While identity theft is far from a new concept, perpetrators who steal and impersonate another person's identity now have an expanded arsenal of tools at their disposal. Just as businesses have enhanced operations with the expansion of the internet and the introduction of artificial intelligence (AI), identity theft attackers have leveraged AI in diversifying and advancing their efforts.
According to Experian's 2022 Global Identity & Fraud Report, 70% of businesses reported growing concerns about fraud, and this number continues to rise as more business owners learn the dangers of identity fraud. AI-driven identity fraud attempts continue to increase, with bad actors using AI to craft fake identities, create convincing phishing content, and more to steal information and commit fraud. As attackers continue using generative AI for identity theft, business owners should know the prevalent attacks and learn how to fortify their company's security measures.
How can AI enhance identity theft attempts?
A deepfake is an image, audio, or video file that uses generative AI to convincingly impersonate a person's voice or other aspect of their likeness. While most instances of deepfakes involve a degree of humor due to their unbelievability, hackers have used AI-based technology to create and use deepfakes for malicious purposes. By using AI to manipulate a person's voice and appearance to fit their intentions, deepfakes provide a way for hackers to increase the plausible nature of their requests.
The first notable case of an AI-generated deepfake used in a large-scale identity theft occurred in March 2019. According to the Wall Street Journal, the attack's perpetrator created an audio clip impersonating a German company's CEO requesting a wire transfer to an offshore account. The attacker then called a UK employee and played the recording, persuading that employee to comply with the request and send $243,000 to the perpetrator's account.
While deepfakes are common in memes and other funny cases, they're not typically used in identity theft attempts. Brian Schlechter, MITS Technical Team Manager at Bit-Wizards, says these attacks require so much effort that they're usually geared toward high-profile companies that offer a practically guaranteed high price tag.
"With deepfakes being more of a complex effort, they usually target a particular person," Schlechter explains. "Most attempts that businesses see are more generic and do not go after a specific individual, let alone a specific company."
Phishing emails and text messages are nothing new, but attackers have used AI to make their attacks more difficult to detect on a larger scale. Jason Monroe, Director of Solution Consulting at Bit-Wizards, says AI can increase a hacker's pre-hack intelligence by condensing the time and effort needed to execute attacks.
"Hackers can ask AI to help them identify the CEOs for large companies, generate emails that impersonate them, and anything in between," says Monroe. "While most think it just helps with writing, AI can help bad actors conduct thorough research within seconds to make their attempts more convincing."
Because information about a company's employees and culture is often available online through websites or social media accounts, hackers can use that information to impersonate its staff and contact other employees with requests. Like voice-based deepfakes, text-based phishing helps a hacker impersonate another employee, a client, or a critical third-party agency to complete their requests, often leading to more significant consequences. By identifying employee contact information and summarizing a company's resources in a fraction of the time a person would take, AI can help hackers work faster and craft more believable attacks.
Like phishing attacks, identity theft perpetrators frequently use AI to create forged documents that convince victims to comply with fraudulent requests. Whether it's fake bank statements or medical bills, hackers can use generative AI to forge seemingly authentic files that increase the pressure of their demands. Once they have enough information from their victims, attackers can even create counterfeit identity documents that can trick identity verification systems. While many are convincing, Schlechter emphasizes that AI-generated files typically accompany and depend on a manufactured sense of urgency.
"While victims say hackers are making more realistic documents, they're not that realistic once you compare them to genuine examples," says Schlechter. "Because AI-generated documents have the characteristics that trigger a sense of legitimacy and urgency, you're more likely to believe them."
How can I defend against AI-fueled identity theft?
Even though hackers have used AI to commit more convincing identity theft and fraud, there are steps you can take to protect your company, employee, and customer information from bad actors. Here are 4 ways to fortify your security measures against AI-generated attacks.
Use AI to your advantage
Just as hackers can use AI for evil purposes, businesses can leverage AI to their advantage in protecting themselves. Although AI is steadily becoming more accessible for small- to medium-sized businesses to incorporate in their cybersecurity efforts, larger companies that offer services are well ahead of the curve in using AI for data analysis and threat detection. Monroe shares that some companies even provide AI detection tools to help detect AI-generated content.
"Once you upload any suspected AI-created copy, these programs can analyze them for indicators and tell you if it's likely AI-generated content," Monroe says. "While it's not a guaranteed protective measure, it's an option for businesses to identify suspicious content and potentially avoid an attack."
Strengthen password security
If a hacker successfully commits identity theft and accesses someone's credentials, the consequences could exponentially increase if that person uses poor password practices. If a perpetrator obtains a password you've used repeatedly, they can use credential stuffing to access more of your accounts and cause significantly more damage.
To avoid the likelihood of a bad actor accessing multiple accounts and wreaking further havoc, you can:
- Use a password manager
- Require complex passwords
- Change passwords regularly
- Use multi-factor authentication (MFA)
Monitor for signs of identity theft
Just like traditional attacks, AI-fueled identity theft and fraud emit the same signals once they're successful. Since your protections may not be enough to stop all attempts, you should regularly monitor for classic indicators like:
- Unusual credit card transactions
- Errors on your business credit report
- Unusual written requests from coworkers
- Bills for items or services you did not buy
- Missing or stopped mail or email
- Calls from debt collection agencies
- Random notifications of changed log-in credentials
Inform and educate your employees
Employee awareness and training are vital in preventing identity theft and strengthening your company's overall cybersecurity measures. Because so many phishing attempts and other cyberattack trends take advantage of the human element for success, educating your employees is critical to protect them and your company.
Relevant training may include:
- Assessing potential phishing attempts
- Looking for signs of identity theft
- Reviewing real-world examples
- Avoiding common security failures
Another way to help your employees recognize AI-generated content is by exposing them to it. Schlechter says that, after some practice, people can identify common signs that indicate a piece of content was not written by a real person.
"ChatGPT is just like an everyday writer-- while it's a lot faster than people, it has a certain style that you can begin to recognize after viewing several pieces," explains Schlechter. "The more your employees see AI-generated content, the more likely they can learn to recognize it going forward."
In addition to these lessons, Monroe emphasizes the importance of business owners teaching employees to have a healthy suspicion when evaluating potential signs of identity theft attempts and successes.
"If you get a text from an unknown number claiming to be your boss and telling you to buy a bunch of Apple gift cards with your company card, you should be immediately suspicious," says Monroe. "People need to be more wary of out-of-the-blue requests and be confident enough to verify odd requests from others."
How Bit-Wizards can help
For businesses that need a security boost against identity theft and other cyberattacks, Bit-Wizards is here to help. Our Managed IT Services (MITS) team offers a comprehensive approach to security so you can focus on your business and your employees. While hackers work hard, we work harder to protect your information and enable your business to be more adaptable, efficient, and resilient.
Ready to strengthen your company's IT and cybersecurity? Contact us today.