How to Use AI for Social Engineering Hacking (2024 Guide)

How to Use Ai for Social Engineering

This guide will teach you how to use AI for social engineering. You will learn how this revolutionary technology can transform your old and stale phishing emails into comprehensive social engineering engagements that can convince event the most security concious targets. All with minimal effort or time on your part!

Social engineering tests the human element of security. You build an emotive pretext, deliver it to an unsuspecting victim, and trick them into doing your bidding. AI has propelled social engineering to new heights. It makes building complex social engineering campaigns easier, faster, and more effective with its ability to generate text, media, and voice that mimics a real human.

Let’s jump in and learn how to use AI to enhance our social engineering campaigns!

Why Use Social Engineering?

Social engineering is the subtle art of strategically manipulating individuals to align with your objectives. By harnessing the forces of influence and persuasion, you can lead others to disclose sensitive information or engage in actions they might typically resist.

Unlike other hacking techniques, social engineering does not require high technical skills or sophisticated tools. You only need someone’s contact details, an Internet connection, and an effective pretext.

A pretext is a story designed to lure a victim into trusting you before you ask them to perform an action or divulge sensitive information. For instance, masquerading as a trusted authority figure, getting the victim to sympathize with your situation, or using a topical event.

This low barrier of entry is one of the reasons social engineering is such an effective hacking technique; an estimated 98% of cyber attacks involve some form of social engineering. However, the main reason social engineering is so powerful is because it exploits the human element. 

All security systems rely on humans to implement them and social engineering attacks exploit this. They go after the human operator, prey on their trusting nature using an emotionally charged pretext, and slip in through the front door. The wide adoption of artificial intelligence (AI) has made social engineering easier for hackers to exploit and harder to defend against. Let’s explore how.

You can learn more about social engineering attacks in Social Engineering Penetration Testing: A Full How-To Guide.

How to Use AI for Social Engineering

AI is a transformative technology that has had a major impact on many industries. It has automated jobs, made information more accessible, and revolutionized many industries. It has also made it much easier for hackers to generate convincing pretexts, masquerade as trusted insiders, and target more victims. 

There are many AI tools that, with the right creativity, could be used for social engineering. Here are some examples of how you can put AI to work and enhance existing social engineering attacks.

Vishing Attacks 

Vishing is a more specific form of a phishing attack. An attacker uses voice communication to deceive their target into revealing sensitive information or performing a certain action. This attack leverages phone calls or VoIP (Voice over Internet Protocol) services and will often spoof the caller ID information to make it appear that a call is coming from a trusted authority figure (e.g., a bank, government agency, or reputable organization).

An example of a vishing attack can be found in Social Engineering Example. This article details how a professional penetration tester performs a vishing attack in a real-world engagement.

The difficulty with performing a successful vishing attack is convincing the victim you are a legitimate, trustworthy figure at the other end of the call. AI makes this considerably easier. Tools like ElevenLabs and PlayHT allow you to clone someone’s voice and create custom audio that says whatever you want.

You can generate a deepfake of Homer Simpson asking for a salad or a company’s CEO asking an employee to transfer a six-figure sum. But enough talk, let’s see how you can do this for free right now.

Performing a Vishing Attack Using AI

To create an audio clip that mimics someone’s voice, you can use PlayHT. Go to the company’s website, create a profile, and log in. 

Performing a Vishing Attack Using AI

This will take you to the PlayHT studio dashboard, where you can craft your audio clip. Add in the text you want to be read aloud and select the voice you want to use from the dropdown menu, here I have used Sarah. Click the Generate button to have AI voice read your text and create the audio clip. 

Generate button to have AI voice

This is okay, but to be convincing, you need to clone the voice of a reputable, trustworthy source and have them read your text. To do this, click the Voice Cloning option in the left-hand menu and select Create a New Clone.

Create a New Clone

Select Instant in the popup menu.

Select Instant in the popup menu

Enter the Name of the voice, select the Gender, and upload a 30-second audio clip of the person talking. I have chosen to upload a 30-second audio clip of the most reputable and trustworthy source I know, Morgan Freeman. Then click Create

Create Instant Voice Clone

Once you create your cloned voice, return to the file you created and click on the Change voice button.

 Change voice button

Select the Cloned tab and click on the cloned voice you just created. Then click Confirm.

