websites. Unfortunately, social engineering attacks are evolving and becoming more convincing thanks to generative AI.

What is generative AI?

Generative AI is a technology that can create authentic content, such as text, voice, or images, based on data or examples. While it has legitimate uses in fields like art, entertainment, and education, it's also being harnessed for nefarious purposes, making social engineering attacks harder to detect and more effective.

For instance, cybercriminals can employ generative AI to craft fake emails that mimic the writing style and tone of someone you know, like your boss, colleague, or friend. These deceptive messages might instruct you to click on a link, open an attachment, or share sensitive information. The consequences can be dire, ranging from phishing schemes to malware infections or identity theft.

Similarly, generative AI can be used to fabricate fake voice or video calls that sound or look like they're from trusted contacts. These fake calls may request confirmation of personal details, demand payments, or prompt you to download files. Falling for these tricks can lead to identity verification, unauthorized transactions, or malware infections.

6 ways to detect social engineering attacks

So, how can you detect and prevent these generative AI-powered social engineering attacks?

  1. Sophisticated language and writing style: Be cautious of emails that use overly formal or unusual language that doesn't align with the typical communication style of the organization. AI can mimic legitimate writing styles effectively.
  2. Personalization: Pay attention to emails that include specific personal details or references that only someone with insider knowledge would possess. This level of personalization is a hallmark of AI-generated phishing attempts.
  3. Realistic sender names and addresses: Verify the sender's email address and domain carefully. AI can craft sender names and addresses that closely resemble legitimate ones, making it challenging to spot fake messages.
  4. Dynamic content: Be skeptical of emails that appear to react to your actions, such as changing content based on whether you click a link or open an attachment. AI-powered phishing emails can generate dynamic content to deceive recipients.
  5. Emotional manipulation: Watch out for emails that attempt to evoke emotions like fear or urgency to manipulate you into taking quick actions. AI-generated phishing emails may play on your emotions to deceive you.
  6. URL manipulation: Hover over links in emails to reveal the actual URL before clicking. AI can create deceptive URLs that closely resemble legitimate ones, making it crucial to verify links' authenticity.

These factors are particularly critical because they address various tactics cybercriminals use to make their phishing emails appear convincing and authentic. Staying vigilant and applying these checks can help you avoid falling victim to AI-driven phishing attacks.

By being aware of the most common cyberattacks—and how to avoid them—individuals can protect themselves and the things they care about. Learn more in our Cyber Resource Center.