
Three ways to combat today’s AI-based social engineering attacks

AI and security awareness training

COMMENTARY: Let’s cut to the chase: We’re standing on the brink of a social engineering tsunami, and the force multiplier isn’t some shadowy super hacker, but the same Generative AI tools the marketing team uses to draft blog posts.

Tools such as ChatGPT, Claude, and their murkier dark web cousins are being weaponized by cybercriminals, and the implications are downright scary for every organization.

Social engineering works because it exploits normal human traits such as impatience, curiosity, and fear. Historically, spotting fakes relied on clues like awkward language, strange sender addresses, or requests that just felt "off."


Generative AI output can easily avoid those telltale signs and can do it in multiple languages. An IBM threat intelligence index noted a significant uptick in multilingual phishing campaigns targeting global enterprises, largely attributed to accessible AI tools lowering the technical bar for attackers.

It’s now way too easy for attackers to scrape LinkedIn, corporate websites, social media, and even breached data to write emails that sound exactly like they’re coming from the CEO, HR director, or that vendor the staff emails daily. They can mimic writing styles, reference internal projects gleaned from press releases or employee posts, and even comment on recent company events.

And convincing audio and video deepfakes, once the realm of nation-states, are now shockingly accessible to almost everyone. Now an employee can get a voice call from the "CEO" urgently telling them to wire funds, a call that sounds stressed and completely realistic.

Why today’s defenses are sitting ducks

Traditional security awareness training often focuses on spotting the obvious fakes: misspellings, suspicious links, generic greetings. AI eliminates these giveaways. Training modules built around poorly written emails have become obsolete because threat actors can now craft flawless content that looks genuine. If anything, typos may now indicate a real person behind the wheel.

Is the situation hopeless? Not quite. But pretending this isn't happening, or hoping legacy training suffices, invites disaster. Defense needs a radical overhaul, including the following:

  • Training must simulate the real future threat: Training needs to include realistic simulations of AI-generated phishing emails and, increasingly, deepfake audio/video scenarios. Employees need to hear and see convincing fakes to learn the subtle cues, such as slightly unnatural blinks in video, unusual vocal stress, and context that doesn't quite fit. The SANS Institute, a reputable training hub, recommends frequent, engaging simulations that reflect today's threats.
  • Reinforce zero-trust principles: Make "verify before you trust" the mantra. This means strict processes for financial transactions, credential changes, and sensitive data access, each requiring out-of-band confirmation. Forrester Research consistently advocates zero-trust as the foundational model to combat evolving threats like AI-powered social engineering.
  • Focus on human risks, not just technical ones: Train employees to recognize the emotional triggers used in attacks, such as urgent deadlines, fear of getting in trouble, appeals for help, and too-good-to-be-true offers. It's an old lesson that bears repeating. For 15 years the National Cybersecurity Alliance (NCA) has talked about the need to teach users to "pause and think" before acting on any request that evokes a strong emotion.

Generative AI isn't coming for social engineering. It's already here, lowering the barrier to entry for amateur criminals and supercharging the capabilities of advanced actors. Thanks to AI, the volume, sophistication, and personalization of attacks are unprecedented. Relying on defenses designed for yesterday's threats just doesn't make sense anymore.

Organizations need to urgently invest in human risk management and next-generation security training that mirrors this new reality, double down on verification processes rooted in zero-trust, and encourage a culture of skepticism. The cost of inaction won't be limited to more data breaches; it will be the complete erosion of trust in digital communications, a bad result for everyone.

Perry Carpenter, chief human risk management strategist, KnowBe4

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
