With GenAI-powered phishing threats, it’s time to rethink cybersecurity training

By Shannon Murphy, Global Risk and Security, Strategist, Trend Micro

Driven by a growing digital economy and rapid digital penetration, cybercriminals are going on phishing trips in Southeast Asia with increasing frequency. A recent report found that the region experienced a 48% increase in phishing URLs in 2023 alone. In Singapore, phishing attempts more than doubled between 2021 and 2022, making it the fourth most common scam in the city-state.

Beyond the sheer volume of attacks, the sophistication of phishing techniques is also advancing. Historically, cybercriminals employed broad-spectrum phishing, mass-sending generic emails or texts to gather sensitive information, and spear-phishing, which used detailed personal information from social media to craft highly specific messages targeting high-value individuals or organisations.

As such, traditional phishing awareness training focused on spotting suspicious emails and language quirks – and was fairly effective. However, GenAI has transformed the face of phishing by generating realistic, context-aware messages that mimic legitimate communications in language, style, and tone. AI-powered tools can even break language barriers, allowing cybercriminals to target a global audience with accurate translations that incorporate cultural nuances. Consequently, traditional training is no longer sufficient against GenAI’s capabilities.

Countering AI-Assisted Phishing Begins with the Zero Trust Framework

Defending against deception-driven attacks is not solely a technological battle; it is equally a human challenge, necessitating a combination of adjustments across people, process, and technology to fortify organisations against emerging threats.

It starts with adopting a Zero Trust — or ‘never trust, always verify’ — philosophy and building a security culture. Organisations should always verify identities, and allow only necessary people and machines to access sensitive information or processes for defined purposes at specific times. This limits the attack surface and slows attackers down. AI-driven detection tools, such as writing style analysis, computer vision, can further help protect the enterprise and support employees in identifying malicious content and behaviour more efficiently. Beyond technological defences, organisations should implement processes such as multi-stakeholder approval for significant transactions and establish a ‘safe list’ of numbers for live voice authorisation calls, rather than relying on a phone number embedded within a transfer request email. These measures can prevent attacks, even as cybercriminals increasingly use convincing voice deepfakes. Coded language could even be used for additional authentication.

At the same time, cybersecurity awareness training also needs to evolve accordingly — rather than focusing solely on identifying suspicious or malicious emails, it should educate employees on when and how to execute the above processes to prevent successful phishing attempts. These sessions should include simulations of phishing attacks to provide practical experience in identifying potentially suspicious situations — not just emails — and executing the related verification processes.

Most importantly, cybersecurity training should not be a one-time event but an ongoing process with content that is regularly refreshed and updated with the latest phishing techniques, which are constantly evolving with advancements in AI.

Staying Ahead of Cybercriminals with a Unified Approach

However, as the digital attack surface continues to expand through digital and AI transformation, cyber threats like phishing attacks will continue to become increasingly sophisticated and well-coordinated. This growing complexity is even more concerning due to the persistent talent and resource gap that organisations face in keeping up with the rapidly evolving threat landscape.

More than ever, businesses need to adopt a proactive posture towards cybersecurity. This involves moving away from traditional approaches of security — which is to apply uniform security measures across all known systems — and adopting a risk-based approach, which includes continuous asset discovery and assessment to focus on prioritising and building the appropriate controls for the most critical vulnerabilities.

A unified cybersecurity platform helps empower businesses by providing comprehensive visibility and centralised risk management, enabling quick detection and response to anomalies. This combination allows businesses to identify the most at-risk assets and potential intrusions, preventing and mitigating threats before they cause significant harm.

Ultimately, there isn’t one single way of combatting security threats — the most effective approach is one that combines all of the above. By equipping employees with better, smarter tools and a comprehensive understanding of security practices, businesses can more effectively combat cyber threats and protect their digital assets and brand.

For more information please contact, [email protected]