What an interesting question and an article published recently gives us the answer, at least for today. Stephanie Carruthers, the chief people hacker for IBM X-Force Red, had her team take on Artificial Intelligence (AI), specifically ChatGPT, to see who could create a more clickable phishing email.
They started by asking ChatGPT to craft a phishing email utilizing the following:
- Areas of concern for employees in the target industry.
- Social engineering techniques including trust, authority, and social proof.
- Marketing techniques including personalization, call to action, and impersonating an employee.
Carruthers looked at the outcome and concluded it was crafty and a good showing. Also, while her team takes about 16 hours to create a phishing email, ChatGPT churned one out in about the time it takes to brew a cup of coffee.
Next, the seasoned social engineers start by looking at publicly accessible information from sources such as company announcements, LinkedIn, Glassdoor, etc. In this case, they found an article about a new wellness program, researched the company on Glassdoor, and found the person responsible for the program on LinkedIn. They then crafted an email asking recipients to respond to a short five-question survey by ‘Friday’.
The winner? Humans by about 3%! The ChatGPT crated email had a click rate of 11%, while the human email had 14%. What’s more, the ChatGPT email was reported as suspicious at a rate of 59%, while the Human email was reported at 52%.
While ChatGPT was narrowly defeated in this round, AI is still new and is certainly expected to continue to improve as time passes. How can we ensure we stay ahead in the game, especially knowing it was so close?
- Contact the sender outside of email to verify its legitimacy. You can call the sender, go see them in person, or ask in a meeting, many options here but don’t use email as their email box could be compromised!
- Misspellings and bad grammar are not the only red flags in phishing emails. In this instance, the AI-generated phishing email was lengthy/verbose. So, incorporate the complexity and length of the email into your training program as a red flag.
- Add vishing to your training program. Another study performed recently found that the combination of phishing emails with vishing (voice/phone calls) to encourage people to click were three times more effective than phishing alone!
If you would like more information here’s the article: https://securityintelligence.com/x-force/ai-vs-human-deceit-unravelling-new-age-phishing-tactics/.
If you need help with your information security training program, please contact us at support@bedelsecurity.com.