You might hear that 2025 will be the Year of artificial intelligence (AI) cybercrime. But the trend really began in 2024.
AI crime will prove so overwhelming that some say the only way to fight it is through AI security software. But two incredibly simple, low-tech, and common-sense techniques have emerged recently that should become everyone’s default in business and personal contexts. (I’ll tell you about those below.)
First, let’s understand how the bad guys are using AI.
The clear and present danger of AI-powered attacks
Already, we’re seeing attackers using AI to generate phishing emails with perfect grammar and personalized details for each victim. Not only is English grammar perfect but with AI, any attack can be delivered in any language.
It’s even “democratizing” the ability to launch thousands of simultaneous attacks, a feat formerly possible only by large-scale attacks by nation-states. The use of swarming AI agents in 2025 will create a new and urgent risk for companies.
Phishing and malware, of course, facilitate multifaceted ransomware attacks that have caused havoc with healthcare organizations, supply chains, and other targets. Global ransomware attacks are predicted to cost more than $265 billion annually by 2031, thanks in part to the power of AI in these attacks.
The growing quality of deepfakes, including real-time deepfakes during live video calls, invites scammers, criminals, and even state-sponsored attackers to convincingly bypass security measures and steal identities for all kinds of nefarious purposes. AI-enabled voice cloning has already proved to be a massive boon for phone-related identity theft. AI enables malicious actors to bypass face recognition. protection And AI-powered bots are being deployed to intercept and use one-time passwords in real time.
More broadly, AI can accelerate and automate just about any cyberattack. Automated vulnerability exploitation, which allows malicious actors to identify and exploit weaknesses fast, is a huge advantage for attackers. AI also boosts detection evasion, enabling attackers to maintain a persistent presence within compromised systems while minimizing their digital footprint — magnifying the potential damage from the initial breach.
Once large amounts of data are exfiltrated, AI is useful for extracting intelligence on that data’s value, enabling fast, thorough exploitation of the breach.
State-sponsored actors — especially Russia, Iran, and China — are using AI deepfakes as part of their broader election interference efforts in democracies around the world. They’re using AI to create memes impersonating or slandering the candidates they oppose and to create more convincing sock-puppet accounts, complete with AI-generated profile pictures and AI-generated bot content at a massive scale; the goal is to create astroturf campaigns that can sway elections.
Rise of AI-augmented spyware
A new HBO documentary by journalist Ronan Farrow, “Surveilled,” investigates the rapidly growing multi-billion-dollar industry of commercially available spyware. The most prominent, and probably most effective, of these products is NSO Group’s Pegasus spyware.
According to the documentary, Pegasus can enable an attacker to remotely turn on a phone’s microphone and camera, record audio and video — all without any indication on the phone that this recording is taking place — and send that content to the attacker. It can also copy and exfiltrate all the data on the phone.
While Pagasus itself does not contain or use AI, it is used in conjunction with AI tools for targeting, face recognition, data processing, pattern recognition, and other jobs.
NSO Group claims it sells Pegasus only to governments, but this claim has yet to be independently verified, and no regulation governs its sale.
Two simple solutions can defeat AI-powered attacks
The advice for protecting an organization from AI-powered cyberattacks and fraud is well known.
- Implement a robust cybersecurity policy and employ strong authentication measures, including multi-factor authentication.
- Regularly update and patch all software systems.
- Educate employees on cybersecurity awareness and best practices.
- Deploy firewalls and endpoint protection solutions.
- Secure perimeter and IoT connections.
- Adopt a zero-trust security model and enforce the principle of least privilege for access control.
- Regularly back up critical data and encrypt sensitive information.
- Conduct frequent security audits and vulnerability assessments.
- Implement network segmentation to limit potential damage from breaches.
- Develop and maintain an up-to-date incident response plan.
- Consider a people-centric security approach to address human error, a significant factor in successful cyberattacks.
Combine these practices and you can significantly enhance your organization’s cybersecurity posture and reduce the risk of successful attacks.
Though effective, those solutions are expensive, require expertise, and require ongoing iterative efforts by large numbers of employees. They’re not something one person alone can do.
So what can each of us do to better protect against AI-enhanced attacks, fraud, and spyware tools on our smartphones? In addition to the usual best practices, the FBI and Farrow emphasize two simple, easy, and completely free techniques for powerful protection. Let’s start with the FBI.
The FBI recently issued a warning about criminals exploiting generative AI to commit financial fraud on a larger scale. The warning is aimed at consumers rather than businesses, but their solution can work on a small scale within a team or between an executive and their assistant.
After listing all the many ways fraudsters can use AI to steal identities, impersonate people, and socially engineer their way into committing scams and theft, they say one effective way to verify identity quickly is to use a secret word.
Once established (not in writing… ), the secret word can serve as a fast, powerful way to instantly identify someone. And because it’s not digital or stored anywhere on the Internet, it can’t be stolen. So if your “boss” or your spouse calls you to ask you for data or to transfer funds, you can ask for the secret word to verify it’s really them.
The FBI offers other advice, such as limiting audio, video, or pictures posted online and always hanging up and calling back the person on a known number. But the secret word is the most useful advice.
Meanwhile, in his documentary, Farrow emphasizes a simple way to foil spyware: reboot your phone every day. He points out that most spyware is purged with a reboot. So rebooting every day makes sure that no spyware remains on your phone.
He also stresses the importance of keeping your OS and apps updated to the latest version. That’s my advice as well. Use good best practices generally as far as your budget will allow. But do establish a secret word with co-workers, bosses, and family members.
And reboot your phone every day.
