You are here

Home

Cyber Resilience – AI-driven Scams Getting More Convincing in 2025

Cyber Resilience – AI-driven Scams Getting More Convincing in 2025

Created: Thursday, December 26, 2024 - 13:20
Categories:
Cybersecurity, Security Preparedness

Threat actors continue to conduct targeted attacks against specific organizations and industries. The Aerospace defense giant General Dynamics recently experienced a highly targeted attack where threat actors compromised dozens of employee benefits accounts after a successful phishing campaign targeting its workers. Aerospace is not alone in experiencing these kinds of attacks, the water sector has also seen its own targeted attacks of a similar nature – when attackers impersonated the Maine CDC Drinking Water Program in January and June this year.

While these types of targeted attacks are something to always be on the lookout for, it’s important to note that attackers’ tactics are becoming more sophisticated and convincing due to artificial intelligence (AI). According to McAfee's 2025 predictions, AI-driven scams, including deepfake videos and personalized communications, are making it easier for scammers to manipulate and deceive victims, via social engineering. These scams can convincingly mimic legitimate interactions from trustworthy sources, such as banks or even family members, leading to higher success rates among attackers. Even those without technical expertise can create realistic fraudulent content, further blurring the lines between legitimate and malicious interactions. For more information, visit Help Net Security.

Previously shared guidance for defending against phishing and targeted attacks.

  • Share Information on Threats. In the case of the Maine DWP impersonation, state agencies quickly sent out a broadcast alert to targeted audiences warning them of the phishing attempt.
  • Open-Source Intelligence (OSINT).  There is a lot of information on the internet about our water systems. Become familiar with what is out there. In some cases, you can work to remove detailed and sensitive information. It takes time and persistence, but it is possible. In other cases, the information is intentionally part of the public record for citizens. Therefore, we need to be aware of this class of data so we are not fooled into trusting whoever has it because we believe only privileged sources have access to it.
  • Practice Phishing Drills. Part of every utility’s cybersecurity awareness training should include regular phishing drills for staff. CISA has free resources to assist, such as, Teach Employees to Avoid Phishing.
  • Not Sure, Call. If you are not sure that the source of an email is legitimate, call them through previously established phone numbers to confirm the request’s validity.
  • Fall for a Phish, Contact Your IT Group. If you realize after the fact that you fell for a phishing email, or you think you might have, call your information technology group to find out what to do. Everyone except the attacker will be glad you did.