Yes, cybercriminals are out to get you too – with a little help from AI

Sep 28, 2023


Rozena Crossman

Journalist and translator based in Paris, France.

New developments in artificial intelligence are making digital crimes easier to commit than ever – and it’s not just big companies that need to take care. All kinds of workers, from freelancers to admin staff to top executives – and everyone in between – are vulnerable. Just what kind of a threat do they pose? And what can you do to make sure you are protected? Welcome to the Jungle asked cybersecurity experts for their best advice as to what’s going on and how you can protect yourself.

Cybercriminals don’t often make the news, but when they do, usually it is because they have been caught attacking big businesses or governments. So it’s easy to assume that it’s best left to the professionals to worry about. Maybe you’re just an average specimen of the labor market working for a small, local business. Or maybe you’re a freelancer churning out content for various clients. Or perhaps you are just one of many cogs in the wheel of a big corporation. You don’t earn a ton of money, have access to national secrets, and you’re not responsible for any big business decisions. Why would a cybercriminal target you? Because AI advancements are increasing productivity in every industry — including cybercrime, according to industry insiders.

“Those same trends that generate business efficiency — the cloud, macro technology trends, mobile — hackers are using those exact same technology trends to become more efficient,” says Greg Wetmore, vice president of product development at Entrust, a cybersecurity firm. The latest tech trend to benefit these bad actors is generative AI, aka the algorithms that create content based on whatever you ask them. In a matter of seconds, generative AI tools such as ChatGPT and GitHub Copilot can write an email in the exact tone of your boss or spit out code for malicious software.

“Hacking is a business. These entities operate as businesses,” says Wetmore’s colleague Anudeep Parhar, Entrust’s chief operating officer. “If they see value in large businesses, that’s what they go after. But if you think about ChatGPT now, it gives them the multiplier effect. You could scale so fast that it is actually beneficial for them to go downmarket to individuals and small businesses as well.”

The average amount that companies worldwide with fewer than 500 employees lose when a hacker gains access to their confidential data is $3.31 million — that’s a 13.4% increase from last year, according to a 2023 report from IBM. And the insurance firm Hiscox, which surveyed more than 5,000 employee cybersecurity strategists, found that businesses earning $100,000 to $500,000 are susceptible to as many cyber attacks as companies making $1m to $9m annually. “I fully expect that [hacking] is going to open up to individuals and small businesses because now, at scale, that’s going to become a lucrative business for a lot of bad actors,” says Parhar. “They could go after one large company which has a lot of controls, or they can go after 10,000 small companies that don’t have enough controls.”

Who is vulnerable to attacks?

Employees at large corporations aren’t off the hook either. All it takes is a single worker clicking on one bad link to send a virus through a company’s system. Independent contractors also need to watch out: Hackers know they may be working with juicy clients and privy to useful information, yet lack their clients’ resources to block cyberattacks. That’s when hackers use something called ‘chaining,’ according to Shishir Singh, executive vice president and chief technical officer for Blackberry’s cybersecurity products. “If [a hacker wants] to get to somebody, [they] need to know how [they’re] hoping to get there. So if people know that I’m close to my CEO, they can get to me to get to my CEO,” says Singh.

Any workers speeding up their tasks with public bots such as ChatGPT are putting themselves at even greater risk, as all the information typed into a question or command is stored by the bot and can be hacked back out. Just take the recent Def Con hacking convention, where Google, OpenAI, Meta and other generative AI leaders invited over 2,000 hackers to test the security of their bots. Many flaws were exposed, such as one cybersecurity student who extracted credit card information just by typing in the right prompts. This new hacking technique, known as “prompt injection,” doesn’t even require coding knowledge. While many of America’s largest employers have banned their staff from using these bots at work for the time being, that could change fast. LinkedIn’s latest Future of Work Report found that 40% of US executives think “generative AI will lead to more revenue opportunities in the coming year,” and Gartner reports that 70% of the organizations it polled are exploring ways to use this new tech.

“No company is immune, I can tell you that much,” Singh says. And hacking continues to expand, as one BlackBerry report estimates about 11.5 cyberattacks were sent out every minute between March and May 2023 — a 13% increase on the same period last year.

With this in mind, Welcome to the Jungle has investigated how today’s hackers work, what they’re after and how you can avoid being the employee who accidentally exposed their company to a big fat cyberattack.

The three things you need to protect

Much like the structures that support our physical world, there is now a whole digital ecosystem that we depend on heavily. Disruptions to these systems can cause severe harm. These are seen in the form of power outages, ransomware attacks at hospitals or disruption to oil pipelines so essentials such as food and medicine can no longer be transported. Cybercriminals are essentially predators who understand these systems better than most of their prey, striking at three fundamental parts of digital communication: identity, infrastructure and data.

1. Identity

From your customers to your colleagues, almost everyone uses “some sort of digital identity to identify themselves, to communicate with each other, to access resources, which are either company resources, public resources or customer resources,” says Parhar. These identities are made up of credentials such as your username, password and other account information. According to Verizon’s 2023 Data Breach Investigations Report, one of the three main ways bad guys get access to a business’ infrastructure or data is through compromised credentials. But it also leads to other ways of causing mayhem. “If I know somebody’s credentials, essentially, I can impersonate them and do whatever they can do,” Parhar says. “Somebody can send malicious emails, or they can steal your documents. They can put in ransomware-type attacks where they bring your system to a halt. They can take your data.”

2. Infrastructure

Metaphorically speaking, cyberinfrastructure is the streets and buildings that contain the digital world. It’s where all the identities interact with each other and where data is kept. From wi-fi networks to the cloud, these systems store and transport sensitive information — and, therefore, are hot targets for attacks.

3. Data

Aka information, which is what many hackers are after. Often, they go for obvious booty such as banking details or trade secrets. In May, the personal data of 237,000 current and former federal government employees was exposed in a data breach. Sometimes, they’ll leverage the theft of more mundane data. Twitter learned this the hard way in January when a hacker under the pseudonym “Ryushi” threatened to publish the emails and phone numbers of over 400 million users unless the company paid him $200,000. But compromised data can also wreak other types of havoc, such as the Saudi Aramco data breach when a political opponent found and deleted the company’s data, erasing 30,000 company computers in one day.

How you could get attacked

Cybercrime is a creative industry, and there are myriad ways to pounce on someone who is working online, whether as an employee or a freelancer. Here are a few common tricks cybercriminals use, and how generative AI is ramping them up.

Phishing

Emails or texts sent from bad actors trying to trick you into sharing confidential information or clicking on a link that’s infected with malicious software (“malware”) are called “phishing scams,” and they are the primary source of most attacks, according to Singh. “That’s where it starts.” Singh gives an example he sees frequently: “Let’s say I’m trying to get to you and through you to others. I’ll send one document saying, ‘Hey, you have been promoted. Here is your new paycheck with an increase.’ I have inserted something into the Microsoft Word document or Microsoft Word Excel, and as soon as you click on that Word document the whole system gets infected. And then the software gets used by somebody else. Now, I’ve infected 2,000 people right there.”

Previously, most of these fake messages were easy to detect, as they were often written by non-English speakers or primitive bots. But with generative AI like ChatGPT, “the days of getting a phishing email where the grammar is bad and the spelling is bad, and you can kind of tell that it was generated by a machine — those days are essentially gone,” says Wetmore. “Because you can create content that is very convincing, as if your CEO wrote it, or as if your grandmother wrote it.”

Generative AI also makes it easier for phishing attacks to migrate from email to social media, as these bots’ impressive ability to create images and imitate writing styles makes it easier to tailor the scam to the victim. “LinkedIn is a perfect example,” says Singh. “If somebody wants to know about my background or who I am, where I’ve gone, which colleges I’ve gone to, it’s very easy [to get the] information. They can go to LinkedIn and they can pretend that they are one of the interested parties and want to be connected with me.”

Cracked passwords and stolen credentials

You don’t need to click on an infected link to have your password stolen. PassGAN, a generative AI tool, sifts through a dataset of real, leaked passwords to help hackers figure out what yours might be. One study by Home Security Heroes found that PassGAN can crack 51% of common passwords in under a minute and 81% in under a month.

Bad actors also use other types of AI to snag your password. Researchers from three British universities recently used deep learning to decipher passwords by listening to the sound of them being typed. For the time being it’s more common for a victim to unwittingly put their information into one of the many fake websites, which are proliferating thanks to how fast hackers can produce code, text, images and audio with generative AI. One journalist used an AI-generated voice to hack into a bank account, as the phone banking service used voice recognition instead of passwords. “I think every organization, small or large, needs to understand that almost every [data] breach nowadays starts with some kind of credential theft,” says Wetmore.

Attacks through public wifi

You’re riding the telework wave and talking to your boss on Slack from a café, unaware that someone is using the café’s wifi to intercept your communications. Known as a Man-in-the-Middle attack, this digital form of eavesdropping is just one way hackers can use a public wifi connection against you. They can also take advantage of these less secure connections to spy on what you’re doing online, or install malware on your work device. As a cybersecurity professional, Singh feels that “life was easy 20 years back when an office was your workplace. Now, there is nothing called ‘office’ as your workplace. You are sitting in an airport. That’s your workplace. You are sitting in Starbucks. That’s your workplace. You are traveling. It doesn’t matter where you are. Now, that has opened a lot of backdoors for hackers to come in.”

Generative AI has sped up the coding process necessary to carry out these kinds of attacks, with spin-offs of ChatGPT cropping up to help hackers use this new tech while circumventing ChatGPT’s guardrails against cybercrime. Though Singh has yet to see generative AI help create certain types of malware, he’s “sure it’s a matter of time until we will see that generative AI is being used to generate that complex code.”

Blackmail

Once a cybercriminal has access to sensitive data, it’s a common tactic to hold the data hostage or threaten to leak it to the public unless the hacked party pays up. But generative AI is making it easier to blackmail victims without even hacking into their accounts. One mother in Arizona received a frightening phone call from her kidnapped daughter, only to find out the perfectly identifiable voice had been fabricated by AI. Whether they’re video or audio, these deepfakes “sound like the person you’re expecting to hear, or looks like the person you’re expecting to see, asking you to do something,” says Wetmore.

This also represents a reputational risk for businesses, explains Singh. “For example, they can be used to imitate a company’s CEO making polarizing statements on sensitive political issues and impacting the share prices, or defaming him in any kind of context,” Singh says. “From a business perspective, deepfakes are ideal for scams. And the goal is to get more money or access to sensitive company data.”

How to protect yourself

Global cybersecurity doesn’t need to be hard, according to Wetmore. Here are some best practices to keep your work safe:

Strong passwords

Weak, obvious passwords are one of the biggest issues keeping cybersecurity experts up at night. Despite many websites insisting on a minimum number of characters and a mix of numbers, letters and symbols, virtual private network (VPN) provider NordPass found that “password” and “123456” were the two most commonly used passwords in 2022. That’s a far cry from Home Security Heroes’ recommendation of using a password over 18 characters with a mix of numbers and letters to be well protected against generative AI password crackers. Singh, Parhar and Wetmore insist that good “password hygiene” includes using different passwords for every website, including a mix of numbers, symbols and letters in upper and lower case, and not using any personal information, such as your birthday or your dog’s name, or even words you could find in a dictionary. Wetmore encourages everyone to take advantage of the settings on most Mac and Windows laptops that allow users to set strong passwords for their laptop and drive.

These experts also insist on multi-factor authentication: You enter your password into a website, the website then sends you a code by text or email, and you enter that code back into the website. Requiring both the correct password and access to a person’s phone or email makes hacking harder, but as hacking advances, these obstacles become easier to thwart. In fact, Wetmore is working to replace passwords with biometrics such as fingerprints and eye scans.

Use separate computers and phones for work and personal life

Accidents can happen so keep your work and personal devices separate. “Look for much more sophisticated mobile device management,” Singh advises, “so that your personal data and your business data is kept separately. [Otherwise] that puts a lot of risk on the business.” Imagine if you accidentally click on a bad link in your personal email that sends password-cracking malware throughout your whole computer — where your work email is also logged in. Singh advises having computers and phones that are used only for work and that give the employees access to only a few necessary applications. He says that many companies use unified endpoint management software that allows IT teams to monitor all employee devices and detect any unusual, potentially dangerous activity.

Confirm who an email is from

Think twice before clicking on the attachment of an email from your boss announcing you’ve got a bonus — even if it’s written in their exact voice. “Question the email that came in,” says Wetmore. “Is this a legitimate request? Maybe follow up with a phone call to say, ‘Is this really something I should do?’”

Encrypt your data

“Encryption” is a cybersecurity method that encodes your data by scrambling it up, and only someone with the right digital key can de-scramble it. This means that even if a bad actor somehow gets access to the encrypted files, they can’t read them. So it’s best practice to make sure extra encryption is turned on in all the devices and services you use, from your MacBook to your Google Drive.

It’s important to note that entering your password into a system is what unlocks the keys to decrypt your data. The importance of strong passwords can’t be emphasized enough!
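How a password "unlocks the keys", as an added sketch that is not from the original article: a random data key is stored locked under a key stretched from the password, so the encryption is only as strong as that password. All function names are hypothetical, and the XOR mask plus HMAC tag stands in for the authenticated cipher a real product would use, so the sketch needs only the Python standard library.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def _stretch(password, salt):
    """Stretch the password into 64 bytes: 32 to mask the data key, 32 to tag it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=64)


def protect_data_key(password):
    """Create a random data key and the record that stores it locked."""
    data_key = secrets.token_bytes(32)  # the key that encrypts the files
    salt = secrets.token_bytes(16)      # fresh salt per record
    stretched = _stretch(password, salt)
    masked = bytes(a ^ b for a, b in zip(data_key, stretched[:32]))
    tag = hmac.new(stretched[32:], masked, hashlib.sha256).digest()
    return data_key, {"salt": salt, "masked": masked, "tag": tag}


def unlock_data_key(password, record):
    """Return the data key if the password is right, otherwise None."""
    stretched = _stretch(password, record["salt"])
    expected = hmac.new(stretched[32:], record["masked"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # wrong password: the data key stays locked
    return bytes(a ^ b for a, b in zip(record["masked"], stretched[:32]))


def unlocked_by_common_password(record, common=("password", "123456")):
    """Audit check: does one of the most-used passwords open this record?"""
    return any(unlock_data_key(p, record) is not None for p in common)
```

The stored record never contains the password or the data key in the clear, yet anyone holding the record who picks the right password gets the data key back.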

Take precautions with public wifi

If you work in a number of different places, such as cafes or co-working spaces, Singh highly recommends installing a VPN. This encrypts the transmission of your data and protects your online identity, making it harder for hackers to target you.

Other general tips include: disabling your phone’s ability to automatically connect to hotspots, and avoiding any websites or apps where confidential data is stored. (Don’t do your banking at Starbucks.) Try to avoid wifi networks that aren’t password-protected. Change your browser settings to “Always Use HTTPS,” which encrypts web traffic communications with a server.

Know how your sector is impacted

Keep up to date with developments. “You really need to be aware of what’s happening around you in your industry,” Singh says. “Let’s say you’re in the banking sector: You really want to know which other banks are being impacted, what kind of vulnerabilities are being exploited, what kind of exploits are being used, so that you can be much more predictive. You can actually remediate those things, the open vulnerabilities, before they come to you.”

Don’t get caught out

The hacker may be someone you know as “internal actors” are responsible for 19% of data breaches, according to Verizon’s data breach report. This means the call is coming from inside the house, be it an employee with a grudge or a money-hungry freelance consultant with access to their client’s systems. “Some disgruntled employees will delete everything on their servers before they leave because they were fired,” says Parhar. IBM estimates these insider attacks cost companies an average of $4.9 million. So if your job really is unbearably boring, consider a career pivot to cybersecurity.

Photo: Welcome to the Jungle
