95% believe LLMs making phishing detection more challenging

More than 95% of responding IT and security professionals believe social engineering attacks have become more sophisticated in the last year, according to LastPass.

Recent AI advancements, particularly generative AI, have empowered cybercriminals to coordinate social engineering assaults with unprecedented precision and customization. Phishing and other social engineering attacks manipulate people into sharing information they shouldn’t or making other mistakes that compromise their personal or organizational security.

Psychological manipulation through social engineering will continue to be a pervasive threat to businesses and their employees in 2024. Employees are the first line of defense in safeguarding a company’s sensitive data. Yet, they are also its weakest link and can be easily manipulated by bad actors seeking sensitive data and credentials. The first step in combating social engineering is recognizing the problem and its prevalence.

The efficacy of phishing testing programs

More than 95% of respondents believe dynamic content through Large Language Models (LLMs) makes detecting phishing attempts more challenging.

81% of reporting businesses have seen increased phishing attacks in the past year. Phishing will remain the top social engineering threat to businesses throughout 2024, surpassing other threats like business email compromise, vishing, smishing or baiting.

Dynamic content (a/k/a adaptive content) in emails through Gen AI is making detecting phishing attempts harder. This dynamic content can be tailored to the individual recipient and includes natural-sounding email copy. Gone are the days of a misspelled word or bad grammar alerting an employee to a potential phishing attack.

While 88% of respondents feel confident in their phishing testing programs, only 16% of users identify 75-100% of suspicious activity within these phishing testing programs.

This clear cognitive dissonance means that simply ticking the boxes when implementing a phishing testing program could leave your business susceptible to attacks. As social engineering becomes more sophisticated, employees and employers must actively participate in the fight against phishing attempts. To combat the evolving nature of these attacks, they must be vigilant — and as adaptable as the threat itself.

Passkey adoption key to eradicating social engineering

78% of participating organizations recognize that replacing passwords with passkeys will enhance resilience against social engineering. Additionally, 96% of respondents plan to adopt passkeys, and many organizations are actively working to migrate employees away from passwords to mitigate social engineering risks.

The adoption of passkeys will be a crucial step in the eradication of social engineering attacks. When you remove the password, you eliminate the phishable key to your company’s data.

Adapting to the evolving nature of social engineering attacks, particularly phishing, is crucial to the integrity and safety of your business’s data. Ultimately, though, the elimination of passwords will be the strongest defense against a type of attack that manipulates human fallibility.

61% of respondents use a password manager to prevent user credentials from being exposed via social engineering.

“In the evolving landscape of AI-fueled social engineering attacks, our security practices must be just as adaptable as the threat itself,” said Alex Cox, director of threat intelligence at LastPass. “It’s clear that IT and security leaders recognize the salience of this threat, as well as the ultimate solution to safeguarding their businesses’ data: a security future that is free from passwords.”

Measures to protect against social engineering

Social engineering attacks are so popular because they are comparatively easy to execute with a high success rate. Businesses can more successfully deter social engineering threats by understanding the nuances of prevalent attacks like phishing, baiting, business email compromise, and pretexting and educating employees accordingly. Implementing proactive measures including password managers, MFA and SSO, as well as empowering employees with knowledge, and fostering a security-conscious culture are essential to safeguarding the business.