Podcast Ep 233: Jake Moore, one of Europe’s leading data security experts, says hackers are using AI to devastating effect against businesses.
The way that Moore, global cybersecurity advisor at antivirus giant ESET, describes it, it feels like we’ve wandered into the plot of a dystopian sci-fi novel. Cyberattacks on businesses all over the world by hackers using AI tools, from text and image creation to audio and video generation, are now next-level.
Imagine an unsuspecting worker getting a voice message from their boss telling them to transfer a large sum of money to a bank account. The voice sounds real. Accurately real. But it isn’t. It’s a form of deep fake technology where hackers have taken a sample of the CEO’s voice, possibly from a voice message or video call, and used advanced technology to create a convincing voice message. The technology can also create realistic video messages.
This isn’t in the future. This is now.
Moore, who was speaking with ThinkBusiness ahead of the annual IRISSCON 2024 conference on 6 November, warns that Irish businesses are vulnerable and need to be wary of cybercriminals lying in wait.
The era of next-level AI-powered phishing is here
Moore previously spent 14 years pursuing cybercriminals in the UK police force, and said that attackers are willing to spend over 200 days in an organisation’s network, unnoticed, before launching any sort of attack.
In a recent article he demonstrated that once a hacker has breached an organisation’s network through unprotected endpoints like a mobile phone, a laptop or some internet of things device, it takes one minute and 84 seconds on average to penetrate deeper into the network.
“That is not a lot of time for any network security to react, and, once the harm is done, it takes 73 days, on average, to contain the breach. So, the objective is to prevent the network access in the first place,” he advised.
Ransomware and phishing attacks remain top threats, according to the ESET software developers.
Cybercriminals use AI algorithms to analyse vast amounts of their target segments’ data. They look at social media profiles, online behaviour, recent purchases and other publicly available information to create very personalised phishing and social engineering attacks.
Moore says we are now in the era of next-level phishing.
“We’ve gone through all the different types of phishing. We’ve seen smishing with text messages and voice phishing, vishing, and now I think we are moving into incorporating AI and machine learning – fantastic software that is so impressive – and people still, even if they know about it, don’t necessarily believe it.
“They don’t think that they would be duped into, say, falling for something like a cloned voice, that they don’t think it’ll happen to them. Funnily enough, that’s the same thing as how most cyberattacks work. When there is someone involved, they don’t think they are susceptible to those attacks.
“They genuinely are more sophisticated now, and being able to use that technology with a very targeted approach; they are really doing their homework on a company, and particularly small and medium sized businesses where they tend not to have the same security teams or the level of resources, they can really hone in and target those individuals that they’ve done their homework on.
“So, for example, targeting the CEO to get their voice. If that person creates videos, and you know, 2024 we are told to create more content and publish it everywhere, so it is easy to get hold of, and then to target, say, the CFO of a business, even if they’ve got procedures in place that says ‘Do not send money unless they are on an internal spreadsheet’, for example, they still can be duped to cut those corners. Because they are being manipulated.
“And let’s face it, I think a lot of people, in fact, probably most people would be fooled by that. And in fact, I have tested this so anecdotally. I know it works, and that’s in one of my talks that I prove how you really can steal a voice and then steal money.”
The terrifying reality isn’t just the technology, it’s the industry-scale efforts hacker gangs are going to.
These aren’t just covert hackers operating from a bedroom. They have entire offices and call centres, entire business models, dedicated to taking money from individuals and businesses.
“They are putting a lot of effort and time and money into scamming people around the world. They are using open source intelligence tools that can learn about their victims beforehand and get them hooked. It’s pretty impressive. Law enforcement can’t always find out where they are or the full size of these organisations. But if you look at the numbers of people being hit you can assume that yes, it is growing and the fact that there are so many free tools on the dark web, younger people are learning these methods and crossing the lines into illegality.
“There is little that law enforcement can do except go down the educational route because there are very few pieces of software that can pinpoint if AI is cloning voices or video calls. So there’s little or nothing that can be done about that now except education and awareness.
“It all comes back to training within companies, whatever size, to continually upskill and make people aware.”