The rise of sophisticated AI-powered phishing attacks has introduced a new level of threat to businesses across all sectors.
These attacks use machine learning, natural language processing and generative AI to produce phishing messages that are far more sophisticated, hyper-personalised and scalable and, in some cases, nearly impossible for even the most tech-savvy professionals to detect.
As companies quickly adapt to digital transformation, staying aware of these AI-driven threats and understanding how to protect against them has become even more crucial.
To foster awareness of this rising threat, Vodafone Business has launched a new campaign to educate businesses, large and small, on the threat of AI-driven sophisticated cyber-attacks and the strategies businesses can employ to identify, manage and mitigate them.
Written by Steve Knibbs
Steve Knibbs leads Vodafone’s secure division, Vodafone Business Security Enhanced (VBSE) – a full Sell, Build, Run organisation delivering and running complex managed services to Public Sector, Critical National Infrastructure and large corporations, with security classifications/accreditations and UK security cleared staff.
As part of the campaign, we spoke to businesses across the country to find out how prepared they were to manage an advanced AI cyber-attack, and we found:
- 94% of business leaders were concerned about falling victim to phishing and other forms of cyber-attacks.
- More than half of business leaders had been targeted by a phishing scam in the past two years.
- Those who had been targeted revealed that a staggering 82% of those attempts were made by email, 39% by phone and 22% through social media.
- Only 40% of business leaders felt suitably trained to identify and manage a phishing attempt.
- 80% of business leaders agreed that cybersecurity training would be helpful for their employees but only 64% had provided any in the past 2 years.
With such a significant and harder-to-detect threat on the rise, businesses both large and small must adopt a proactive, multi-layered approach to their cybersecurity, combining technical safeguards with employee education and AI-driven solutions of their own.
So, what can businesses like yours do to stay ahead of the curve and stay protected online? Let’s break it down.
What makes AI phishing so dangerous?
AI has given cybercriminals a powerful new tool to launch highly targeted, convincing attacks at scale. Malicious actors are now able to easily craft emails, messages, and even phone calls that feel incredibly real. These attacks are no longer generic: they’re specific, realistic and incredibly sneaky.
AI-driven phishing schemes often use data from social media profiles, business networks and even internal communications to craft messages that appear completely legitimate by using some of the following techniques:
- Spot-on impersonations: AI can mimic communication styles, making it hard to tell if that email from your boss is real or fake.
- Deepfake calls: Imagine receiving a voicemail from a client or your CEO, only to find out it was an AI-generated deepfake trying to scam you.
Sounds terrifying, right? And it’s not just large companies being targeted – small businesses are just as likely to fall victim because they often don’t have huge IT departments or the latest security tools. Don’t worry, however. Your business can take several measures to ensure you and your employees remain vigilant.
How to spot AI-powered phishing attempts?
While these attacks are often more sophisticated, there are still a few things you can look out for:
- Odd requests: If an email or message is asking for something unusual – like urgent money transfers or confidential info – pause for a moment and think. AI phishing often relies on creating a sense of urgency to get you to act quickly.
- Tiny details: Pay close attention to small things like email addresses or wording that’s slightly off. AI can be super accurate, but mistakes happen.
- Does it feel off? If something feels impersonal or just doesn’t sound like the person who sent it, trust your gut. AI-generated messages may miss those subtle human touches.
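The first two checks above can be partly automated to prompt a human double-check. The sketch below is an added example, not part of the original article or any Vodafone tooling; the trusted domains, keyword lists and sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumption: domains this business genuinely corresponds with (constructed).
TRUSTED_DOMAINS = {"example-supplier.co.uk", "examplebank.com"}
# Assumption: small illustrative keyword lists, not a complete vocabulary.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|asap|today)\b", re.I)
SENSITIVE = re.compile(
    r"\b(bank transfer|payment|invoice|gift cards?|password|confidential)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain this one nearly matches, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def review(from_header, body):
    """Return the reasons a person should double-check this message."""
    reasons = []
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    near = lookalike_of(domain)
    if near:
        reasons.append(f"sender domain {domain!r} is close to trusted {near!r}")
    if URGENCY.search(body) and SENSITIVE.search(body):
        reasons.append("urgent request for money or confidential information")
    return reasons

# Constructed sample messages: (From header, body text).
SAMPLES = [
    ("Accounts <accounts@example-supp1ier.co.uk>",
     "Our details have changed. Please make the bank transfer today."),
    ("Accounts <accounts@example-supplier.co.uk>",
     "Attached is the agenda for next month's review."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", review(sender, body) or "no flags")
```

A flag here is a reason to verify the request through a known channel, not proof of phishing; a message with no flags can still be malicious.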
Make sure your team knows what to look for
One of the most effective defences is creating a culture of awareness throughout your company. Regularly training employees on how to spot phishing attempts – especially AI-driven ones – is critical. This should include:
- Simulate phishing attacks: Test your employees with fake phishing emails to see how they respond. It’s a great way to build up their defences without any real risk.
- Keep your team updated: Cybercriminals are always evolving, so make sure your team knows about the latest phishing trends, especially AI-driven ones.
- Encourage a ‘double-check’ culture: Foster a work environment where employees feel comfortable double-checking unusual requests, even if they come from senior leadership.
Strengthen your tech defences
Just as attackers are using AI to strengthen their attack strategies, businesses can use it to bolster their own defences. Here are a few technical measures you can implement to help you fight back:
- AI-powered detection tools: As phishing attacks evolve, so too must the tools used to detect them. Invest in AI-driven security software that can identify anomalies in emails and flag suspicious communications.
- Multi-factor authentication (MFA): Requiring two or more methods of verification can prevent unauthorised access, even if login credentials are stolen in a phishing attempt.
- Email security filters: Keep your email filtering systems up to date. They’re your first line of defence in catching phishing attempts before they even reach your employees. They can be configured to catch not just spam, but subtle phishing attempts as well.
Have a response plan in place
No matter how prepared you are, there’s always a chance that an attack will slip through. Having a resilient response plan in place can help mitigate the damage.
- Incident response team: Ensure your IT or security team knows how to respond swiftly to a breach, containing it before it spreads.
- Clear reporting process: Make it easy for employees to report phishing attempts or potential security incidents, with clear instructions on what to do if they fall victim.
- Post-incident reviews: After any attack, review what went wrong and how to prevent it in the future. Constant improvement is key to staying ahead.
We would also ask the Government to consider the following policy proposals to ensure businesses are suitably equipped to manage the rising threat of AI-driven cyber scams:
- Introduce financial incentives, such as tax breaks, grants or subsidies, for businesses that invest in cybersecurity measures, including training and certification.
- Develop a nationwide PR campaign to promote Cyber Resilience Centres (CRCs) and the Cyber Essentials certification among businesses of all sizes.
- Reallocate funds within the National Cyber Security Strategy budget to support targeted local initiatives for businesses.
- Promote the development and adoption of AI-driven cybersecurity tools and provide training to businesses on preventing AI-led cyber-attacks.
- Establish additional Cyber Resilience Centres in underserved regions and enhance the capabilities of existing centres to offer tailored support for businesses.
Instead of fearing AI phishing, businesses should use it as an opportunity to strengthen their cybersecurity defences and create a more secure environment. Vodafone CybSafe, for example, is a great tool your business can employ to help develop a security-first culture.
Remember, cybercriminals are counting on us to make mistakes—but with a little preparation, we can outsmart them and keep data safe. The key is to remain vigilant, stay informed, and never assume that you’re too small or too smart to fall victim.
No matter the size of your business, Vodafone Business offers a range of cybersecurity solutions to help keep your organisation protected online from sophisticated threats.