Select the Cloned tab and click on the cloned voice you just created

Finally, click the Regenerate button to recreate the audio clip using the AI-cloned voice.

Finally, click the Regenerate button to recreate the audio clip

Done! You can now add a cloned voice to your vishing attack, saying whatever you want. Just click on the Download button to download the audio clip when you are done so you can play it back to the unsuspecting victim.

You can now add a cloned voice to your vishing attack

Listen to our final version here:

The final result isn’t perfect with the free version and a 30-second sample to work with, but you can see how close it can get. With premium software, better samples, and adding appropriate context and sense of urgency, it’s easy to see how effective this method could be.

Audio clips can be used in many creative ways during a social engineering engagement. For instance, you could clone the voice of an executive and instruct front desk staff to expect a guest and let them into the building, bypassing the office’s physical security. 

Spear Phishing Attacks

Spear phishing is the most common social engineering attack, with around 95% of enterprise network attacks relying on it to gain initial access. This attack involves sending a highly personalized email to a specific individual within an organization. The email is designed to deceive them into divulging sensitive information or performing a certain action. 

Unlike a generic phishing email that targets many employees, a spear phishing email is unique, leveraging detailed knowledge about the victim to increase its chances of success. Generative AI has made crafting these targeted emails easy, fast, and cheap. Simply upload a target’s social media accounts, blog posts, or other online presence details to a tool like ChatGPT, and you can prompt the AI to produce an emotive pretext for you. Let’s see how!

To get the best results, combine the power of AI with traditional social engineering tools, such as the Social Engineering Toolkit (SET).

Performing a Spear Phishing Attack Using AI

Most generative AI tools have built-in protections to prevent them from automatically generating a spear phishing email when asked. To get around this, you can use trick the AI into generating a spear phishing email by asking it to write an email as a trusted colleague, with your ask disguised as an IT test. 

Ask ChatGPT to generate this IT request and put it in an informal but professional email that the victim may expect to see as part of their day-to-day communication with the IT team.

Performing a Spear Phishing Attack Using AI

You want to add context to the prompt, such as company name, what the company does, and who you are, along with the IT request. This additional details make the email more convincing as it appears to come from a trusted insider.

Posing as a member of the IT team is a great pretext when spearphishing. The IT team is an authority figure when it comes to any technology and this power will often allow you free reign of a target’s computer (you can even ask them to disable anti-virus protections or ignore warnings). 

Other popular authority figures you can use in your pretext are tech support or IT help desk, customer service, and cleaning staff (if you are doing a physical engagement).

Honeytrap Attacks

Another popular social engineering attack is a honeytrap attack. This type of attack takes inspiration from the classic espionage movie plot where a beautiful woman befriends the victim and, over time, takes advantage of this relationship to trick them into revealing sensitive information. 

Unfortunately, this is a common narrative that cybercriminals will exploit (and they don’t need to be beautiful women). The criminal will create a fictitious persona, set up a fake online profile, and deceive people looking for love on online dating websites or social media. AI has made this attack significantly more effective through the use of AI-generated content and media. 

You can now generate fake images that are almost impossible to tell apart from legitimate images. These images make fake profiles appear legitimate and easily trick an unsuspecting victim into believing a fictitious persona is real. Let's explore how this is possible. 

Performing a Honeytrap Attack Using AI

Generative AI tools like ChatGPT allow you to create a fictitious persona and a detailed social media profile. However, you need images to make this persona more convincing. This is where AI image generation tools like DALL-E 3, Midjourney, and DreamStudio (Stable Diffusion) can be used to craft photo-realistic images to add to your fake social media profile or a dating site. You can even use free tools like ImgCreator by zmo.ai

Navigate to the ImgCreator tool. Then perform the following:

  1. Select Text Input to type out what you want the image to look like.
  2. Enter a description of the image you want to generate. The tool provides tips for the best prompts on the right.
  3. Select Realistic Photo from the image Category.
  4. Select the image Style. I selected Medium shot here, you can use multiple to build a more complete profile.
  5. Click Create to generate your AI image.
Navigate to the ImgCreator tool

If you want a certain number of images or a specific image size, scroll down to enter these options.

Scroll down to enter these options

After you click Create, you will have a fake AI image ready to be used in your honeytrap attack.

