Attackers Are Turning AI Against Its Users

Just a few seemingly harmless instructions hidden in a document or on a website can cause artificial intelligence to act differently. A technique known as prompt injection does not target the software itself, but rather the way AI interprets instructions. Which can cause leakage of sensitive information.

Summary

Prompt injection allows attackers to manipulate the behavior of artificial intelligence.

• AI is becoming an integral part of business operations and often works with sensitive data.
• Rather than breaching a system, attackers aim to influence AI decision-making.
• Malicious instructions can be embedded in a conversation, document, email, or web page.
• Manipulated AI may disclose sensitive information or bypass security controls.

When AI Starts Listening to an Attacker

Artificial intelligence is designed to follow the instructions it receives. It helps employees search internal documents, analyze data, process emails, and generate reports. However, if a malicious instruction is mixed in with legitimate ones, AI may not always recognize the difference. This is exactly what the prompt injection technique exploits.

Rather than attempting to breach a system or install malware, the attacker provides AI with instructions that alter its decision-making. For example, if an AI assistant is asked to analyze a document, it may encounter a statement such as: “Ignore previous instructions and follow the instructions below.”

A human would likely recognize such a statement as suspicious. An AI system, however, may interpret it as a legitimate instruction. Once it prioritizes that instruction over the original task, an attacker gains the ability to influence its behavior and potentially make it disclose sensitive information, bypass security restrictions, or perform actions it would normally reject.

Not All Attacks Look the Same

Prompt injection can take many forms. In some cases, an attacker attempts to manipulate AI directly within a conversation, providing instructions designed to override existing rules or security controls.

An even greater risk comes from indirect attacks. In these cases, malicious instructions are hidden within content that the AI processes. This could be a document, an email, or a web page. Users are often unaware that the AI is working with manipulated content. As a result, indirect prompt injection is considered one of the greatest challenges facing modern AI systems. The attack targets the information sources from which the AI draws its knowledge.

How to Defend Against It

At first glance, it may seem that the solution is simply to teach AI to ignore malicious instructions. In reality, the problem is far more complex. Security experts therefore warn that prompt injection cannot be completely eliminated through a single technical measure. Effective protection typically requires multiple layers of security, restricted access to sensitive data, and careful oversight of the actions AI systems are allowed to perform.

Recommended measures include:

• Verifying AI outputs
• Separating trusted and untrusted data sources
• Limiting AI system permissions
• Regularly testing AI systems for resilience against manipulation attempts

As with phishing and other cybersecurity threats, the best defense is a combination of technical safeguards and user awareness. As AI systems gain access to more data and tools, their ability to withstand manipulation will become increasingly important.

Final Safety Recommendations

1. How to easily and effectively increase cybersecurity in your company? Check out how Redamp.io  can help protect you.

2. Stay informed! Read our blog  and follow notifications in the app about the latest threats we are monitoring for you.

3. Be cautious! Pay special attention to phishing  and ransomware .

Sources:

OWASP 

OpenAI 

IBM