Fraudsters are increasingly using generative AI to perpetrate cyber scams.
Google has become the latest company to fall victim to cyber criminals increasingly using artificial intelligence (AI) to bypass security measures and trick users with highly-realistic documents that install malware on networks.
This Google attack, following a similar incident targeting Microsoft SharePoint servers globally, was confirmed earlier this week.
Google, one of the so-called “Magnificent Seven” US tech companies, revealed that one of its corporate Salesforce instances was compromised by a financially-motivated threat cluster known as UNC6040.
AI is rapidly becoming hackers’ tool of choice for crafting convincing e-mails and phone calls that mimic familiar voices or sound authentically human. E-mails often include attachments that appear legitimate, prompting recipients to click and unwittingly allow malware to infiltrate networks. Meanwhile, phone calls push targets to click links sent via SMS or WhatsApp.
Richard Cassidy, Europe, Middle East and Africa chief information security officer at Rubrik, says: “We are definitely seeing these incidents become more prevalent. What’s driving this surge is a combination of rapidly-evolving AI-enabled attack tools, and the ever-expanding attack surfaces created by widespread digitalisation, without proportional investment in cyber resilience.”
In South Africa, the challenge is even more acute, says Cassidy. “Digital transformation has moved faster than security maturity, making the country a testing ground for new threats. These attacks aren’t just about elite targeting; they’re happening because today’s attackers have more tools, more entry points and greater confidence in their ability to evade detection.”
A UC Berkeley paper published in January noted that the widespread availability of large language models has drastically lowered barriers for criminals to persuade victims to click malicious links. “Criminals can now generate highly-customised phishing e-mails, convincingly fake voices for social engineering attacks and streamline reconnaissance,” the paper said.
Kerissa Varma, chief security advisor for Africa at Microsoft, says its latest threat intelligence “reveals an unprecedented wave of cyber risks”. In the past year, Microsoft blocked $4 billion in fraud attempts, many using deepfake technology and AI-generated content to deceive even vigilant users.
The situation is likely more prevalent than the public is aware of as companies are potentially not disclosing all the breaches, says Jacqui Muller, researcher at Belgium Campus iTversity.
“Attackers are now bypassing traditional defences, targeting critical business applications, financial systems and educational institutions,” Varma added.
Ferné Nagy, executive financial advisor at ASI Financial Services, says fraudsters are increasingly using generative AI to craft more realistic phishing e-mails. “They’re also using AI voice clones… In some cases, deepfake videos or fake Zoom calls are being used in broader scams.”
ICT veteran commentator Adrian Schofield notes the threat is not just technological but also a human challenge.
The UNC6040 group targets Salesforce environments by impersonating IT support to deceive employees into installing malicious connected apps, often disguised as Salesforce’s Data Loader. This enables the attackers to covertly access networks and extract sensitive data.
Towards the end of last month, Microsoft confirmed its SharePoint server had been hacked, attributing the breach to two Chinese state-linked hacking groups known as Linen Typhoon and Violet Typhoon.
South Africa’s National Treasury also confirmed it had been targeted by these groups, who exploited vulnerabilities in internet-facing SharePoint servers. Malware was identified on its Infrastructure Reporting Model website, an online system that monitors public spending on infrastructure.
The finance department said its systems and websites continue to operate normally despite the attack. However, ITWeb has reliably learned that other government entities have also been affected, though details on specific departments and state-owned entities remain unconfirmed.
In the most recent attack, Google said it “responded to the activity, performed an impact analysis and began mitigations”. The breach affected systems storing contact information and related notes for small and medium businesses.
“Analysis revealed that data was retrieved by the threat actor during a small window before access was cut off. The data retrieved was confined to basic and largely publicly available business information, such as business names and contact details,” Google said.
Google also reported that the extortion involved calls or e-mails to victim organisation employees demanding Bitcoin payments within 72 hours. During these communications, the threat actors have consistently claimed to be the group known as ShinyHunters.
SentinelLABS and Beazley Security recently uncovered and analysed a rapidly-evolving series of infostealer campaigns delivering the Python-based PXA Stealer. This malware uses Telegram bots to sell stolen data in a manner that is nearly undetectable.
The actors, reportedly Vietnamese hackers, have compromised more than 4 000 unique victim IP addresses across at least 62 countries, including South Korea, the United States, the Netherlands, Hungary and Austria.
In addition to Google, US-based networking giant Cisco reported falling victim to a vishing attack late last month. Hackers used social engineering calls to trick people into revealing sensitive information.
Cisco confirmed the attackers accessed and exported a subset of basic profile information from one instance of a third-party, cloud-based customer relationship management system it uses.
