2023-12-31

Sending phishing emails, with the aim of getting users to open a malicious file or click a link that steals their credentials, is an increasingly common practice. Most scammers, however, are not very good at it, and the success rate is relatively low: in 2021, the average click-through rate for a phishing campaign was 17.8%.

Phishing emails generated by artificial intelligence: what you need to know

However, cybercriminals now have AI to write their emails, which could significantly improve their phishing success rates. Here is why.

The classic clues for recognizing a phishing email were:

1. It asks you to update or fill in personal information.
2. The URL shown in the email and the URL that appears when you hover over the link differ.
3. The "From" address imitates a legitimate address, especially one belonging to a well-known brand.
4. The formatting and design differ from what you usually receive from that brand.
5. The content is poorly written and may contain typos.
6. The message conveys a sense of urgency, pushing you to act quickly.
7. The email contains an attachment you weren't expecting.
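Several of the clues in the list above can be checked mechanically rather than by eye. The following Python script is an added example, not code from the original article: it parses a constructed sample message with the standard library and reports whether the display name claims a brand that does not match the sending domain (clue 3), whether any link's visible text names a different domain than its href (clue 2), whether the subject or body uses urgency language (clue 6), and whether the message carries attachments (clue 7). The brand allowlist BRAND_DOMAINS, the example domains and the urgency word list are assumptions made for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist mapping a brand name to the domain it legitimately
# sends from. Constructed for this example; a real deployment keeps its own.
BRAND_DOMAINS = {"acme bank": "acmebank.example"}

# Assumed urgency vocabulary; tune to the language your users receive.
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours?|suspended|act now)\b", re.I)


def build_sample() -> bytes:
    """Constructed sample message (not a real phishing email) that exhibits
    several of the classic tells at once."""
    msg = EmailMessage()
    msg["From"] = '"Acme Bank Support" <security@acme-bank-verify.example>'
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Urgent: verify your account within 24 hours"
    msg.set_content("Plain-text fallback.")
    msg.add_alternative(
        "<html><body>\n<p>Dear customer,</p>\n"
        "<p>Your account will be suspended. Act immediately:\n"
        '<a href="https://login.acme-bank-verify.example/auth">'
        "https://www.acmebank.example/login</a></p>\n</body></html>\n",
        subtype="html")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


class _LinkParser(HTMLParser):
    """Collects (href, visible text) for every <a> plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = ""
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        self.text += data
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _registered_domain(host: str) -> str:
    # Crude "last two labels" rule; adequate for the example domains here.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_of(text: str) -> str:
    t = text.strip()
    if not re.match(r"^https?://", t, re.I):
        t = "http://" + t
    return (urlparse(t).hostname or "").lower()


def analyze(raw: bytes) -> dict:
    """Run the classic phishing heuristics over one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0] if msg["From"] else None
    display = sender.display_name.lower() if sender else ""
    sender_domain = _registered_domain(sender.domain) if sender else ""

    # Clue 3: display name claims a brand, but the mail comes from elsewhere.
    expected = next((d for b, d in BRAND_DOMAINS.items() if b in display), None)
    brand_mismatch = expected is not None and sender_domain != expected

    # Clue 2: visible link text names one host while the href goes to another.
    parser = _LinkParser()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser.feed(html_part.get_content())
    link_mismatch = [
        (href, text) for href, text in parser.links
        if re.match(r"^(https?://|www\.)", text.strip(), re.I)
        and _registered_domain(_host_of(href)) != _registered_domain(_host_of(text))
    ]

    # Clue 6: urgency language in the subject or body.
    subject = str(msg["Subject"] or "")
    urgency = URGENCY.search(subject + " " + parser.text) is not None

    # Clue 7: attachments the recipient may not have been expecting.
    attachments = [p.get_filename() for p in msg.iter_attachments()]

    tells = [brand_mismatch, bool(link_mismatch), urgency, bool(attachments)]
    return {"brand_mismatch": brand_mismatch, "link_mismatch": link_mismatch,
            "urgency": urgency, "attachments": attachments,
            "tells_fired": sum(tells)}
```

Running `analyze(build_sample())` fires all four checks on the sample. The domain comparison deliberately uses a two-label rule; a production filter would use a public suffix list and a far larger brand table, and none of these checks covers the "poorly written" clue that the article argues AI has removed.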

While most of these still hold, a few can be crossed off the list now that attackers have AI.

When a scammer uses a Large Language Model (LLM) like ChatGPT, a few simple instructions are enough to make the email read as if it came from the impersonated sender. LLMs make no (or relatively few) grammatical errors, and they do not add stray spaces between words unless asked to.

Nor are they limited to a single language: an LLM can write the same email in any language you want, in the voice of a native speaker, and it also makes it far easier to tailor a phishing email to its intended recipient.

Overall, the work needed to create an effective phishing email has been drastically reduced, and the volume of phishing has grown accordingly: over the last year there has been a 1,265% increase in malicious phishing emails, and a 967% increase in credential phishing specifically.

Because of AI it has become much harder to recognize phishing emails, and filtering software misses most of them: according to email security provider Egress, 71% of AI-generated email attacks go undetected. So how do you recognize AI-written phishing emails?

Here are some ways to tell whether a text was generated by AI, mapped to the clues listed above:

Point 4: the formatting and design being different from what you usually get from a brand is still a very useful clue. Compare the email with previous communications you have from the alleged sender; inconsistencies in tone, style or vocabulary may indicate a phishing attempt.

Point 5: poorly written content is no longer a reliable clue, but AI phishing emails may still use generic greetings such as "Dear user" or "Dear customer" instead of addressing the recipient by name. Also look for generic or mismatched signatures that do not match the sender's usual one.

Point 7: an attachment you weren't expecting remains a clue. If you know the person who apparently sent the email but don't trust the contents, contact them through a different channel to verify that they actually sent it.

It is therefore important for organizations to have a clear reporting process and to actively follow up on reported suspected phishing emails. If employees never receive feedback on a report, they are less likely to report the next one; praise for catching a phishing email goes a long way, much further than the usual punishment and blame for clicking a harmful link.

Repetitive phishing training that does not match how users actually interact with email, and that gives them no adequate tools for dealing with ambiguous messages, is a waste of employees' time, money and patience.

And above all, make sure your own communications, internal and external, do not look like phishing attempts.