While identity theft is far from a new concept, perpetrators who steal and impersonate another person's identity now have an expanded arsenal of tools at their disposal. Just as businesses have enhanced operations with the expansion of the internet and the introduction of artificial intelligence (AI), identity theft attackers have increasingly leveraged generative AI to diversify and advance their efforts.
According to Experian's 2024 Global Identity & Fraud Report, 70% of businesses have growing concerns about the challenge of combating AI fraud, and this number continues to rise. Bad actors use AI to craft fake identities, create convincing phishing content, and more to steal information and commit fraud. As attackers continue using generative AI for identity theft, business owners should know the prevalent attacks and learn how to fortify their company's security measures.
How can AI enhance identity theft attempts?
Deepfakes
A deepfake is an image, audio, or video that uses AI to impersonate a person's voice or other aspect of their likeness. While most instances of deepfakes involve some humor because they're unconvincing, hackers use AI-based technology to create and use deepfakes for malicious purposes. By manipulating a person's voice and appearance, deepfakes provide a way to make fake requests more credible.
The first notable case of an AI-generated deepfake used in a large-scale identity theft occurred in 2019. According to the Wall Street Journal, the attacker created an audio clip impersonating a German CEO requesting a wire transfer to an offshore account. The attacker then called a UK-based employee and played the recording, persuading them to comply with the request and send $243,000 to the perpetrator's account.
While deepfakes are common in memes and other funny cases, they're not typically used in identity theft attempts on everyday people and businesses. Brian Schlechter, Director of IT at Bit-Wizards, says these attacks require so much effort that they're usually geared toward executives at high-profile companies that offer a practically guaranteed high price tag.
"With deepfakes being more of a complex effort, they usually target a particular person," Schlechter explains. "Most AI and non-AI identity theft attempts that businesses see are more generic and do not go after a specific individual, let alone a specific company."
Text-based phishing
Phishing emails and text messages are nothing new, but attackers have used AI to make their attacks more dangerous and difficult to detect on a larger scale. Jason Monroe, Solution Consultant at Bit-Wizards, says AI can increase a hacker's pre-hack intelligence by condensing the time and effort typically needed to execute attacks.
"Hackers can ask AI to help them identify the CEOs of large companies, generate emails that impersonate them, and do anything in between," says Monroe. "While most think it just helps with writing, AI can help them conduct thorough research within seconds to make their attempts more convincing."
Employee information is often available online through websites or social media accounts, so hackers use that information to impersonate them. Text-based phishing works similarly to deepfakes in that it helps hackers successfully impersonate employees, clients, and third-party agencies, leading to more significant consequences.
Forged documents
Bad actors frequently use generative AI to forge documents like bank statements or medical bills that convince victims to comply with fraudulent, high-pressure requests. Once they have enough information from their victims, attackers can even create counterfeit IDs to trick identity verification systems. While they can be convincing, Schlechter emphasizes that AI-generated files typically depend on false urgency.
"While victims say hackers are making more realistic documents, they're not that realistic once you compare them to genuine examples," says Schlechter. "Because AI-generated documents have the characteristics that trigger a sense of legitimacy and urgency, you're more likely to believe them."
How can I defend against AI-fueled identity theft?
Even though hackers have used AI to commit more convincing identity theft and fraud, there are steps you can take to protect your company, employee, and customer information from bad actors. Here are 4 ways to fortify your security measures against AI-generated attacks.
1. Use AI to your advantage
Just as hackers can use AI for evil purposes, businesses can use it to their advantage in fighting AI and identity theft. Although AI is steadily becoming more accessible for small- to medium-sized businesses to incorporate in their cybersecurity efforts, larger companies are well ahead of the curve in using AI for data analysis and threat detection. Monroe shares that AI detection tools can help detect AI-generated content.
"Once you upload any suspected AI-created copy, these programs can analyze them for indicators and tell you if it's likely AI-generated content," Monroe says. "While it's not a guaranteed protective measure, it's an option for businesses to identify suspicious content and potentially avoid an attack."
2. Strengthen password security
If a hacker successfully commits identity theft and accesses someone's credentials, the consequences could exponentially increase if that person uses poor password practices. If a perpetrator obtains a password you've used repeatedly, they can use credential stuffing to access more of your accounts and cause significantly more damage.
To avoid the likelihood of a bad actor accessing multiple accounts and wreaking further havoc, you can:
- Use a password manager
- Require complex passwords
- Change passwords regularly
- Use multi-factor authentication (MFA)
3. Monitor for signs of identity theft
Just like traditional attacks, AI-fueled identity theft and fraud emit the same signals once they're successful. Since your protections may not be enough to stop all attempts, you should regularly monitor for classic indicators like:
- Unusual credit card transactions
- Errors on your business credit report
- Unusual written requests from coworkers
- Bills for items or services you did not buy
- Missing or stopped mail or email
- Calls from debt collection agencies
- Random notifications of changed log-in credentials
4. Inform and educate your employees
Employee awareness and training are vital in preventing identity theft and strengthening your company's overall cybersecurity measures. Because so many phishing attempts and other cyberattack trends take advantage of the human element for success, educating your employees is critical to protect them and your company.
Relevant training may include:
- Assessing potential phishing attempts
- Looking for signs of identity theft
- Reviewing real-world examples
- Avoiding common IT security failures
Another way to help your employees recognize AI-generated content is by exposing them to it. Schlechter says that, after some practice, people can better understand AI and identify common signs that indicate a piece of content was not written by a real person.
"ChatGPT is just like an everyday writer—while it's a lot faster than people, it has a certain style that you can begin to recognize after viewing several pieces," explains Schlechter. "The more your employees see AI-generated content, the more likely they can learn to recognize it going forward."
In addition to these lessons, Monroe emphasizes the importance of business owners teaching employees to have a healthy suspicion when evaluating potential signs of identity theft attempts and successes.
"If you get a text from an unknown number claiming to be your boss and telling you to buy a bunch of Apple gift cards with your company card, you should be immediately suspicious," says Monroe. "People need to be more wary of out-of-the-blue requests and be confident enough to verify odd requests from others."
Let Bit-Wizards boost your IT security
If your business needs a security boost against identity theft attempts and other major cyberattacks, Bit-Wizards is here to help. Our Managed IT Services (MITS) team offers a comprehensive approach to security so you can focus on your business and your employees. Hackers work hard, but we work harder to protect your information and enable your business to be more adaptable, efficient, and resilient.
Ready to strengthen your company's IT and cybersecurity? Contact us today.