Social engineering is a tactic used to exploit individuals by deceitful or coercive measures for the purpose of gaining access to personal or sensitive information. Traditional social engineering methods include phishing or smishing. However, with the advent of AI tools and technology, the ability to conduct more sophisticated and less obvious attacks is becoming increasingly easier. Such advancements in AI provide scammers with multiple avenues that they can exploit. The ease of conducting such scams increases the risk to an individual or organisation, evidencing growing vulnerabilities in the online world.
Social engineering techniques play on human interactions, using some form of communication to lure and deceive people into a situation where they inadvertently expose sensitive information. This is often done by allowing the scammers to access secure areas, thus compromising the safety of an individual or an organisation. Bad actors rely on human emotion; they may exploit your trust, posing as your bank, or manipulate your desires, to entice you into following a link. More commonly though, they play on fear, presenting a scenario where you feel at risk, when you are most likely to make decisions in haste without properly assessing the potential risks.
The effectiveness of social engineering lies in its simplicity and ease of execution. Weaknesses can be harvested by simply examining someone’s or an organisation’s digital footprint to extract meaningful information that can be used to deceive an individual, whilst the perpetrator poses as a legitimate entity.
Phishing, smishing and vishing
There are numerous types of social engineering; however, the most observed is phishing, the umbrella term given to a cyber-attack where bad actors use communication in any form to conduct their fraudulent activities. This could be in an email, where the perpetrators mimic legitimate emails to dupe individuals into sharing details such as their banking information or passwords, or can include a link to a fraudulent website or malicious downloads to infiltrate devices. Another common method of phishing sees the bad actor use text message communication to support their activities, the act of which has been coined smishing. Smishing efforts see attacks mimic messages from a bank or a postal delivery service to attempt to deceive their victims into sharing sensitive information. Similarly, a bad actor could attempt to do this via a phone call or voicemail, otherwise known as vishing.
Generative AI is assisting bad actors in making such scams more commonplace, with social engineering activities becoming more efficient and sophisticated. The use of emerging AI technologies allows criminals to enhance their scams. Phishing scams can be automated, using AI to mimic tone and language to write convincing messages. Cloning technology can be used to copycat someone’s voice, producing realistic audio for phone calls or voicemails. Stories of such have ballooned recently, for example, reports of parents who have received phone calls from family members allegedly being held at ransom, when in fact, the audio has been artificially created. In more sophisticated cases, AI can be used to meld numerous techniques to execute a realistic scenario. As was the case in February 2024, when it was reported that an advanced scam saw an employee at a professional services firm transfer HK$200 million (£20 million) to scammers. The victim was initially sceptical having received an invitation to join a video conference. However, upon joining the meeting, which included 15 senior employees at the firm, the employee fell victim to the scam. In reality, the only real person in the meeting was the victim – the 15 additional employees had their identities poached, with AI-generated deepfake technology used to replicate audio and video of each of them.
Data collection and analysis
Generative AI isn’t just used to create content. It can also be used to collect, store and process large amounts of data. This is especially beneficial to bad actors who infiltrate systems to collect data on an organisation. Sifting through copious amounts of data can be a time-consuming task, but AI can easily and efficiently analyse data to extract the information most beneficial to them. Additionally, scammers can exploit AI to create complex types of malware, potentially capable of evading detection or manipulate it to bypass safeguarding settings.
Recently, in August 2024, media outlet, Wired, reported on the weaknesses in Microsoft’s Copilot AI system. Researcher Michael Bargury found it could be manipulated to gain access to and information from emails, Teams chats and files. It involves using Copilot to automatically generate and send phishing emails that mimic a user’s writing style and language. It does this by using Copilot to see who you are frequently in communication with, and drafting a convincing email copying the tone and language used in your emails, which can then be distributed among your network. Microsoft has since acknowledged the weaknesses and emphasised the need for robust security measures to mitigate opportunities to abuse AI technology.
Minimising the risks
Whilst generative AI tools such as Copilot and ChatGPT have implemented safeguards to mitigate malicious use of their software, with a combination of know-how and trial and error, these safeguards can often be circumvented. Furthermore, AI tools such as FraudGPT and WormGPT have surfaced to support criminal activities. These uncensored ‘dark LLMs’ have been created to enhance social engineering, optimised for creating sophisticated phishing campaigns, malware and scam content.
