Identify Phishing Scams Generated from AI
In the past few years, generative AI has grown from a specialized branch of computer science worked on by relatively few people into a whole new branch of the computer industry, with the potential to disrupt every aspect of computing, from coding to word processing, from customer service to digital art. With all the opportunities offered by generative AI technologies, we are faced with many challenges as well. One of these challenges is that the same technologies are now available to hackers with bad intentions. One of the first fronts where we see this new technology being misused is in the production of new phishing scams.
A New Threat
Generative AI tools such as ChatGPT, capable of producing all manner of content, have opened the door for scammers to attempt much more sophisticated phishing attacks:
An AI-driven attack can contain more targeted content. Models can be trained to mimic the language use of a given profession, hobby, or industry. This can create copy that is both more personal to the victim and closely resembles legitimate communications from these sources.
In the past, many phishing emails could be recognized by clunky wording, typos and bad grammar. This is no longer the case: AI tools produce well-structured and grammatically correct content.
With the advent of deepfake technology, scammers can use samples of someone’s voice to impersonate them over the phone or in a voicemail.
Unfortunately, as generative AI becomes more sophisticated and widespread, phishing scams will also increase in sophistication and become harder to detect.
Detection of AI-Generated Phishing Attempts
However, no matter how sophisticated a phishing scam becomes, there will always be some signs that it is not legitimate. There are characteristics that all phishing attempts share, whether they are AI-generated or not:
They are unsolicited. A phishing attempt will almost always be an unexpected communication from a purportedly legitimate source.
There is a call to action. A phishing attempt is trying to get the victim to do something, such as click on a link, open an attachment, or even call a phone number.
Typically, there is a manufactured sense of urgency. Either something bad will happen (such as credit card charges or freezing of an account) if the victim doesn’t respond now, or the victim will lose out on something good (such as money owed to them or promotional discounts).
There are other signs that might be present if an e-mail is a phishing scam:
The sender has a suspicious e-mail address or domain. If there’s any mismatch between the sender and the purported source of the message, it is probably illegitimate. However, the absence of a suspicious address isn’t enough to legitimize an e-mail; some scammers are proficient at spoofing legitimate-looking sender addresses.
There are inconsistencies between this communication and earlier communications with the same source. For instance, you’ve always communicated with the executive assistant at a company, and suddenly their CEO is asking you for sensitive information. Or Amazon has never contacted you before to confirm a purchase, but is doing so now.
The URLs in the message are suspicious or obfuscated with a URL shortener. You should be suspicious of any links in an e-mail, but especially links that don’t go to the sender’s domain, short links that are just a bunch of random characters, or excessively long links.
The greetings are generic, referring to the reader as “customer” or “subscriber” rather than by name. This is typical of less-sophisticated mass e-mailings. If you receive an “important” notice from a company you do business with, and it doesn’t address you by name, be very suspicious.
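The sender, link, greeting and urgency signs listed above can be checked mechanically, which is how mail filters and security teams triage reported messages. The script below is an added example, not code from the original article: it parses a raw e-mail with Python’s standard library and flags each of the signs described above (display name that doesn’t match the sender’s domain, links pointing off the sender’s domain, URL shorteners, a generic greeting, urgency wording and a call to action). The two messages, the shortener list and the keyword lists are all constructed for illustration, and the brand check (first word of the display name vs. the sender domain) is a deliberately crude heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a phishing message of the kind the article describes.
SAMPLE_PHISH = """\
From: "Amazon Customer Service" <billing-alert@amaz0n-verify.example>
To: victim@example.org
Subject: Your account will be suspended in 24 hours

Dear Customer,

We detected unusual activity. Verify your payment details immediately
or your account will be locked: https://bit.ly/3xAmpl3

Amazon Support
"""

# Constructed sample: an expected, consistent message for contrast.
SAMPLE_LEGIT = """\
From: "Example Corp Billing" <billing@example-corp.example>
To: alice@example.org
Subject: Your March invoice is ready

Hi Alice,

Your invoice is available at https://portal.example-corp.example/invoices/1042
No action is needed before the usual due date.

Example Corp Billing
"""

# Assumption: a short, hand-picked list; real filters use much larger ones.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|locked|urgent|act now)\b", re.I)
ACTION = re.compile(r"\b(click|verify|confirm|update your|open the attachment|call)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear|hello|hi)\s+(customer|subscriber|user|member)\b", re.I | re.M)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def registered_domain(host):
    """Crude 'last two labels' reduction, e.g. portal.example.com -> example.com."""
    return ".".join(host.lower().split(".")[-2:])


def text_body(msg):
    """Collect the text/plain content of a parsed message (multipart or not)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message):
    """Return the list of phishing signs found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = text_body(msg)
    text = msg.get("Subject", "") + "\n" + body
    found = []

    # Sign 1: the brand named in the display name is absent from the sender domain.
    if display_name:
        brand = display_name.split()[0].lower()
        if brand not in sender_domain:
            found.append("display-name/sender-domain mismatch")

    # Sign 2 and 3: links that leave the sender's domain, or hide behind a shortener.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != registered_domain(sender_domain):
            if "link domain differs from sender domain" not in found:
                found.append("link domain differs from sender domain")
        if registered_domain(host) in URL_SHORTENERS and "url shortener" not in found:
            found.append("url shortener")

    # Sign 4: impersonal greeting typical of mass mailings.
    if GENERIC_GREETING.search(body):
        found.append("generic greeting")

    # Sign 5 and 6: manufactured urgency and an explicit call to action.
    if URGENCY.search(text):
        found.append("urgency wording")
    if ACTION.search(text):
        found.append("call to action")

    return found


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

No single sign is proof on its own (a real invoice may well contain a link and the word “confirm”), so a filter would weight and combine these indicators rather than block on any one of them; the point of the script is that every sign in the list above is observable in the message itself, whatever produced its prose.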
Despite the use of AI, the nature of phishing will always leave some tell-tale signs. We just need to have the awareness to see them.
What to Do
What do we do in the face of newer, more sophisticated phishing attempts?
First off, stay vigilant! Never just assume that an e-mail that is asking you to do something is legitimate, especially if it is unsolicited.
Never click on an unsolicited link or open an unsolicited attachment.
Never give out sensitive information to any entity that you haven’t initiated contact with yourself through a verifiable channel.
Contact the alleged sender through other, verifiable channels, to confirm the communication’s legitimacy.
When you get a communication that is a phishing attempt, you should take steps to notify someone. If you’re at work, notify your IT department. This is important because if you receive a phishing attempt at work, it is likely that your co-workers are being targeted by the same attack. The IT department can work to filter e-mails and notify the company at large of a potential threat. At home you can notify your ISP, which also works to improve its own filters for phishing attempts. In Outlook 365 there is a report button in the e-mail client that allows you to report phishing attempts directly to Microsoft. Google provides the same functionality in Gmail. You should also report phishing attempts to the entity being impersonated.
You can also report phishing attempts to the Anti-Phishing Working Group at [email protected] by forwarding phishing e-mails. (Note that if your e-mail client supports “forward as attachment”, use that, as it provides the APWG with more information about the e-mail.)
You may also have government bodies where you can report phishing. For example, in the U.S., you can report phishing attempts to the FTC at ReportFraud.ftc.gov.
What we know is that AI makes phishing much more of a threat. Even so, there are still tell-tale signs of a phishing scam. With vigilance we can avoid falling prey to them, and there are steps we can take if we are targeted.