Cyber Crime: AI Generated Phishing Attacks
For those outside the computing world, it feels as though AI (Artificial Intelligence) has suddenly appeared and is having a huge impact on the rest of the world. Artificial intelligence is intelligence demonstrated by computers, as opposed to human or animal intelligence. 'Intelligence' encompasses the ability to learn, to reason, to generalise and to infer meaning.
The new Data Protection Bill currently going through the reform process is expected to create the right balance of protections for the use of AI. In March 2023, the UK Government announced a pro-innovation regulation of AI and data, where it flagged particular challenges for digital and emerging technology. The report focuses on specific challenges for artificial intelligence and data as well as the regulatory barriers for autonomous vehicles, drones, cyber security and space and satellite technologies. Further discussion and detail about those Government recommendations can be read here: Allen & Overy: The UK's approach to AI Principles.
Although the white paper was published only a short while ago, there are reports that, because technology is changing so fast, it is already out of date.
The IAPP reports that although the proposed data protection bill includes a section on automated decision making, the UK government is proposing a second set of rules and regulations for AI and machine learning. As part of its national strategy on AI, the new AI proposals are meant to sit alongside the data protection bill and involve regulators such as Ofcom and the Competition and Markets Authority. Full IAPP article: UK unveils data reform bill, proposes AI regulation.
The ICO updated its guidance: Guidance on AI and Data Protection. A new standalone chapter has been added which contains high-level recommendations on the UK GDPR's transparency principle as it applies to AI, including that, where data is collected directly from individuals, they must receive privacy information before their data is used to train a model or the model is applied to them.
There is also a new chapter on lawfulness in AI relating to inferences, affinity groups and special category data.
There is a new chapter on fairness in AI.
Further reading about AI: The Alan Turing Institute: Common Regulatory Capacity for AI.
The Dark Side of AI
There is also a dark side to the use of AI, most recently reported in its use for sophisticated cyber attacks. An application called WormGPT allows hackers to launch sophisticated phishing and business email compromise attacks; it is a black-hat alternative to GPT models, designed specifically for malicious activity.
Further information about WormGPT can be found here: Hacker News: WormGPT New AI Tool.
How to protect against an AI Cyber Attack?
If your current cyber resilience is multi-layered, this should help to prevent or mitigate an attack. The following are recommended:
- Multi-factor authentication. Review: A guide to multi-factor authentication.
- Phishing training for staff. Review: DPE Phishing Simulations.
- Good password management training for staff. Review: Passwords – simplifying the approach. Training: Password Security.
- Good email hygiene. Review: Email Etiquette and Security.
- If an email is suspicious and you think the sender is pretending to be someone you know, check directly with the source. These new types of email may not be so easy to spot: they are less likely to contain spelling and grammatical errors, and the tools behind them have the ability to learn how you work. Ensure that all business processes include an element of cyber security. Review: Types of Cyber Attacks: Spear Phishing.
- Embed cyber security as a core part of organisational risk management. Review: NCSC Cyber Resilience.
- Use technology to implement cyber resilience. Review: Information and Cyber Security Best Practice Library.
- Secure systems and access control (preventative security).
- Monitor systems.
While we wait for governments, laws and regulations to catch up with technology, we would recommend putting in place the best cyber resilience plan that you can afford. Continually review your cyber strategy and your recovery plan to ensure your business continuity. You can't afford not to!
Review: DPE Business Continuity Template.
Start by checking through our Information/Cyber Security Checklist.
What to do in the event of a Cyber Attack
Incidents or attacks where any security breaches may have taken place, or other damage was caused, should be reported to an external body.
The SLT digital lead will be responsible for assigning someone to report any suspicious cyber incidents or attacks. This person will need to report them to:
- Action Fraud on 0300 123 2040, or the Action Fraud website
- the DfE sector cyber team at
You may also need to report to:
- the NCSC website if the incident or attack causes long term school closure, the closure of more than one school, or serious financial damage
- the ICO website within 72 hours, where a high risk data breach has or may have occurred
- your cyber insurance provider (if you have one), such as the risk protection arrangement (RPA)
- Jisc, if you are part of a further education institution
You must act in accordance with:
- Action Fraud guidance for reporting fraud and cyber crime
- Academy Trust Handbook Part 6, if you are part of an academy trust
- ICO requirements for reporting personal data breaches
Police investigations may establish whether any compromised data has been published or sold, and may identify the perpetrator.
Preserving evidence is as important as recovering from the crime.
Forward suspicious emails to