While traditional methods of social engineering, like phishing scams, remain common, with the use of AI-driven tools, scammers are capable of creating ever more convincing and complex scams. This is enhanced by the ease of producing content such as authentically appearing emails, audio and video alongside malware. These developments highlight the growing vulnerabilities we face as individuals and organisations in tandem with the growing use and rapid progression of AI tools. As AI technology continues to evolve, it has never been more pressing to maintain robust digital health and prioritise and implement necessary security measures to minimise the risks posed by AI-driven social engineering.
Privacy Policy.
Revoke consent.
© Digitalis Media Ltd. Privacy Policy.
Digitalis
We firmly believe that the internet should be available and accessible to anyone, and are committed to providing a website that is accessible to the widest possible audience, regardless of circumstance and ability.
To fulfill this, we aim to adhere as strictly as possible to the World Wide Web Consortium’s (W3C) Web Content Accessibility Guidelines 2.1 (WCAG 2.1) at the AA level. These guidelines explain how to make web content accessible to people with a wide array of disabilities. Complying with those guidelines helps us ensure that the website is accessible to all people: blind people, people with motor impairments, visual impairment, cognitive disabilities, and more.
This website utilizes various technologies that are meant to make it as accessible as possible at all times. We utilize an accessibility interface that allows persons with specific disabilities to adjust the website’s UI (user interface) and design it to their personal needs.
Additionally, the website utilizes an AI-based application that runs in the background and optimizes its accessibility level constantly. This application remediates the website’s HTML, adapts Its functionality and behavior for screen-readers used by the blind users, and for keyboard functions used by individuals with motor impairments.
If you’ve found a malfunction or have ideas for improvement, we’ll be happy to hear from you. You can reach out to the website’s operators by using the following email webrequests@digitalis.com
Our website implements the ARIA attributes (Accessible Rich Internet Applications) technique, alongside various different behavioral changes, to ensure blind users visiting with screen-readers are able to read, comprehend, and enjoy the website’s functions. As soon as a user with a screen-reader enters your site, they immediately receive a prompt to enter the Screen-Reader Profile so they can browse and operate your site effectively. Here’s how our website covers some of the most important screen-reader requirements, alongside console screenshots of code examples:
Screen-reader optimization: we run a background process that learns the website’s components from top to bottom, to ensure ongoing compliance even when updating the website. In this process, we provide screen-readers with meaningful data using the ARIA set of attributes. For example, we provide accurate form labels; descriptions for actionable icons (social media icons, search icons, cart icons, etc.); validation guidance for form inputs; element roles such as buttons, menus, modal dialogues (popups), and others. Additionally, the background process scans all of the website’s images and provides an accurate and meaningful image-object-recognition-based description as an ALT (alternate text) tag for images that are not described. It will also extract texts that are embedded within the image, using an OCR (optical character recognition) technology. To turn on screen-reader adjustments at any time, users need only to press the Alt+1 keyboard combination. Screen-reader users also get automatic announcements to turn the Screen-reader mode on as soon as they enter the website.
These adjustments are compatible with all popular screen readers, including JAWS and NVDA.
Keyboard navigation optimization: The background process also adjusts the website’s HTML, and adds various behaviors using JavaScript code to make the website operable by the keyboard. This includes the ability to navigate the website using the Tab and Shift+Tab keys, operate dropdowns with the arrow keys, close them with Esc, trigger buttons and links using the Enter key, navigate between radio and checkbox elements using the arrow keys, and fill them in with the Spacebar or Enter key.Additionally, keyboard users will find quick-navigation and content-skip menus, available at any time by clicking Alt+1, or as the first elements of the site while navigating with the keyboard. The background process also handles triggered popups by moving the keyboard focus towards them as soon as they appear, and not allow the focus drift outside of it.
Users can also use shortcuts such as “M” (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics) to jump to specific elements.
We aim to support the widest array of browsers and assistive technologies as possible, so our users can choose the best fitting tools for them, with as few limitations as possible. Therefore, we have worked very hard to be able to support all major systems that comprise over 95% of the user market share including Google Chrome, Mozilla Firefox, Apple Safari, Opera and Microsoft Edge, JAWS and NVDA (screen readers), both for Windows and for MAC users.
Despite our very best efforts to allow anybody to adjust the website to their needs, there may still be pages or sections that are not fully accessible, are in the process of becoming accessible, or are lacking an adequate technological solution to make them accessible. Still, we are continually improving our accessibility, adding, updating and improving its options and features, and developing and adopting new technologies. All this is meant to reach the optimal level of accessibility, following technological advancements. For any assistance, please reach out to webrequests@digitalis.com