You may hear that 2025 will be the year of artificial intelligence (AI) cybercrime. But the trend really started in 2024.
AI crimes will become so overwhelming that some say the only way to combat them is with AI security software. But two incredibly simple, low-tech, common-sense techniques have recently emerged that should become everyone’s default choice in business and personal contexts. (I will tell you about them below.)
First, let’s understand how bad guys use AI.
The clear and present danger of AI-powered attacks
We are already seeing attackers use AI to generate phishing emails with perfect grammar and personalized details for each victim. Not only is the English grammar perfect, but with AI, any attack can be carried out in any language.
AI is even “democratizing” the ability to launch thousands of simultaneous attacks, a feat previously possible only in large-scale attacks by nation-states. The use of swarms of AI agents in 2025 will create a new and urgent risk for companies.
Phishing and malware, of course, facilitate multifaceted ransomware attacks that have wreaked havoc on healthcare organizations, supply chains, and other targets. Global ransomware attacks are expected to cost more than $265 billion a year by 2031, thanks in part to the power of AI in these attacks.
The increasing quality of deepfakes, including real-time deepfakes during live video calls, invites scammers, criminals, and even state-sponsored attackers to convincingly bypass security measures and steal identities for all kinds of nefarious purposes. AI-enabled voice cloning has already proven to be a boon for phone-related identity theft. AI allows malicious actors to bypass facial recognition protection. And AI-powered bots are being deployed to intercept and use one-time passwords in real time.
More broadly, AI can accelerate and automate virtually any cyberattack. Automated vulnerability exploitation, which allows malicious actors to quickly identify and exploit weaknesses, is a major advantage for attackers. AI also increases detection evasion, allowing attackers to maintain a persistent presence within compromised systems while minimizing their digital footprint, magnifying the potential damage of the initial breach.
Once large amounts of data are breached, AI is useful in extracting intelligence about the value of that data, allowing for rapid and thorough exploitation of the breach.
State-sponsored actors (especially Russia, Iran, and China) are using AI deepfakes as part of their broader election interference efforts in democracies around the world. They are using AI to create memes that impersonate or smear candidates they oppose and to create more convincing puppet accounts, complete with AI-generated profile pictures and AI-generated bot content on a massive scale. The goal is to create astroturf campaigns that can influence elections.
Rise of AI-powered spyware
A new HBO documentary from journalist Ronan Farrow, “Guarded”, investigates the rapidly growing multi-billion dollar industry of commercially available spyware. The most prominent, and probably the most effective, of these products is NSO Group’s Pegasus spyware.
According to the documentary, Pegasus can allow an attacker to remotely turn on a phone’s microphone and camera, record audio and video (all without any indication on the phone that this recording is taking place), and send that content to the attacker. It can also copy and exfiltrate all the data on the phone.
While Pegasus itself does not contain or use AI, it is used in conjunction with AI tools for targeting, facial recognition, data processing, pattern recognition, and other work.
NSO Group claims it sells Pegasus only to governments, but this claim has not yet been independently verified and no regulations govern its sale.
Two Simple Solutions Can Defeat AI-Powered Attacks
Tips to protect an organization from AI-powered cyber attacks and fraud are well known:
- Implement a robust cybersecurity policy and employ strong authentication measures, including multi-factor authentication.
- Regularly update and patch all software systems.
- Educate employees on cybersecurity awareness and best practices.
- Deploy firewalls and endpoint protection solutions.
- Secure perimeter and IoT connections.
- Adopt a zero-trust security model and apply the principle of least privilege for access control.
- Back up critical data regularly and encrypt sensitive information.
- Conduct frequent security audits and vulnerability assessments.
- Implement network segmentation to limit potential damage from breaches.
- Develop and maintain an updated incident response plan.
- Consider a human-centric security approach to address human error, a major factor in successful cyberattacks.
Combine these practices and you can significantly improve your organization’s cybersecurity posture and reduce the risk of successful attacks.
Although effective, such solutions are expensive, require expertise, and require continuous iterative efforts by large numbers of employees. They are not something that one person can do.
So what can each of us do to better protect ourselves against AI-enhanced attacks, fraud, and spyware tools on our smartphones? In addition to the usual best practices, the FBI and Farrow highlight two simple, easy, and completely free techniques for powerful protection. Let’s start with the FBI.
The FBI recently issued a warning about criminals exploiting generative AI to commit financial fraud on a larger scale. The warning is aimed at consumers rather than businesses, but its solution can work on a small scale within a team or between an executive and his assistant.
After listing the many ways scammers can use AI to steal identities, impersonate people, and socially engineer their way to committing scams and thefts, they say an effective way to quickly verify identity is to use a secret word.
Once established (not in writing…), the secret word can serve as a quick and powerful way to instantly identify someone. And since it’s not digital or stored anywhere on the Internet, it can’t be stolen. So, if your “boss” or spouse calls you to ask for information or transfer funds, you can ask for the secret word to verify that it is really them.
The FBI offers other tips, such as limiting audio, video or images posted online and always hanging up and calling the person back at a known number. But the secret word is the most useful tip.
Meanwhile, in his documentary, Farrow emphasizes a simple way to thwart spyware: restart your phone every day. He notes that most spyware is removed with a reboot. Therefore, restarting every day ensures that no spyware is left on your phone.
He also emphasizes the importance of keeping the operating system and applications updated to the latest version. That’s my advice too. Use general good practices to the extent your budget allows. But establish a secret word with coworkers, bosses, and family.
And restart your phone every day.