Natural language processing and advanced translation capabilities make generative AI an invaluable tool for hackers. AI-generated phishing emails may not be any more dangerous than human-generated scam content, though. What should users and security pros know about the role of AI in phishing and cyberattacks?
How AI Writes Phishing Emails
Reported phishing content rose by 61% from 2021 to 2022. From malicious URLs to email scams, phishing is becoming increasingly prevalent every year. AI is the latest tool hackers are adopting to advance phishing campaigns. While AI’s natural language processing is beneficial, hackers can leverage it to create more effective phishing content.
The availability of AI-as-a-Service platforms such as ChatGPT makes it easier than ever for anyone to generate content. A hacker could show a large language model AI thousands of examples of legitimate emails, then ask it to create original emails based on those. Natural language processing (NLP) allows the AI to comprehend and recreate realistic written content — a perfect tool in phishing attacks.
Ideally, the AI generates an original email that mimics a human-written email. The hacker can ask it to customize the message to include details about a particular company, person or place. The AI can even translate the message into a different language. Hackers can effectively create completely original, personalized phishing emails in mere moments, allowing them to pivot away from recycling one malicious email among many targets.
Are AI-Generated Phishing Emails Effective?
The possibilities of AI-powered phishing may sound intimidating, but are they more dangerous than human-created phishing content? The advantages of AI-generated phishing emails mainly come down to more efficient workflows for hackers.
Early research studies have shown AI-generated phishing emails are about equally as convincing as human-generated phishing emails. Hackers are also limited in their access to AI–as-a-Service platforms. Most big developers — including OpenAI — have safeguards to prevent illegal AI model applications.
The main advantages of AI for phishing hackers are efficiency and language. Using AI to generate scam emails is faster than manually writing them out, allowing hackers to create a greater variety of phishing emails. Additionally, they can target victims anywhere in the world, thanks to easily accessible AI translation tools with NLP capabilities.
So, AI-generated phishing emails increase the risk of phishing attacks but may not necessarily be more convincing than human-generated content.
How to Defend Against AI-Generated Phishing
AI is a helpful tool for hackers, but it’s not foolproof. Security technology and users can also advance their defense strategies as phishing attacks get smarter. Users should start by staying up to date about red flags of phishing content, as these will remain relevant even with AI-generated emails.
While it may get harder to detect phishing emails at a glance, certain security steps can minimize or eliminate the potential for phishing to cause damage. Plus, new detection technologies can catch both AI- and human-written malicious emails.
Switch to Cloud Storage
Changing to cloud storage is a great way to minimize the threat of phishing emails and cyber attacks. The isolated nature of conventional data storage makes it highly vulnerable to exploitation by hackers. All a hacker needs to do is get control of one hard drive or server, and they can hold all of someone’s data hostage.
Cloud storage dodges this threat. Since the data doesn’t tie to any specific device, it’s much more difficult for hackers to delete or damage any information. Cloud-based cybersecurity can also improve resilience to hacking attempts.
For example, users can implement automated vulnerability scans to find weaknesses in their cloud security. This is great for preventing hackers from using backdoors or stolen credentials to access data in the cloud. Even if they do, it will be difficult for them to control any data fully since cloud storage is so dispersed.
Create a DIY Verification System
One DIY solution to help deter phishing messages of any kind is establishing a code system among trusted correspondents. This could include people like family, friends and co-workers. Any time those in the group email one another, they could write a specific code phrase to verify that the message is actually from them.
This code system doesn’t need to be overly complicated. The idea is simply to add a factor to emails a hacker or AI couldn’t reliably know beforehand. Make the code phrase something unusual so it's unlikely to be commonly found in an AI’s training emails.
For instance, the code could be the name of a phantom settlement, such as “Agloe, New York.” Phantom settlements are unlikely to appear frequently in emails since they are fictional places simply added to maps for copyright purposes.
Use AI Phishing Detection
Hackers aren’t the only ones using AI to innovate their methodology. Users and security pros can leverage AI models to detect phishing content, whether a human or an AI writes it.
For example, developers can use machine learning to monitor and track the natural communication patterns of legitimate email correspondents. If AI could rapidly learn an individual’s unique communication style, it could recognize fake emails that don’t match up. This applies regardless of whether a human or AI wrote the email.
One of the greatest strengths of AI-powered phishing is also a major flaw. Hackers can efficiently create believable fake emails with AI, but the communication style of those emails can’t be efficiently personalized. A hacker usually does not have the technical expertise or resources to train an AI to replicate a specific person’s writing style accurately. Phishing detection AI models can leverage this weakness to defend users.
Understanding the Risk of AI-Powered Phishing
AI can be a valuable tool for hackers when creating phishing emails. However, AI-generated emails are not necessarily more convincing than human-generated phishing content. The main red flags of phishing — such as urgent calls to action — remain relevant regardless of who or what is creating the phishing email. Users and security pros can adopt innovative techniques and technologies to protect their data from AI-powered phishing campaigns.