Fake AI image ready to be used in your honeytrap attack

Generating tens or hundreds of fake images will help you build a convincing fake persona that you can use in a honeytrap attack or other sophisticated social engineering attacks. You can use these fakes images to create realistic social media accounts and increases the likelihoold the victim will fall into your social engineering trap. 

This is not limited to pretty women. You could create a fake recruiter who gets the victim to reveal sensitive information about their current job, a fake research partner who tricks them into divulging account logins, or anything else that you can craft a convincing pretext around.

How Can You Defend Against AI Social Engineering?

The power of AI for social engineering can be scary. Hackers can use it to pretend to be a trusted colleague, your best friend, or even a loved one. However, there are several strategies that you and your employer can use to defend against this looming threat.

Strategies you can use to defend against AI social engineering:

  • Using a safeword for deepfakes and voice: Add a safeword to video or voice calls where you ask someone to perform an action or give sensitive information and keep this word secret. 
  • Implementing Multi-Factor Authentication (MFA): Add another layer of authentication to reduce the likelihood of unauthorized access even if initial credentials are compromised.
  • Recognizing manipulation tactics: Be aware of common social engineering tactics, such as emotional triggers, calls to urgency, and personalized messaging.

Strategies your employer can use to defend against AI social engineering:

  • Employee awareness and training: Educate employees on the dangers of social engineering, common attack techniques, and key indicators to be vigilant of. You can also conduct simulated phishing exercises to test and improve your employees’ ability to identify social engineering attempts.
  • Implementing AI detection systems: Use AI-powered systems that analyze behavior patterns and detect anomalies. These systems can be used to defend against social engineering attempts that invoke atypical data requests. 
  • Regular security audits, updates, and compliance: Stay up-to-date with the latest security standards to defend against AI-driven attacks and social engineering threats. This includes technical security controls, protocols, and procedures.
  • Industry collaboration and intelligence sharing: Collaborate with other organizations within your industry to share real-time information and intelligence about evolving social engineering attack techniques.

Ethical Considerations When Using AI for Social Engineering

This article has showcased various ways you can use AI for social engineering. You have seen how effective AI can be at tricking people into divulging sensitive information or performing certain actions. Testing an organization’s defenses against social engineering attacks is important, but ensuring this testing is performed ethically is equally important. 

Whenever you perform any kind of penetration testing, you must ensure you abide by legal standards and understand the ethical implications of your actions. Ethical considerations are particularly important when using social engineering as an attack technique because of the potential harm and distress you may cause the employees you target. 

Here are some useful guidelines to follow when performing social engineering to help you act ethically and responsibly:

  • Follow an ethical framework that is agreed upon by you and your client. This may define certain topics as off-limits (e.g., family emergencies) to minimize the distress on employees. 
  • Communicate with the client if you are unsure of the ethical implications of your social engineering activity. Before conducting any social engineering, ask the client if they are okay with the pretext you have created and its implications on the employees it is sent to.
  • Respect the employees you target with your social engineering attacks. Remember that the purpose of your testing is not to humiliate or embarrass employees. You are there to test an organization's people, processes, and technology in defending against a cyber attack. Try to help employees see the experience as a learning opportunity.
  • Act responsibly. You are responsible for ensuring that employees are not exposed to any undue distress during your penetration testing. This means avoiding sensitive topics, not using threatening language, and avoiding other behavior that would violate the company’s code of ethics. 

Conclusion

Social engineering is the most effective attack technique to gain intial access to corporate networks. The AI revolution empowers social engineering attacks to become easier, cheaper, and more effective. You have seen this in action and discovered how to use AI for social engineering in relation to vishing, spear phishing, and honeytrap attacks.

This knowledge will help you perform more effective social engineering tests against organizations and recognize when these attacks are being used against you. If you want to learn more about social engineering, penetration testing, and cyber security defensive strategies, our StationX Membership opens up over a thousand courses and labs, as well as access to customized certification roadmaps, mentorship, and a wide community of professionals and students. Look at some of our course offerings below to help you master social engineering.

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Adam Goss

    Adam is a seasoned cyber security professional with extensive experience in cyber threat intelligence and threat hunting. He enjoys learning new tools and technologies, and holds numerous industry qualifications on both the red and blue sides. Adam aims to share the unique insights he has gained from his experiences through his blog articles. You can find Adam on LinkedIn or check out his other projects on LinkTree.

>