Artificial intelligence (AI) is doing wonderful things for many businesses. It’s helping to automate repetitive tasks for efficiency and cost savings. It’s supercharging customer service and coding. And it’s helping to unearth insight to drive improved business decision-making. Way back in October 2023, Gartner estimated that 55% of organizations were in pilot or production mode with generative AI (GenAI). That figure will surely be higher today.

Yet criminal enterprises are also innovating with the technology, and that spells bad news for IT and business leaders everywhere. To tackle this mounting fraud threat, you need a layered response that focuses on people, process and technology.

What are the latest AI and deepfake threats?
Cybercriminals are harnessing the power of AI and deepfakes in several ways. They include:

• Fake employees: Hundreds of companies have reportedly been infiltrated by North Koreans posing as remote working IT freelancers. They use AI tools to compile fake resumes and forged documents, including AI-manipulated images, in order to pass background checks. The end goal is to earn money to send back to the North Korean regime as well as data theft, espionage and even ransomware.
• A new breed of BEC scams: Deepfake audio and video clips are being used to amplify business email compromise (BEC)-type fraud where finance workers are tricked into transferring corporate funds to accounts under control of the scammer. In one recent infamous case, a finance worker was persuaded to transfer $25 million to fraudsters who leveraged deepfakes to pose as the company’s CFO and other members of staff in a video conference call. This is by no means new, however – as far back as 2019, a UK energy executive was tricked into wiring £200,000 to scammers after speaking to a deepfake version of his boss on the phone.
• Authentication bypass: Deepfakes are also being used to help fraudsters impersonate legitimate customers, create new personas and bypass authentication checks for account creation and log-ins. One particularly sophisticated piece of malware, GoldPickaxe, is designed to harvest facial recognition data, which is then used to create deepfake videos. According to one report, 13.5% of all global digital account openings were suspected of fraudulent activity last year.
• Deepfake scams: Cybercriminals can also use deepfakes in less targeted ways, such as impersonating company CEOs and other high-profile figures on social media, to further investment and other scams. As ESET’s Jake Moore has demonstrated, theoretically any corporate leader could be victimized in the same way. On a similar note, as ESET’s latest Threat Report describes, cybercriminals are leveraging deepfakes and company-branded social media posts to lure victims as part of a new type of investment fraud called Nomani.
• Password cracking: AI algorithms can be set to work cracking the passwords of customers and employees, enabling data theft, ransomware and mass identity fraud. One such example, PassGAN, can reportedly crack passwords in less than half a minute.
• Document forgeries: AI-generated or altered documents are another way to bypass know your customer (KYC) checks at banks and other companies. They can also be used for insurance fraud. Nearly all (94%) claims handlers suspect at least 5% of claims are being manipulated with AI, especially lower value claims.
• Phishing and reconnaissance: The UK’s National Cyber Security Centre (NCSC) has warned of the uplift cybercriminals are getting from generative and other AI types. It claimed in early 2024 that the technology will “almost certainly increase the volume and heighten the impact of cyber-attacks over the next two years.” It will have a particularly high impact on improving the effectiveness of social engineering and reconnaissance of targets. This will fuel ransomware and data theft, as well as wide-ranging phishing attacks on customers.

What’s the impact of AI threats?
The impact of AI-enabled fraud is ultimately financial and reputational damage of varying degrees. One report estimates that 38% of revenue lost to fraud over the past year was due to AI-driven fraud. Consider how:

• KYC bypass allows fraudsters to run up credit and drain legitimate customer accounts of funds.
• Fake employees could steal sensitive IP and regulated customer information, creating financial, reputational and compliance headaches.
• BEC scams can generate huge one-off losses. The category earned cybercriminals over $2.9 billion in 2023 alone.
• Impersonation scams threaten customer loyalty. A third of customers say they’ll walk away from a brand they love after just one bad experience.

Pushing back against AI-enabled fraud
Fighting this surge in AI-enabled fraud requires a multi-layered response, focusing on people, process and technology. This should include:

• Frequent fraud risk assessments
• An updating of anti-fraud policies to make them AI-relevant
• Comprehensive training and awareness programs for staff (e.g., in how to spot phishingand deepfakes)
• Education and awareness programs for customers
• Switching on multifactor authentication (MFA) for all sensitive corporate accounts and customers
• Improved background checks for employees, such as scanning resumes for career inconsistencies
• Ensure all employees are interviewed on video before hiring
• Improve collaboration between HR and cybersecurity teams

AI tech can also be used in this fight, for example:

• AI-powered tools to detect deepfakes (e.g., in KYC checks).
• Machine learning algorithms to detect patterns of suspicious behavior in staff and customer data.
• GenAI to generate synthetic data, with which new fraud models can be developed, tested and trained.

