FBI's Misguidance Exposed: The Provided Guidance for Gmail Security Breaches is Entirely Ineffective
I did not expect to be writing today that the Federal Bureau of Investigation may be significantly off the mark in the precautions it suggests for people who could fall victim to email phishing scams, yet here we are. Google has already notified Gmail users of yet another wave of fraudulent attacks, singling out three notorious attack methods, and its guidance is mostly reasonable and sensible. The FBI has also issued alerts about seasonal phishing scams, and a portion of its guidance is, according to numerous cybersecurity experts, decidedly misguided. Here's what you need to know.
Where the FBI's Phishing Mitigation Counsel Goes Astray
The FBI recently issued a fresh warning about the hazards of seasonal phishing attacks against Gmail, Outlook, and Apple Mail users. The countermeasures it suggests are, generally speaking, sound enough. One recommendation, however, which the FBI is still promoting in 2025 as if it were still valid, is less than convincing: review the spelling used in any correspondence. This remains pertinent for URLs that use alternative spellings and character sets to deceive the eye, but it is no longer plausible to rely on attackers making spelling mistakes or using poor grammar in the body of a message, or so it would appear. It's possible that the FBI is simply communicating poorly and means that spelling checks are only relevant to links. Nonetheless, that's not the impression I, and likely countless others, are left with, particularly the non-technical public, who are the most susceptible.
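To make the one part of the spelling advice that still holds concrete, here is an added example (not from the article, the FBI, or Google) of the kind of check a mail filter or browser extension can apply to a link's hostname before a user ever has to eyeball it: decode punycode labels, flag labels that mix Unicode scripts, fold common look-alike characters to ASCII and compare that "skeleton" of the domain against a trusted list, and catch one-character typos with an edit-distance test. The trusted list, the sample links, the confusables subset and all function names are constructed for this illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Added example, not from the article: heuristics that flag link hostnames
# imitating a trusted domain with look-alike characters or a one-character typo.

# Constructed subset of Unicode confusables; the real table is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04cf": "l",  # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03b9": "i",                 # Greek
    "1": "l", "0": "o",                                                          # digit-for-letter
}

# Constructed trusted list; a real deployment would use its own allowlist.
TRUSTED = {"gmail.com", "google.com", "outlook.com", "apple.com"}

# Constructed sample links (non-ASCII written as escapes so they are unambiguous).
SAMPLE_LEGIT = "https://mail.google.com/mail/u/0/"
SAMPLE_HOMOGRAPH = "https://g\u043e\u043egle.com/"      # Latin g, two Cyrillic o, Latin gle
SAMPLE_TYPO = "https://gmaill.com/"
SAMPLE_PUNYCODE = (
    "https://" + "\u0430\u0440\u0440\u04cf\u0435.com".encode("idna").decode("ascii") + "/"
)


def decode_host(url):
    """Return the hostname with any punycode (xn--) labels decoded to Unicode."""
    host = urlsplit(url).hostname or ""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label, it is still compared
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Set of script names (first word of the Unicode character name) used in a label."""
    found = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(host):
    """Fold compatibility forms and confusables to plain ASCII for comparison."""
    text = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a, b):
    """Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels; a production version would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def assess_url(url, trusted=TRUSTED):
    """Return {'host', 'suspicious', 'reasons'} for a link found in a message."""
    host = decode_host(url)
    domain = registrable(host)
    reasons = []
    if domain in trusted:
        return {"host": host, "suspicious": False, "reasons": reasons}
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            reasons.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
    folded = skeleton(domain)
    for t in sorted(trusted):
        if folded == t:
            reasons.append(f"look-alike of {t}: {domain!r}")
        elif edit_distance(folded, t) == 1:
            reasons.append(f"one edit away from {t}: {domain!r}")
    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_HOMOGRAPH, SAMPLE_TYPO, SAMPLE_PUNYCODE):
        print(sample, "->", assess_url(sample))
```

The point of decoding punycode first is that the wire form of a homograph domain looks nothing like the brand it imitates, so a filter that only compares the ASCII it received learns nothing; the skeleton comparison is what turns "looks like apple.com" into something a program can decide. The digit-for-letter folding and the two-label registrable-domain shortcut are deliberate simplifications and will produce some false positives on legitimate domains.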
What the FBI Needed to Say
In all fairness, I genuinely appreciate the FBI's public service announcements and warnings, as it often does exceptional work alerting the public to security concerns and how to address them. Consider the recent instance of the increased use of AI in phishing attacks against smartphone users, and the advice to hang up and create a secret code, for example. The FBI's public service announcement about AI even acknowledged that crooks use AI tools to improve language translations, thereby reducing the grammatical and spelling errors of criminals targeting U.S. victims.
Referring to recent data indicating a surge in credential phishing email assaults, Callie Guenther, senior manager of cyber threat research at detection and response provider Critical Start, noted that the uptick "aligns with the expanded use of generative AI, which enables attackers to churn out convincing phishing content at scale, localize campaigns across languages, and automate deep personalization."
In other words, the FBI should drop the outdated "review for errors" advice from its mitigation guidance, because generative AI has now advanced to the point where it can produce error-free, grammatically correct phishing emails in any language. I have reached out to the FBI for a response.
- Despite the FBI's continued promotion of checking for spelling errors as a phishing mitigation strategy until 2025, cybersecurity experts agree that this advice is no longer valid due to the advancements in generative AI.
- The FBI has issued a warning about seasonal phishing attacks targeting Gmail, Outlook, and Apple Mail users, but some of its guidance, such as reviewing spelling, is deemed misguided by experts.
- Google has notified Gmail users of another wave of email phishing scams, highlighting three major attack methods, and while the suggested precautions are generally reasonable, some advice from the FBI is questionable.
- The FBI's guidance on reviewing the spelling used in emails for potential phishing scams is being challenged by cybersecurity experts, who argue that generative AI has advanced to the point where it can create error-free and grammatically correct phishing emails in any language.
- The FBI's approach to combating phishing scams, including their advice on checking for spelling mistakes, needs to be updated to reflect the current threats and technologies used by cybercriminals, according to cybersecurity experts.