SECURE&TIP: AI RISKS


What is AI or Artificial Intelligence?

Artificial Intelligence is a functionality that new technologies are acquiring, which allows a device or medium (computer, machine, mobile, car, application, smart speaker, web, etc.) to engage in fluid communication with a person, to the point of answering questions, carrying on a conversation or solving problems, with a level of understanding equivalent or even superior to that of a human brain.

Are there cyber-attacks associated with the use of AI?

Unfortunately, yes. For example, the most widely used AI technology today is ChatGPT, with 400 million monthly active Users worldwide (120 million more than in 2024), so for cybercriminals it is “a new sea full of fish to catch”. This is because not all programs and applications with these functionalities are equally secure. For example, vulnerabilities have already been detected in car computer assistants, Alexa-type intelligent speakers and even ChatGPT itself or similar search engines (e.g. Microsoft’s Copilot).

What precautions should we take?

Especially if we use these technologies not only on a personal level, but also professionally, we should keep the following in mind:

  1. Golden rule: be wary of everything and ask experts. This implies that, on a personal level, we should be careful about what we use and download, and in case of doubt, it is preferable to ask a person with a technical profile for advice. But also on a professional level, if we want to use an AI technology in the workplace, because it helps us to be more efficient or improve the quality of our work, we must first seek authorization from our line manager and the IT Dept. If we use it without having communicated it internally, in the event of a cyber-attack, we as the User would be directly responsible for that incident and the possible leakage of information.
  2. These technologies record and store transcripts of your conversations. It is very common for the technology’s Privacy Policy or Terms of Use to state that the technology may collect information from our messages, files and any comments we share. In addition, conversations can be reviewed by AI trainers to develop the chat and improve the system. Therefore, the personal or corporate data that we enter are not only compromised, but are also used for the benefit of the company behind the technology. This creates a sanctionable Cybersecurity and Privacy risk, both for the User who enters the data and for the company to which they belong.
  3. Fake AI websites and applications. Taking advantage of ChatGPT’s popularity, unofficial pages and applications have been created to distribute malicious software (malware) or carry out cyber-attacks based on the information collected. More than 90 malicious applications, equipped with fake AI, have already been detected in the last year. In addition, certain answers given by an AI, whether it is legitimate or not, may contain links that redirect us to these fake websites or apps (Phishing/Pharming), because the originating AI does not check whether they are fake; it simply finds them on the Internet and forwards them to us in response to our request.
  4. Always ask for sources to verify information. The information provided by the AI does not indicate the source from which it is obtained, so it may be false or incomplete. To avoid this, we can ask questions that require sources, or formulate them in such a way that the AI has to provide longer answers with more background information, which helps prevent it from inventing text.
  5. Pay attention to the copyright of the information provided by the chatbot.
    AI-generated responses are not protected by copyright law, so they can be used freely without requesting permission or obtaining a license. In these cases, it is important to obtain permission or a license to use the content in a specific way, in order to avoid infringing the intellectual property rights of others.

IMPORTANT NOTE: If, even when complying with all these measures, you encounter situations that do not conform to the level of security required or established in internal policies, do not hesitate to communicate this to your line manager, the CISO Security Manager and the IT department, so that they can advise you appropriately. On a personal level, report the cyberattack to the police authority.

*Shipment date: April 21, 2025