
Mass Breaches in the Age of AI

Targeted Scams & What to do About Them

Chris Clements, VP of Solutions Architecture


Nothing to See Here, Folks!

The age-old refrain of “don’t worry, your credit card numbers are safe” has become a trope whenever a big company gets hacked and millions of people’s data is exposed. Every time it happens, the company is quick to imply, “Don’t worry, folks! Nothing to see here!” Companies that have suffered massive data breaches are quick to downplay the risks, but they’re ignoring the elephant in the room: the sheer volume of personal information that’s been exposed. This treasure trove of data may not include directly damaging information like credit card numbers or private health information, but it’s still a goldmine for cybercriminals looking to launch highly targeted social engineering attacks.

Think of it like a puzzle – each piece of exposed data is like a single puzzle piece, and on its own, it may not seem like much. But when you combine hundreds of millions of these pieces, you get a complete picture of an individual’s online life, including their interests, habits, and even their favorite hobbies. And with the recent explosion in AI, bad actors are using these powerful new tools to connect the dots—linking your email from one leak to your address from another and maybe even your purchase history from yet another breach.

Hyper-Targeted Social Engineering at Play

Social engineering attacks work by tricking a person into thinking a malicious call, email, or text message is legitimate, and the more tailored the message or content, the more likely it is to fool them into falling for the cybercriminal’s trap. Using AI tools to sort through the mountains of exposed data lets attackers produce something like a phishing email on steroids: instead of sending out a generic “your account has been compromised” message, cybercriminals can now craft emails that reference specific details about your life, making them almost impossible to distinguish from legitimate messages.

For example, a real phone call-based attack I know of personally happened to a distant relative of mine when they received a call from their “bank” wanting “to validate some suspicious activity”. The thing is, the attackers didn’t just say something generic like “hello this is bank, password please”, they actually used the name of the victim’s real bank, a small-town community bank, spoofed the bank’s actual phone number, and they even used the name of one of the bank’s real employees. And before you think, well that’s impressive, but I’d still never fall for that, consider this: my relative used to manage the bank.

What You Can Do

So what’s the solution here? Unfortunately, the reality for most of us is that we’ve had so much of our data exposed from so many different sources in breach after breach that there’s no putting that cat back in the bag. On top of that, our AI tools are only going to get more sophisticated, making the attacker’s job increasingly easy, if not completely automated. With that in mind, it’s sadly now incumbent upon us to treat every inbound communication with a certain level of suspicion, and to independently verify any information or action requests. Even if the call coming from your bank seems to pass the smell test, as soon as they ask for sensitive information or ask you to take any account actions, it’s a good idea to hang up, look up the bank’s real number, and call them back. Doing this establishes a “trusted path” for you to verify that the source is legitimate.


About the Author


Chris Clements, CISSP, CCSA, CCSE, CCSE+, CCSI, CCNA, CCNP, MCSE, Network+, A+, began working in the information security field in 2001, and has a wide range of experience with information security technologies including: 

  • Firewalls
  • Intrusion Protection Systems (IPS)
  • Intrusion Detection Systems (IDS)
  • Virtual Private Networking (VPN)
  • Anti-Malware
  • Strong Authentication
  • Disk Encryption

Chris is also an expert in information security design, security compliance, and penetration testing (ethical hacking) techniques such as: 

  • Vulnerability Assessment
  • Man in the Middle Attacks 
  • SQL Injection 
  • Cross Site Scripting 
  • Phishing 
  • Secure Environment Breakouts 
  • Privilege Escalation 
  • Password Interception 
  • Password Cracking 

He has worked to secure hundreds of customers across North America, from Fortune 500 companies with billions in revenue to small businesses with just a few users. He has developed in-depth security auditing and penetration testing products and service offerings and engaging end-user security awareness programs. Chris also enjoys teaching and has led courses on information security for hundreds of students. With his unique skill set and background in both technical operations and business management, Chris has strengths in business management, sales, and product and service delivery.