As the battle between malicious and benevolent AI enters an intense new phase, organizations must update their cybersecurity and anti-fraud policies to ensure they keep pace with the evolving threat landscape. With so much at stake, failure to do so might impact long-term customer loyalty, brand value and even derail important digital transformation initiatives.

AI has the potential to change the game for our adversaries. But it can also do so for corporate security and risk teams.

The post AI reshaping the fraud landscape and creating new risks appeared first on My Startup World - Everything About the World of Startups!.

The notion of having our identity stolen and used maliciously is a concern that anyone – in UAE or anywhere else in the world – should have in our society today. The vulnerability, the unknowing, and the anxiety around who and why someone would do this, and what they may use it for, is very real. This is bad enough in our personal lives, but when that identity includes administrative credentials to the core cyber resilience solution of a national government organisation, or global multi-national business the impact can be even more devastating.

In both the corporate and public sector, malicious credential theft is on the rise, fueling a huge increase in incidents via compromising privilege escalations.  According to a 2024 IBM report, attacks leveraging valid credentials surged by a staggering 71% year-over-year last year, with other reports suggesting credential theft accounts for 49% of cyber security incidents across the country.

While the UAE is leading the charge on integrated legislative and protection policies, like the Cyber Pulse Initiative to enhance public awareness of suspicious online activities and the best possible mitigation steps, due to their extensive access to sensitive commercial, personal, and competitive organisational datasets, system administrators are being targeted even more specifically than ever before.

Cybercriminals are simultaneously designing more complex attacks to gain their credentials and launching them even more effectively with the help of AI-driven processes. Whether it’s GenAI-generated phishing schemes, using video deepfakes, or taking advantage of other new-fangled ways of impersonation, stealing or just plain convincing employees to unwittingly hand over credentials has become a favoured approach whether targeting the entire spectrum of a workforce from C-level executives, to end users, or system admins.

A Fundamental Shift
This alarming trend underscores the urgent need for heightened vigilance and specialised security measures. The rise of advanced session hijacking techniques means relying solely on enterprise-wide Single Sign-On (SSO) solutions is no longer enough. Organisations must fortify their data protection infrastructure with dedicated security controls such as Multi-Factor Authentication (MFA), Multi-Person Authorisation (MPA), Privileged Access Management (PAM), and other robust defences. Safeguarding against credential theft is paramount in defending your organisation’s most precious asset: its data.

A few years ago, concepts like immutability, anomaly detection, and malware scanning were key focal points in hardening data protection defences. These are now considered to be fundamental. These capabilities have forced threat actors to shift more towards going after “soft targets” by taking advantage of phishing, social engineering, MFA fatigue, and other credential-based attacks to log in, not break in, to your infrastructure.

Defence plans must adapt to keep up with the rapidly accelerating threat landscape. While Veritas research showed that the average UAE company hired between 14-16 new staff members across their data protection and data security teams last year, we are seeing a critical point of change with how these expanded teams can continue to effectively safeguard the exponential growth in the value, volume, and vulnerability of corporate data. The wider this gap becomes, the higher the likelihood of a major security breach, lengthy downtime, and/or data privacy compliance risks. 

Strengthening Cyber Resilience with New AI-Powered Solutions
Veritas has introduced the industry’s first self-defending data protection solution – an innovative and automated defence against user behaviour-based ransomware attacks. Veritas NetBackup and Veritas Alta Data Protection now actively and continuously monitor admin user behaviour and adjust defences such as multi-factor authentication and multi-person authorisation challenges dynamically when anomalies in administrative behaviours are detected. This adaptive, self-learning, self-defence solution is a first for enterprise data protection.

Adaptive, self-learning defence solutions are now a critical part of enterprise data protection and must be adopted to have any chance of maintaining corporate compliance while avoiding devastating reputational damage to any organisation of a major data breach.

Entropy Anomaly Detection
Another critical aspect of this process is time series data anomaly detection. In basic forms, this has been available in the market for quite some time. This technique establishes stable baselines by analysing patterns from backups over multiple weeks, while continuously learning granular data characteristics unique to the protected asset changes. This learning strategy is agnostic to any ransomware type and is referred to as zero-shot learning.

What’s new is the significant improvements to the scale and capability of how this is done. Our solutions allow individuals to detect anomalies online as backups occur, with near-zero impact on performance while at the same time eliminating the need for additional resources or incurring expensive cloud computing costs associated with post-hoc analysis.

This patent-pending innovation helps reduce the time to find and flag potential anomalies for further investigation – particularly important in limiting the potential scope of impact of any breach.

With the rise in ransomware and cyber-attacks means all organisations, across UAE and worldwide, must view being targeted not as an ‘if’ but as a ‘when’.  Whatever level of investment in additional staff and training, these tools must also be considered a necessity for any operational resilience to combat the rise of corporate user identity theft and malicious usage.

The post How to protect your valuable data? appeared first on My Startup World - Everything About the World of Startups!.