Protecting Against AI-Powered Phishing and Social Engineering Attacks
Techniques to defend against sophisticated phishing schemes enhanced by artificial intelligence.
Rule Content
---
title: Protecting Against AI-Powered Phishing and Social Engineering Attacks
description: Techniques to defend against sophisticated phishing schemes enhanced by artificial intelligence.
category: Security
category_context: Flags unsafe code, secrets, and insecure configurations.
---

# Rule: Validate External Inputs to Prevent AI-Powered Phishing Attacks

## Context

- **When to Apply**: Apply this rule when handling external inputs such as emails, messages, or data from untrusted sources.
- **Prerequisites**: Ensure that all external inputs are subject to validation and sanitization processes.

## Requirements

- **Input Validation**: Implement strict validation checks on all external inputs to detect and reject malicious content.
- **Sanitization**: Sanitize inputs to neutralize potentially harmful data before processing.
- **Authentication**: Verify the authenticity of the source of the input using methods like digital signatures or trusted certificates.
- **User Awareness**: Educate users on recognizing and reporting suspicious inputs that may be part of phishing schemes.

## Examples

<example>
**Good Example**: Implementing input validation and sanitization in a web application.

```python
import re

# Allow-list of permitted characters. fullmatch() is used rather than
# match() with "^...$" because "$" also matches before a trailing newline,
# so "alice\n" would otherwise slip through.
ALLOWED_PATTERN = re.compile(r"[a-zA-Z0-9_]+")


def validate_and_sanitize_input(user_input: str) -> str:
    if ALLOWED_PATTERN.fullmatch(user_input):
        # Input is valid: every character is on the allow-list
        return user_input
    # Input is invalid
    raise ValueError("Invalid input detected.")
```
</example>

<example type="invalid">
**Bad Example**: Processing external input without validation or sanitization.

```python
def process_input(user_input):
    # Directly interpolating untrusted input into a shell command string
    execute_command(f"echo {user_input}")
```
</example>
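The Requirements above (validation, sanitization, source authentication) can be combined into one inbound-message gate. The following is an added example, not code from the original rule. It assumes a hypothetical message format with a sender address, a username field and a body, that the trusted upstream signs the body with HMAC-SHA256 under a shared key (a symmetric stand-in for the digital signatures the rule mentions), and that the key and the `TRUSTED_DOMAINS` allow-list are constructed values for the demo. Beyond the character allow-list in the good example, it also rejects Unicode control and format characters, which is where hidden text such as bidirectional overrides would otherwise pass a naive check.

```python
import hashlib
import hmac
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed demo values (assumption): the shared HMAC key is provisioned
# out of band, and only these sender domains are considered trusted.
TRUSTED_KEY = b"constructed-demo-key-not-for-production"
TRUSTED_DOMAINS = {"example.com"}

# Allow-list for the username field; fullmatch() so trailing newlines fail.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
MAX_BODY_LEN = 2000


@dataclass
class ValidationResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def has_control_chars(text: str) -> bool:
    # Unicode categories starting with "C" cover control (Cc), format (Cf,
    # e.g. zero-width and bidi override characters), surrogates and unassigned.
    return any(unicodedata.category(ch).startswith("C") for ch in text)


def sign_message(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature: str, key: bytes) -> bool:
    expected = sign_message(body, key)
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(expected, signature)


def validate_message(sender: str, username: str, body: str,
                     signature: str) -> ValidationResult:
    reasons = []
    domain = sender.rpartition("@")[2].lower()
    if "@" not in sender or domain not in TRUSTED_DOMAINS:
        reasons.append("sender domain not trusted")
    if not USERNAME_RE.fullmatch(username):
        reasons.append("username fails allow-list pattern")
    if len(body) > MAX_BODY_LEN:
        reasons.append("body exceeds length limit")
    # Newlines are legitimate in a body; every other control/format char is not.
    if has_control_chars(body.replace("\n", "")):
        reasons.append("body contains control/format characters")
    if not verify_signature(body.encode("utf-8"), signature, TRUSTED_KEY):
        reasons.append("signature does not verify")
    return ValidationResult(accepted=not reasons, reasons=reasons)


def demo():
    # Constructed legitimate message, signed by the trusted upstream.
    good_body = "Your password reset request was received.\nReply to confirm."
    good = validate_message(
        sender="helpdesk@example.com",
        username="alice_01",
        body=good_body,
        signature=sign_message(good_body.encode("utf-8"), TRUSTED_KEY),
    )
    # Constructed suspicious message: lookalike domain, username containing a
    # shell metacharacter, a right-to-left override hidden in the body, and a
    # signature that was never produced with the shared key.
    bad_body = "Urgent: verify your account at https://example\u202e.com"
    bad = validate_message(
        sender="helpdesk@examp1e.com",
        username="alice;rm",
        body=bad_body,
        signature="00" * 32,
    )
    return good, bad


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Each failed check is recorded rather than short-circuiting, so the reasons list can be surfaced to the user or a reporting workflow, which is the User Awareness requirement in practice.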