Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

AI-powered social engineering attacks are significantly more successful than traditional attacks, according to a new report from cyber risk management firm Resilience. The researchers state, “Social engineering attacks fueled 88% of material losses, with AI-powered phishing achieving a 54% success rate compared to just 12% for traditional attempts.” AI allows attackers to easily craft sophisticated phishing emails, as well as voice and video deepfakes.

The FBI and the American Bankers Association (ABA) have issued a joint advisory warning of the growing threat posed by AI-generated deepfake scams. “Criminals may pose as loved ones, government officials, law enforcement personnel, or even celebrities, often using fear and urgency to convince victims to send money or share sensitive information,” the advisory says.

Attackers are abusing iCloud Calendar invites to send phishing messages that pose as PayPal notifications, BleepingComputer reports. Since the messages are sent from Apple’s infrastructure, they’re more likely to bypass security filters. BleepingComputer explains, “This email is actually an iCloud Calendar invite, where the threat actor included the phishing text within the Notes field and then invited a Microsoft 365 email address that they controlled.

In essence, that is the disclosure and notification message that the open-source developer "qix" sent to the world when he was social engineered to give up access credentials to his GitHub account. Using his account, the attackers inserted malware in a series of popular NPM packages to direct cryptocurrency payments to their own wallets.

The use of “shadow AI” is an increasing security risk within organizations, according to a new report from Netskope. Shadow AI is a newer variant of shadow IT, in which employees use unauthorized technology without the knowledge of the IT department. This is generally driven by a desire for increased productivity rather than malicious motives, but employees are often unaware of the risks introduced by unauthorized tools.

Researchers at Stripe warn of a wave of spear phishing attacks targeting C-suite employees and senior leadership across a wide range of industries. The emails pose as OneDrive document-sharing notifications with subject lines like “Salary amendment” or “FIN_SALARY.” If a user clicks the link, they’ll be taken to a spoofed Microsoft Office/OneDrive login page designed to steal their credentials.

I occasionally get human risk management (HRM) administrators asking me to help them with ideas of “contests” to better educate their end-users. They have usually done the traditional recommendations, which means at least monthly-to-weekly security awareness training (SAT) and simulated phishing. They are working to educate their end-users about social engineering and phishing attacks as best as they can without being overly annoying.

The State of California’s Franchise Tax Board (FTB) has warned of an ongoing SMS phishing (smishing) campaign targeting residents, Malwarebytes reports. The FTB stated, “These text messages contain a link to a fraudulent version of certain FTB web pages, which are designed to steal personal and banking information.