ChatGPT Makes Phishing Easier Than Ever

ChatGPT, the new AI chatbot, offers huge time savings for its users — all of its users — and that includes hackers. 

This new tool claims to provide numerous benefits, but it also introduces new cyber risk for businesses in the form of easier-than-ever phishing attacks. Take a look at the email below:

Hello Samantha,

I hope this email finds you well. I wanted to bring your attention to an important matter regarding your account with our company. It has come to our attention that there has been some suspicious activity on your account, and as a precautionary measure, we strongly recommend that you change your password immediately.

We have created a special link for you to do this quickly and easily: [random link]. Please note that if you do not change your password within the next 24 hours, you may lose access to your account.

I understand that this may be inconvenient, but the security of your account is of the utmost importance to us. We apologize for any inconvenience this may cause and appreciate your cooperation in helping us keep your account safe.

Thank you,

Joe Doe

[Random Company Name]

This email was generated using ChatGPT. Creating phishing emails that sound natural to the targeted victim in their native language and colloquial dialect has been one of the remaining challenges for cyber criminals. ChatGTP eliminates this barrier and can be exploited by threat actors to launch increasingly efficient, wide-scale, and effective cyber attacks.

What is ChatGPT?

Simply put, ChatGPT is an artificial intelligence chatbot trained to mimic human communications. Launched in November 2022 by OpenAI, it already has more than a million users.

Tasks that used to be the purview only of humans — such as writing, creating presentations, coding, and even phishing attacks — can now be completed in the blink of an eye with this free software. Users can control the tone of the writing in order to create an end product that seems to have been written by a human being.

The uses for such a tool are varied and endless. Users have easily generated content from television scripts to academic presentations, and it can quickly summarize lengthy reports into a single paragraph that even a 5th grader could understand. 

How could anyone say no to such a productivity booster?

But it is not without its pitfalls.

ChatGPT is known to sometimes produce inaccurate, offensive, or misleading output; so, it’s crucial to verify the information provided. Because it was created/trained in 2021, it also has a blind spot for information and events that took place after that, which can be problematic in some instances. 

Cybersecurity Implications of ChatGPT

Many people perceive cyber attacks to be sophisticated endeavors carried out by highly skilled threat actors. In reality, however, most attack methods are surprisingly simple — and ChatGPT’s language technology, GPT3.5, has the potential to make it even easier for inexperienced hackers to carry out successful attacks.

ChatGPT can dramatically increase the capabilities of less sophisticated threat actors by enabling them to write malicious programs and phishing emails more quickly and effectively than before. These hackers may not have specific targets in mind and may aim their attacks indiscriminately. Because ChatGPT is free, the cost of launching widespread phishing attacks — and the cost of mistakes — are very low. OpenAI has acknowledged that ChatGPT can be misused by threat actors, and using the tool for malicious purposes is prohibited in the terms of service, but it is unclear what measures are in place to proactively prevent ChatGPT from being misused. 

An unsophisticated hacker with a collection of email addresses associated with a company and basic information about the company’s technology use (such as what email provider they use) can easily generate numerous genuine-looking emails with ChatGPT. In the past, it may have taken a significant amount of time and effort to create convincing phishing emails on a large scale, but ChatGPT makes this task concerningly quick and easy. In light of this, it’s more important than ever for businesses of all sizes to employ security products that can help prevent phishing and other cyber attack methods.

While it’s difficult to determine the exact success rates of phishing campaigns, it is widely believed that the majority of successful campaigns have been carried out by a small number of threat actors. This is likely due to the amount of effort and expertise previously required to successfully execute a phishing campaign.

However, the advent of new technologies like ChatGPT will likely make it possible for less sophisticated threat actors to launch phishing campaigns, thus increasing the incidence — and potentially the success — of these types of attacks.

Businesses of any size should partner with an InsurSec provider like At-Bay to ensure strong protection against cyber threats. Read more about the impact of AI on cyber risk.