The rise of adversarial AI threatens smaller organizations

Email remains a vital channel for business communications, but the availability of easy-to-use AI tools makes protecting the inbox a challenge, as it's easier than ever for cybercriminals to launch sophisticated attacks.

A new report from Abnormal Security charts the rise of adversarial AI, which has seen a 54 percent year-on-year rise in business email compromise (BEC) attacks.

Vendor email compromise (VEC) is up too: during any given week in 2024, organizations had, on average, a 70 percent chance of receiving at least one VEC attack -- an increase of more than 10 percent from 2023.

Phishing remains the most common attack type, accounting for more than 76 percent of all advanced attacks. Traditional defenses aren’t keeping up, though. Both employee security awareness training and legacy email security solutions rely heavily on known indicators of compromise to detect phishing attempts, but AI has made it much easier for attackers to create convincing-looking emails.

Mike Britton, CISO at Abnormal Security, says, "Gone are the days of poorly put together emails with misspellings and grammar errors and things like that. You can throw something sloppy into ChatGPT and ask it to clean it up and make it very professional and engaging, it'll do that in 10 seconds, cut and paste back into an email and off you go."

BEC attacks are a particular issue for smaller organizations. While enterprises of all sizes experienced an increased likelihood of BEC attacks over the past year, organizations with 1,000 inboxes or fewer saw the largest jump. In any given week in 2024, these smaller companies faced more than a 70 percent chance of receiving at least one BEC attack -- up 14 percent from 2023.

"There's a disproportionate impact on smaller businesses," says Britton. "The JP Morgans of the world, the Microsofts and companies like that, spend millions and millions, if not billions, on security. They have all of the tools. They have armies of teams to look after this stuff. They're still impacted by it as well, but they have constant eyes on it. Now, when you get down into smaller organizations, maybe they have a single person that is the IT and security person. Maybe they don't even have that. Maybe they use an outsource, you know, a part-time person that comes and helps them. Attackers know that an SMB or a nonprofit or a school is going to be a much easier target for them to go after. And so they spend a lot of time there because it's a higher ROI."

You can read more and get the full report on the Abnormal blog.
