What Is Prompt Injection? Understanding Direct Vs. Indirect Attacks on AI Language Models

Large language models (LLMs), such as ChatGPT, are increasingly utilized as digital assistants for a wide range of tasks including drafting emails, analyzing data, and generating ideas. 

However, these AI systems are not foolproof and may occasionally generate unexpected responses. One reason for this behavior is intentional manipulation by malicious actors.

This technique, known as prompt injection, involves embedding hidden instructions within text. As a result, AI tools may disregard their intended guidelines, potentially disclose sensitive information or perform unintended actions.

There are two common types:

• Direct prompt injection: The attacker talks to the AI directly, using disguised commands.
• Indirect prompt injection: Malicious instructions are hidden inside content that the AI processes later (like a web page or document).

In this article, we’ll explain what prompt injection is and why it matters, how direct and indirect attacks work, and steps you can take to protect your AI workflows. 

What is prompt injection? 

Prompt injection is a technique that hackers use to manipulate AI language models into behaving in unintended or harmful ways. In essence, it involves altering, appending, or embedding hidden instructions within user inputs or surrounding text so that the AI interprets these changes as part of its instructions. The goal is to “inject” new commands or requests that override the original prompt or intended behavior.

For example, an attacker may hide a fake prompt inside an email. So, when the AI reads it, it may generate a fake response that leaks private data. 

These types of attacks are becoming more common as more companies use increasingly more LLMs like Claude, GPT, and LLama. In fact, in 2024, over half of global firms planned to use these models. 

However, with that growth comes risk, too. So you should be careful because prompt injection had an 88% success rate in specific tests. 

Types of prompt injection 

There are two main types of prompt injection: direct and indirect.

Direct prompt injection 

In direct prompt injection, the attacker interacts with the AI tool, such as ChatGPT, through a normal prompt. They hide secret commands in plain text.

For example, a bank might use a chatbot to help with private customer data. Now, a hacker can add a hidden command to a prompt and trick the bot into disclosing sensitive details.

Indirect prompt injection 

Indirect prompt injection works in a sneakier way. The attacker does not interact with the AI at all. Instead, they hide instructions in a file or webpage.

When a user later asks the AI to read that file, the hidden commands trigger and take control.

One case in 2024 showed how risky this can be. A job seeker hid fake skills in light gray text on a resume. An AI system read the text and gave the person a higher profile score based on false data.

Direct vs indirect prompt injection

Here’s a quick overview and comparison of both direct and indirect prompt injection attacks. 

How prompt injection works

Now that we know the risks, let’s see how a prompt injection attack happens step by step:

Step 1: Study the setup

The attacker looks at your LLM environment. They check how it was trained and how it responds to prompts. This shows them where they can hide harmful instructions.

Step 2: Prepare the prompt

Next, they write a prompt that matches the way you usually talk to the AI. If you ask questions, they do the same, so it blends in.

Step 3: Add separators

They add symbols like == or -- to split the normal prompt from the hidden commands. The AI treats those commands as separate instructions.

Step 4: Test the prompt

They send the prompt to the AI to see what it does. If it does not work, they change the words or symbols until it triggers the response they want.

Step 5: Trigger the exploit

Once the attack is successful, the AI may reveal hidden rules, leak data, or perform unauthorized actions.

Key risks of prompt injection 

Prompt injection attacks are risky because you don't know when they’re triggered. 

In 2025, Pangea launched more than 300,000 prompt injection attempts as a challenge. And 10% worked when AI had only basic safety filters. It shows how easy it is to breach weak defenses. 

But this comes with so many risks. Here are some of them:

• Revealing the hidden instructions: An attacker can ask AI to show its secret settings. A security student fooled Bing Chat to show its hidden “Sydney” system prompt. This way, attackers can find weak points and take control.
• Ignoring safety rules: We all set rules that AI has to follow. But hackers can prompt it to ignore them. Sometimes they add a joke or a soft tone to slip past filters.
• Confusing the AI: Attackers can mix languages or symbols in prompts to hide commands. This can fool the AI and make it respond in unsafe ways.
• Leaking private data: Hackers can force AI to share past chats or other stored data. This can lead to major data leaks, which are quite costly.

Best practices to prevent prompt injection 

Hackers use AI more often than their target companies. That's why you should take strong steps to counter advanced attacks, such as prompt injection. 

Here are three steps you can take:

1. Clean the input

Check every piece of text that goes into your AI. Set up filters that block passwords, URLs, and suspicious characters before they reach the model. You can use Rebuff to detect and block prompt injection attempts before they cause damage.

2. Run regular attack drills 

Test your AI models with fake attacks. To do so, you can use tools like Spikee. It allows you to simulate real-world injection attempts so your system can spot and block them faster. This is an excellent way for systems to learn and improve with each attempt at prompt injection. 

3. Scan for leaked data

Use data loss prevention (DLP) tools to monitor both prompts and AI responses. These tools detect sensitive details, such as passwords, phone numbers, and API keys, and then restrict access to them. This way, only approved users can view the information.

How to stay ahead of prompt injection attacks

Prompt injection is not a future problem. It is already here and causing damage to businesses that use AI. If your company uses large language models (LLMs), you need to make security as important as performance.

The good news is that defenses are improving, too. We now have tools like Rebuff and Google Cloud DLP, along with red-team tests that find weak spots before hackers do.

So go and test your AI systems with safe attack drills and use tools to block leaks. This will show you how your AI responds and helps you identify and fix problems before they cause real harm.