AI-Enhanced Fraud: A Growing Threat to Retirement Plans

Artificial intelligence is rapidly evolving, creating new avenues for fraud and cyberattacks, particularly in phishing. Security to counter those attacks has therefore taken on increased priority for many businesses and retirement plans.

According to Jeffrey Wu, a managing partner in DOL Cybersecurity LLC, AI is making cybercrime more effective, increasing risks for businesses and individuals.

AI enhances phishing attacks by generating error-free messages using GenAI, Wu says. This means it can produce realistic images, voice recordings and videos, and it can also craft personalized emails from stolen and publicly available information, Wu explains. It also enables highly targeted phishing emails—making scams more convincing—and automates phishing attempts and response processing.

“Retirement plans are in the process of becoming more prepared for the surge of AI fraud,” says Wu. “Each company, depending upon size and either internal or external resources, is addressing the fraud efforts. We have seen varying levels of preparation by the sponsor and service providers.”

To stay ahead of hackers and protect company and individual data, Wu advises a three-pronged approach: people, process and technology. He emphasizes that businesses need proper internal and external resources, best practices, continuous compliance and vetted technology providers.

“This cannot be a one-time effort, but [must be] a continuous effort by all parties,” Wu states, urging businesses to remain vigilant and proactive in the face of rising AI-driven threats.

AI Empowers Low-Level Hackers

Sean Fullerton, a senior investment strategist at Allspring Global Investments, warns that AI is particularly useful for lower-level hackers, making phishing and smishing (phishing via text messages) attempts more credible.

“The low-grade—or average to below-average—hackers are benefiting most from AI,” Fullerton says. “Lately, some of the spam, phishing and smishing attempts I get are pretty well written.”

Although retirement plans rely on recordkeepers for security, Fullerton notes that regulations remain unclear about liability in cyber fraud cases.

Most recordkeepers reimburse victims to protect their reputation, but some resist.

“ERISA laws were made in 1974, so there’s no real clarity on who owns the risk for cyber fraud,” Fullerton says.

Cyber insurance remains difficult to obtain, as insurers hesitate over unpredictable risks.

To reduce threats, Fullerton recommends using strong passwords and enabling two-factor authentication.