Introduction
"You just got an email from a Nigerian prince, he's got a ton of money and he's willing to share some of it with you. All he needs is just your banking details and he can launder the money through your account."
Please tell me you don't fall for that anymore. That's a phishing attack, and phishing attacks have since gotten a lot more sophisticated. In fact, they're about to get even more sophisticated. So we ran an experiment to see who's better at writing phishing emails these days: humans or generative AI.
How AI Generates Phishing Emails
Let's see how they did it. Blueguard researchers took a look at generative AI and they asked it to come up with a list of concerns that people in a particular industry might have.
They targeted an industry so that the concerns would seem more relevant. So it comes up with the list, then they say, okay, what we want you to do is write an email leveraging social engineering techniques as well as marketing techniques. And we're going to take all of this together and generate a phishing email using the generative AI.
And finally, they asked it, who in fact should we send this to? And who should it look like it came from? They put all of that together and this is what came out.
Dear employees, we understand that many of you are concerned about the issue of limited advancement opportunities. See, we got that from the list of concerns that were generated. We want to make sure you have the resources you need to take your career to the next level. This is all about you, after all. So it has included empathy and it's related to the person. That's why I'm inviting you to a special event, not just a normal event, this is a special one, to address the issue of limited advancement opportunities. So, it's hitting right on what your concerns are. We understand that your time is precious, so we're not going to waste it, and we're even going to include with this a mobile-optimized website with stories and videos. There's got to be urgency. Do it now. Don't think, just act to take advantage of this opportunity. Click on the link. Bang! You've been phished.
How Humans Generate Phishing Emails
Let's see how we did. The approach the Blueguard researchers took was to leverage something called Open Source Intelligence (OSINT): looking at open sources of information about people, such as LinkedIn, company websites and blogs, and gathering as much information as they could about the people they were going to target. That way they get the best information and can really target the phishing email.
The next thing they did was create a sense of urgency in the email they crafted. If we're a phisher, we want people to act and not think. So we're going to create some level of urgency, some time constraint. You need to act before Friday, something like that.
And then the final element they included was the notion of brevity. We're not going to take a lot of your time. We've just got five simple questions. This is a survey, for instance. Or, we want your opinion. We want you to do the following things, but it's not going to take much time. So, urgency along with the fact that it's going to be brief, and now people are more likely to go ahead and do it.
So, in this epic battle of man versus machine, the winner is humans. I don't know if this is a contest we necessarily wanted to win, but we had a slight win. It turned out that more people were fooled by the human-generated phishing email than by the generative AI one, but the difference is very slight.
But let's take a look at something else. Another fact to consider is that it takes about 16 hours for humans to generate the winning phishing email. Why did it take so long? Well, this open source intelligence work requires a lot of time to read through and research and try to pull out exactly the right details. And then writing in just the right things so that you include the right levels of urgency and simplicity, that just takes a while for a human to come up with.
On the other side, one person could go into ChatGPT and, in five prompts and five minutes, come out with something that was nearly as good. So, effectiveness: the winner is humans. Efficiency: the winner is generative AI. And consider that AI is continuing to improve. We're going to improve a little bit, but only so much; this technology is very new, and it's going to improve a lot. So we're going to see generative AI get better and better at everything it does, including the ability to write phishing emails.
But now you might say, ChatGPT won't write phishing emails for me; if I try to ask it to do that, it's got guardrails. But there are prompt engineering and prompt injection attacks where people get around those things. Also, there are alternatives to this type of generative AI: alternative chatbots that have no guardrails and will happily generate all the phishing emails you want.
So we won, sort of, but we're going to lose in the long term unless we know how to deal with this threat.
How To Recognise Phishing Attacks From Email, Text Message And Voice
So now let's see what you can do about these phishing attacks. Phishing attacks are going to keep getting better and better. What have we traditionally trained our users to do so that they don't fall for this?
Look for bad grammar
Well, one of the main tells we teach people to look for is bad grammar. A lot of the time the phishers are not native English speakers, and when they write in English it shows. So that can be a clue that someone could use to determine whether a message is a little suspicious. Especially if it claims to come from an American company, a British company or any authority, and yet the English is not very correct, that would be a good clue.
Make Sure The Message Is Applicable To You
Another thing we've often told people to check is whether the message is applicable to you. If it's not, say I get an email from a bank that I don't do business with and they're asking me to confirm my details, then I know that's not for me, so I can ignore it.
Carefully Examine Any Link Before Clicking
Finally, another major thing that we tell people to look at is the link. Look at the URL in the email that you're about to click on. Does it look bogus? Does it look like the normal link that you would use to go to your bank, or to that particular shopping company, or whatever it happens to be? If it doesn't, if it looks like there's a misspelling or it's in an odd format, then we're going to ignore it. So this is the stuff that we've trained users to look for.
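To make the "look at the link" advice concrete, here is an added example (not code from the original post or from the Blueguard research) that pulls every link out of an HTML email body and applies the checks the paragraph describes: a misspelt or lookalike domain, an odd format such as a bare IP address, a punycode label, or link text that displays one site while the href goes somewhere else. The sample email and the `TRUSTED_DOMAINS` allowlist are constructed for the example, and `registrable_domain` is a deliberately crude last-two-labels approximation rather than a real public-suffix lookup.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of domains the recipient genuinely does business with.
# A real mail filter would load this from configuration, not hard-code it.
TRUSTED_DOMAINS = {"examplebank.com", "example-shop.com"}

# Constructed sample message body with three links: a lookalike domain over plain
# http, a bare IP whose link text pretends to be the bank, and one genuine link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Please <a href="http://examplebank.com.account-verify.net/login">confirm your details</a>
before Friday.</p>
<p>Or visit <a href="https://203.0.113.7/secure">examplebank.com/secure</a> directly.</p>
<p>Statements: <a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a></p>
"""

_URL_LIKE = re.compile(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude approximation: last two DNS labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return human-readable reasons the link looks suspicious (empty list = no flags)."""
    reasons = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        reasons.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if "@" in parts.netloc:
        reasons.append("userinfo '@' in the URL can disguise the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    if "xn--" in host:
        reasons.append("punycode label (possible homoglyph domain)")

    rd = registrable_domain(host)
    if host and rd not in trusted:
        # Lookalike check: a trusted brand name embedded in an untrusted domain.
        for t in sorted(trusted, key=len, reverse=True):
            brand = t.split(".")[0]
            if brand in host:
                reasons.append(f"untrusted domain {rd!r} imitates trusted brand {brand!r}")
                break

    # Link text that itself looks like a URL but points to a different registrable domain.
    if _URL_LIKE.fullmatch(text.strip()):
        shown = urlsplit(text if "://" in text else "https://" + text).hostname or ""
        if registrable_domain(shown) != rd:
            reasons.append(f"link text shows {shown!r} but href goes to {host!r}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each href in the message to its list of reasons for suspicion."""
    return {href: assess_link(href, text, trusted) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", reasons or "no flags")
```

Running it flags the first two links and leaves the genuine statements link clean. The checks are heuristics, which is exactly why the post's next point matters: when a link passes every automated test, an out-of-band phone call is still the stronger confirmation.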
Now, how about with generative AI? You saw the email it came out with above. That was pretty good.
Always Call And Confirm
So one of the first things we should be encouraging people to do is call. Use an out-of-band communication to confirm that this is in fact a legitimate email and a legitimate campaign. For instance, if the email says, here's the phone number, I'm going to ignore that. What I'm going to do is say, if you're my bank, I know my bank's phone number, or I'm going to go and look it up independently. And I'm going to call the bank and say, did you send me this email? Should I click on this? And if they confirm it, okay, that's a little bit different.
This is one of our best defenses against phishing: an out-of-band confirmation, like a call. Another thing we should all unlearn is the item that was number one on the other list, looking for bad grammar. You saw the phishing email that generative AI. Another thing we need to do is expand the forms in which we expect to see phishing coming in.
Vishing Attack
One type of this is called vishing. In a vishing attack, the attacker uses voice. So maybe there's a deepfake, an imitation of someone's voice, making a phone call to you and telling you to do certain things. You think you recognize the voice, but you're actually not talking to that individual. So we have to use the same kind of mindset, the same kind of critical thinking, and make a call back. Okay, if this is really you, I'm going to call you back at the well-known, publicized number and see if I reach the same person there.
Smishing Attack
Another form of phishing attack is the SMS form of it, called smishing. In a smishing attack, a text message comes along in an SMS containing a link with instructions, and when I click on that, I end up with the same effect. So, in both of these cases, it's the same type of attack, just using a different vector. Another thing that can really help here is better use of identity and access management capabilities. One of the things phishers often do is try to steal your password. How about if I don't have a password? How about if I use a passwordless authentication capability, using something like passkeys from the FIDO standard? That is something I expect we'll see more of.
No one can steal your password if you don't have a password in the first place. And then I can make it stronger if I use multi-factor authentication: not only something you know, but something you are and something you have. Combine all of these together, and now when someone tries to steal certain information about you, they won't have all of the other things, like your actual face to unlock a system with, or the particular phone that was registered in advance. So this makes it harder on the phisher as well. Ultimately, we have to keep adapting.
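The reason passkeys resist phishing, rather than merely making the password harder to guess, is that a FIDO credential is scoped to the site that registered it and the signed login assertion covers the origin the browser actually reports. The following added example (not code from the original post, and not a FIDO implementation) models that in plain Python: the `ToyAuthenticator` and `ToyRelyingParty` classes, the `examplebank.com` and `examplebank-login.net` names, and the use of HMAC in place of the real public-key signature are all assumptions made to keep the script stdlib-only. The three scenario functions show a legitimate login, a lookalike site relaying the bank's genuine challenge, and a captured assertion being replayed.

```python
import hashlib
import hmac
import json
import secrets


def origin_host(origin):
    """Extract the host from an origin such as 'https://www.examplebank.com'."""
    return origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()


def origin_matches_rp(origin, rp_id):
    """WebAuthn scoping rule: the RP ID must equal the origin's host or be a suffix of it."""
    host = origin_host(origin)
    return host == rp_id or host.endswith("." + rp_id)


class ToyAuthenticator:
    """Stand-in for a FIDO authenticator (e.g. phone or security key).

    Assumption: HMAC with a per-site secret replaces the real per-site key pair,
    so the 'signature' here is symmetric and shared with the relying party."""

    def __init__(self):
        self._keys = {}  # rp_id -> secret, one credential per site

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key

    def get_assertion(self, rp_id, origin, challenge):
        # The browser only releases a credential to a page whose origin matches its RP ID.
        if not origin_matches_rp(origin, rp_id):
            raise PermissionError(f"credential for {rp_id!r} may not be used at {origin!r}")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        tag = hmac.new(self._keys[rp_id], client_data, hashlib.sha256).digest()
        return client_data, tag


class ToyRelyingParty:
    """The site being logged into; verifies origin, challenge freshness and signature."""

    def __init__(self, rp_id, expected_origin):
        self.rp_id = rp_id
        self.expected_origin = expected_origin
        self._key = None
        self._pending = set()  # challenges issued but not yet consumed

    def enroll(self, authenticator):
        self._key = authenticator.register(self.rp_id)

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, client_data, tag):
        data = json.loads(client_data)
        if data.get("origin") != self.expected_origin:
            return False, "origin mismatch"
        if data.get("challenge") not in self._pending:
            return False, "unknown or replayed challenge"
        expected = hmac.new(self._key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        self._pending.discard(data["challenge"])  # one-time use
        return True, "ok"


def _setup():
    auth = ToyAuthenticator()
    bank = ToyRelyingParty("examplebank.com", "https://www.examplebank.com")
    bank.enroll(auth)
    return auth, bank


def legitimate_login():
    auth, bank = _setup()
    challenge = bank.new_challenge()
    client_data, tag = auth.get_assertion("examplebank.com", "https://www.examplebank.com", challenge)
    return bank.verify(client_data, tag)


def phished_login():
    """A lookalike site relays the bank's real challenge to a victim browsing the lookalike."""
    auth, bank = _setup()
    challenge = bank.new_challenge()
    try:
        auth.get_assertion("examplebank.com", "https://examplebank-login.net", challenge)
    except PermissionError as err:
        return False, str(err)
    return True, "unexpected: assertion released to wrong origin"


def replayed_assertion():
    """A captured assertion is submitted a second time."""
    auth, bank = _setup()
    challenge = bank.new_challenge()
    client_data, tag = auth.get_assertion("examplebank.com", "https://www.examplebank.com", challenge)
    return bank.verify(client_data, tag), bank.verify(client_data, tag)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("phished:   ", phished_login())
    print("replayed:  ", replayed_assertion())
```

The second scenario is the one that matters for the post's argument: even with the bank's genuine, fresh challenge in hand, the lookalike page cannot obtain an assertion for the bank's credential, because the scoping check happens on the victim's side before anything is signed. There is no secret the victim can be talked into typing, which is exactly what "no one can steal your password if you don't have one" means in practice.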
Conclusion
Phishing attacks are going to get more sophisticated and better over time. Remember the Nigerian prince? We've come a long way from that point, and it's only going to get better as generative AI improves and enables better types of attacks. One of my favorite sayings is: if you're satisfied with your security, so are the bad guys. So never be satisfied, always be on the defense, always be on the lookout. Thanks for reading. Please remember to share this post and follow this blog, so we can continue to bring you content that matters to you.