AI to Raise the Stakes for Phishing by 2025 – Take Away Attackers’ Favorite Tool First

Don Shin | February 13, 2024

Security leaders walk a fine line between avoiding future risks and putting out fires that could burn the house down right now. New research shows it may be time – and a better use of budget – to shift more resources toward prevention.

In a new report titled The near-term impact of AI on the cyber threat, the UK's National Cyber Security Centre (NCSC) provides an update on the use of artificial intelligence (AI) in cyberattacks and its impact on the threat landscape. Suffice it to say, the news isn't good.

Most CISOs and other security executives already know AI is fueling the growth of billion-dollar phishing- and ransomware-as-a-service (PhaaS, RaaS) industries, taking DDoS attacks to a whole new level, and, as the report points out, “lowering the barrier of entry to novice cybercriminals, hacker-for-hire and hacktivists.” What does come as a bit of a shock, however, is just how fast this may be happening.

AI-led attacks to overwhelm cyber defenses by 2025

The NCSC, part of GCHQ, the UK's signals intelligence agency, warns that by 2025:

“Generative AI and large language models (LLMs) will make it difficult for everyone, regardless of their level of cyber security understanding, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing or social engineering attempts.”

Despite decades of training users to spot phishing attempts, the rise of tools like ChatGPT more than levels the playing field. The report further warns:

“AI will primarily offer threat actors capability uplift in social engineering. Generative AI (GenAI) can already be used to enable convincing interaction with victims, including the creation of lure documents, without the translation, spelling and grammatical mistakes that often reveal phishing. This will likely increase over the next two years as models evolve and uptake increases.”

As AI tools become more proficient, spotting subtle nuances in branding, images, and phraseology only gets harder. And, automated attacks can run the numbers at blazing-fast speeds to find any path left unguarded.

The bottom line is that, while the good guys are racing to build more AI into cyber defenses, the timing for AI clearly favors attackers. The sheer volume of marketing emails and texts we get these days, coupled with bot-driven machine-speed attacks makes securing authentication and identity verification that much more critical, but exponentially more difficult as well.

But there is hope . . .

AI can’t phish what doesn’t exist

Phishing still works far too often, giving imposters a fast and easy way to break in, impersonate users, take over accounts, and exfiltrate data before tripping alarms. The projected use of AI suggests phishing will remain attackers' tool of choice, and the bane of security teams' existence, for the foreseeable future.

So, if even today’s AI-powered security controls can’t spot every duplicitous email or text — and training can’t stop users from taking the bait — CISOs’ obvious move is getting rid of user login credentials that make phishing so easy.

MFA doesn’t go far enough

When the subject of phishing comes up, security leaders’ first response is often that, “We just rolled out MFA to help with that.” And MFA does make it harder for someone to complete a login sequence without having the right mobile phone, fingerprint or hardware token.

Harder, but not hard enough, and far from impossible. Even with MFA becoming fairly ubiquitous, phishing continues at warp speed, with a whole new class of attacks targeting authentication itself:

  • Adversary-in-the-middle (AiTM, often still called MITM) attacks divert users to look-alike login pages that relay the real credentials, any one-time code the user types, and the resulting session cookie to the genuine site in real time
  • SIM swapping attacks use social engineering to convince carriers to move a victim's mobile number to an attacker-controlled device, so SMS codes are delivered to the attacker
  • MFA fatigue (push bombing) attacks use a stolen password to trigger push prompts over and over until the user gives up and approves one

These are only a few well-known examples, and there's every reason to think that increased use of AI will make modern campaigns more devious, elaborate, and hard to detect. Whatever attackers think up next, eliminating passwords as the foundational step of the user login process goes a long way toward stopping both classic phishing and these newer tactics.
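As an added example (not code from the original post or from the vendor), the Python sketch below shows why the first attack on the list defeats a one-time code but not an origin-bound challenge/response of the kind FIDO2/WebAuthn uses. The hostnames, keys and the relaying "proxy" are constructed for the illustration; the authenticator is simplified to an HMAC over a key shared with the relying party in place of a per-credential public-key signature, and a 30-second TOTP stands in for the second factor the proxy relays.

```python
"""AiTM phishing against two second factors: relayed TOTP (succeeds) versus an
origin-bound challenge/response (fails). Everything here is constructed for the
illustration; the authenticator stands in for a FIDO2/WebAuthn device by using
an HMAC with a shared device key instead of a public-key signature."""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"       # constructed relying party
PHISH_ORIGIN = "https://login.example-com.net"   # constructed look-alike domain


# --- Second factor A: TOTP (RFC 6238, HMAC-SHA1, 30-second step) -------------

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HOTP over the current time step, dynamically truncated."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpRelyingParty:
    def __init__(self, password: str, totp_secret: bytes):
        self._pw = password
        self._secret = totp_secret

    def login(self, password: str, code: str, now: float) -> bool:
        # Nothing in the submitted values says which site the user typed them into.
        return (hmac.compare_digest(password, self._pw)
                and hmac.compare_digest(code, totp(self._secret, now)))


def aitm_relay_otp(rp: OtpRelyingParty, victim_pw: str, victim_secret: bytes,
                   now: float) -> bool:
    """Victim types password + current code into the phishing page; the proxy
    forwards both to the real site inside the same 30-second window."""
    captured_pw = victim_pw
    captured_code = totp(victim_secret, now)
    return rp.login(captured_pw, captured_code, now)   # attacker is logged in


# --- Second factor B: origin-bound challenge/response ------------------------

def authenticator_sign(device_key: bytes, browser_origin: str, challenge: bytes) -> bytes:
    """A WebAuthn authenticator signs client data that includes the origin the
    browser actually observed; the page cannot substitute a different one."""
    return hmac.new(device_key, browser_origin.encode() + challenge,
                    hashlib.sha256).digest()


class OriginBoundRelyingParty:
    def __init__(self, origin: str, device_key: bytes):
        self.origin = origin
        self._device_key = device_key
        self._pending: set[bytes] = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, tag: bytes) -> bool:
        if challenge not in self._pending:       # unknown or already used: replay
            return False
        self._pending.discard(challenge)         # single use
        expected = authenticator_sign(self._device_key, self.origin, challenge)
        return hmac.compare_digest(expected, tag)


def legit_login_origin_bound(rp: OriginBoundRelyingParty, device_key: bytes) -> bool:
    challenge = rp.new_challenge()
    tag = authenticator_sign(device_key, rp.origin, challenge)
    return rp.verify(challenge, tag)


def aitm_relay_origin_bound(rp: OriginBoundRelyingParty, device_key: bytes) -> bool:
    """Proxy fetches a genuine challenge, but the victim's browser is on
    PHISH_ORIGIN, so that is the origin the authenticator signs over."""
    challenge = rp.new_challenge()
    tag = authenticator_sign(device_key, PHISH_ORIGIN, challenge)
    return rp.verify(challenge, tag)             # False: origin mismatch


if __name__ == "__main__":
    otp_rp = OtpRelyingParty("hunter2", b"constructed-totp-seed")
    print("AiTM relay of password+TOTP succeeds:",
          aitm_relay_otp(otp_rp, "hunter2", b"constructed-totp-seed", 1_700_000_000.0))
    key = secrets.token_bytes(32)
    fido_rp = OriginBoundRelyingParty(LEGIT_ORIGIN, key)
    print("Legitimate origin-bound login:", legit_login_origin_bound(fido_rp, key))
    print("AiTM relay of origin-bound login:", aitm_relay_origin_bound(fido_rp, key))
```

The relay of the one-time code works because the code carries no information about where it was typed; the origin-bound response fails because the origin is part of what gets signed, and the relying party checks it against its own. That property, not the absence of a password by itself, is what makes an authenticator "phishing-resistant", and it is why later sections call for phishing-resistant MFA rather than any MFA.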

The benefits of a passwordless MFA approach

Passwordless MFA strengthens authentication and identity verification through the simple, obvious act of taking the phish out of the sea. Without secret passwords for users to lose, leak, share, and tape to their monitors, there is nothing for a lure to harvest, and it becomes more cost-effective for attackers, and their bots, to just move on to the next target.

Many of the latest cybersecurity mandates and frameworks, including federal Zero Trust requirements taking hold in the U.S. in 2024, specifically call for the adoption of “phishing-resistant MFA” to stop attacks. But passwordless MFA’s value doesn’t stop there.

A better, safer UX

When implemented without hardware tokens, smart cards, and other "things" to provision and track, passwordless MFA makes for a better front-end user experience, and a unified one across all applications, portals, and services at any location. The Octopus platform covers cloud, web, legacy, and on-prem applications, whether accessed locally or for remote work.

For most organizations, passwordless MFA also spells the end of resets and 40% of all calls to the Help Desk.

Less work for IT  

It should be clear by now that passwords are on the way out. Regulators, experts, cyber insurance companies, and leading IAM vendors all agree this will happen “eventually.”

Octopus lets it happen now by enabling IT to remove user passwords on the front end and tackle the work of rearchitecting identity infrastructure and directories on the back end when they're ready. Customers tell us they can onboard new users in less than an hour, and roll out passwordless MFA to individual applications in hours or days, versus the weeks, months, or years a "universal IAM" or other passwordless approach can take.

Highest-assurance compliance out of the gate

The Octopus platform extends NIST AAL3-level high-assurance authentication to organizations that are held, or hold themselves, to the highest standards for verifying identity and proving it when necessary.

Don’t wait for AI to get smarter

The new year may just have started but in cyber risk terms, 2025 is right around the corner. Put time on the side of your defenders by checking out passwordless MFA – how easy it is and how fast it pays for itself – today.

Learn more, start now

Read more about phishing-resistant passwordless MFA in our two-part blog series:

Part I: Passwordless Adds Phishing Resistance, But How You Get There Matters & Part II: A Practical Path to Passwordless Phishing Resistant MFA