In a recent research initiative spearheaded by Chief People Hacker Stephanie "Snow" Carruthers and her team at IBM X-Force, the efficacy of phishing emails took center stage. The study, conducted in collaboration with a prominent healthcare company in Canada, delved into the comparison between phishing emails written by humans and those generated by AI, specifically ChatGPT.
The experiment aimed to shed light on the success rates of these two approaches, with a focus on a more personalized and business-oriented perspective. While two other organizations initially intended to participate, concerns about the potential success of phishing emails led them to withdraw from the study, underlining the real-world implications of such threats.
Customizing social engineering techniques to target businesses was a pivotal aspect of the research. Carruthers and her team discovered that, contrary to expectations, human-crafted phishing emails exhibited a 3% higher click rate than those generated by ChatGPT. This finding raises significant questions about the prevailing assumptions regarding the effectiveness of AI-driven phishing attacks.
The research unveiled a striking revelation - leveraging a large language model (LLM) to compose phishing emails proved significantly faster than the traditional, time-consuming manual approach. Carruthers noted that the X-Force Red team spent approximately 16 hours on research and personalization, while the LLM reduced the task to a mere five minutes. The speed and efficiency of AI in generating convincing content pose a notable concern for businesses of all sizes.
In their experimentation, IBM researchers prompted ChatGPT to create a persuasive email mimicking an internal human resources manager, incorporating social engineering and marketing techniques. Meanwhile, the X-Force Red team crafted their own phishing email based on targeted research and experience. The results were enlightening - the human-generated phishing email outperformed its AI counterpart with a 14% click rate compared to 11%.
The researchers attribute the success of human-crafted emails to their ability to resonate with human emotional intelligence and their focus on specific programs within the organization rather than broader topics. This insight is crucial for small and medium-sized businesses looking to fortify their cybersecurity defenses against evolving threats.
Despite the experiment's findings, Carruthers emphasized that the use of generative AI in phishing attacks is not yet widespread. However, tools like WormGPT, a variant of ChatGPT, are available on the black hat market, indicating potential risks in the future.
X-Force recommends taking the following precautions to keep employees from falling prey to phishing emails:
- If an email seems suspicious, call the sender and double-check the origin of the email.
- Don’t assume all spam emails will have incorrect grammar or spelling; instead, look for longer-than-usual emails, which may be a byproduct of AI generation.
- Train employees on how to avoid phishing by email or phone.
- Use advanced identity and access management controls such as multifactor authentication.
- Regularly update internal tactics, techniques, procedures, threat detection systems and employee training materials to keep up with advancements in generative AI and other technologies malicious actors might use.
As phishing remains a prevalent vector for cybersecurity incidents, Carruthers recommends continuous vigilance and regular updates to internal security protocols. For businesses looking to bolster their defenses, adopting multifactor authentication and staying informed about advancements in generative AI and other technologies are imperative measures.