What devs and security teams should do now
As in usual security practice, enterprise users should always treat URLs and external inputs as untrusted, experts advised. Be cautious with links, be on the lookout for unusual behavior, and always pause to review pre-filled prompts.
“This attack, like many others, originates with a phishing email or text message, so all the usual best practices against phishing apply, including ‘don’t click on suspicious links,’” noted Henrique Teixeira, SVP of Strategy at Saviynt.
Phishing-resistant authentication should be implemented, not only during the initial use of a chatbot, but throughout the entire session, he emphasized. This would require developers to implement controls when first building apps and embedding copilots and chatbots, rather than adding controls later on.
