As artificial intelligence (AI) continues to advance, its applications are becoming increasingly sophisticated – and not always for the better. In the realm of cybersecurity, AI has become a double-edged sword. On one hand, it enhances security measures, aiding in detecting and neutralising threats. On the other, it provides cybercriminals with powerful tools to craft more convincing phishing emails, making it increasingly difficult for individuals to spot fraudulent attempts.
AI in Phishing: A New Level of Deception
Phishing scams have long been a threat, but AI has transformed the landscape significantly. AI-powered tools enable scammers to generate error-free, compelling emails that mimic the tone and style of legitimate organisations. These emails can be customised at scale to target individuals, making them highly personalised and more convincing.
To demonstrate, consider two emails presented below—one real and one fake. Both are crafted to appear as if they come from a reputable source, Microsoft, asking to verify account activity. However, the fake email contains subtle discrepancies designed to trick the recipient.
Can you spot the six differences between these emails?
Despite their sophistication, AI-generated phishing emails still leave subtle clues that can alert a discerning eye:
- Unusual sender email addresses: Always verify the domain name. AI might create convincing sender names, but domain spoofing can often be spotted if you look closely.
- Too-good-to-be-true offers: Be sceptical of emails making incredible offers or claims. If something sounds too good to be true, it probably is.
- Mismatched URLs: Before clicking on any link in an email, hover over it to see the actual URL. Phishing links may lead to websites that mimic legitimate ones but have slight variations in spelling or domain type.
- Requests for confidential information: Legitimate organisations will not ask for sensitive information like passwords or PINs via email.
- Urgent and threatening language: Phishers often try to create a sense of urgency to provoke immediate action. Be wary of emails pressuring you to act quickly.
To illustrate how easy it is for cybercriminals to use AI in creating phishing emails in any language, here is a fake security alert email generated with ChatGPT, first in English and then translated into French. My French is a little rusty, but I’m confident that ChatGPT has provided a fairly accurate translation that could be used to target French speakers. In the past, phishing emails were easier to spot because the phishers often weren’t native speakers of their victims’ languages, and their translations contained obvious spelling and grammar errors.
How to Protect Yourself from Phishing
- Educate yourself and others: Stay informed about the latest phishing techniques and educate your family and colleagues. Knowledge is your first line of defence.
- Use advanced email filters: Most email services offer filters that help detect phishing attempts by analysing whether emails come from trusted sources and checking for suspicious links.
- Implement multi-factor authentication (MFA): MFA adds an extra layer of security by requiring multiple forms of verification. This can significantly reduce the risk of unauthorised access, even if someone does fall for a phishing attempt.
- Regularly update your software: Keeping your operating system, browsers, and all security software up to date ensures you have the latest security patches, making it harder for phishers to exploit vulnerabilities.
- Back up your data: Regularly back up important data. If you fall victim to a phishing attack, you will have your data secured elsewhere, minimising potential losses.
Conclusion
The arms race between cybercriminals and cybersecurity professionals is ongoing, with AI playing a significant role on both sides. While AI helps phishers create convincing and personalised emails, the same technology also powers systems that protect us from those very threats. By staying informed and cautious, you can significantly reduce your risk of falling victim to these increasingly sophisticated attacks. Remember, vigilance is key – when it comes to cybersecurity, a moment of caution can prevent a multitude of problems.