Phishing 4.0: New level through AI

Dr. Matteo Große-Kampmann

Phishing 4.0: New level through AI

Phishing is still on everyone’s lips, and the threat landscape has changed for a number of reasons. Phishing is a type of digital attack that uses fraudulent emails or websites to trick users into revealing personal information such as passwords or credit card numbers.

Phishing attacks are often difficult to detect because they can mimic legitimate emails or websites. Now phishing attacks are becoming even more sophisticated, using artificial intelligence (AI) to assist. With the help of AI, attackers can create realistic and personalized phishing emails that are very difficult for even the most thorough users to detect. Attackers are constantly evolving their methods to stay one step ahead of users and businesses. As phishing attacks become more sophisticated, it is important to be vigilant and educate yourself and others on how to protect yourself from these threats.

Phishing 4.0 – A History

Phishing has been a growing problem since the beginning of the Internet, and we have written about the attack a few times on the blog as well. Regardless of whether we have conducted our own research on the subject of phishing or have drawn attention to particularly perfidious scams: The topic belongs to awareness like spinach to Popeye. But even before the Internet, there were scams. At that time, of course, not by e-mail, but by letter. Nevertheless, the past also shows that criminals were quite creative. However, due to ever faster networking and digitization, the business with criminal mails has become more and more scalable and has thus become a real plague. Spam filters and other security solutions keep trying to keep malicious emails out of inboxes, but the success is rather moderate. Also because criminals are constantly finding new methods and attack vectors to bypass these filters.

Artificial Intelligence – A Driver of Digitalization

Artificial intelligence (AI) is a branch of computer science that deals with the creation of intelligent agents. This means that systems should learn to think logically, learn and act independently anyway. Research is currently focusing on the question of how computers or programs can be created that are capable of intelligent behavior.

In practice, AI applications can be divided into different categories:

  1. Machine learning: This is a method of teaching computers to learn from data without being explicitly programmed.
  2. Natural language processing: This is about teaching computers to understand human language and respond in a way that is natural to humans.
  3. Robotics: This involves the use of robots to perform tasks that would otherwise be difficult or impossible for humans to accomplish.
  4. Predictive analytics: This is a method that uses artificial intelligence to make predictions about future events, trends, and behaviors.

The history of artificial intelligence is long and complex, dating back to the dawn of computer technology. The field of artificial intelligence was formally established at a conference in 1956 and has undergone a number of changes and developments since then. A current trend in artificial intelligence is GPT-3 (Generative Pre-trained transformer 3): GPT-3 is a machine learning platform designed to write text. The platform is currently capable of producing human-like texts and can even copy the style of a particular author. GPT-3 should also be able to understand the context of a text and produce text that is appropriate to the context. Of course, artificial intelligences are also vulnerable to attacks, but we’ll describe that in another blog post.

Phishing 4.0 – Artificial intelligence driving scale?

OpenAI is a company dedicated to research around artificial intelligence. OpenAI has now released an API that allows developers to harness some artificial intelligence features. OpenAI API is a platform that enables developers to equip applications with sophisticated artificial intelligence. The API provides tools and services that developers can use to train and deploy AI models. This API could now be exploited by attackers to formulate and send phishing emails in an even more personalized and, above all, completely automated way. The Playground can show how easy it is to do this.

So in Playground, all I have to do is enter for whom I want to write a phishing mail and the program will write me a plausible phishing message completely automatically. Of course, this can be completely automated via the API. All an attacker has to do now is insert a corresponding link and the phishing message is ready. This then only needs to be sent. Especially in combination with big data thefts, which also allow automated processing of mail addresses, names and other personal details, we need to be prepared for even better and scalable phishing waves. Especially when we pepper the message with more supposedly personal details, as seen in the video below:

How do I protect myself from Phishing 4.0?

There are a few things users can do to protect themselves from Phishing 4.0. They are not that different from the general tips on how to recognize a phishing message.

  1. Pay even more attention to domain and the sender name from which the email originates. This must be well forged or chosen for the message to appear truly authentic.
  2. Get informed: By reading this blog, you have taken another step: you should be aware that artificial intelligence is increasingly being used to create phishing emails, and even supposedly personalized emails can have a malicious purpose.
  3. Be aware that similar attacks exist for other types of communication, for example, phone calls, SMS messages and also chats.

As AWARE7, we are currently working on simple and individually applicable countermeasures. Even ones where you don’t have to rely on technology.

Photo of author

Dr. Matteo Große-Kampmann

My name is Matteo Große-Kampmann. Together with Chris Wojzechowski I founded AWARE7 GmbH in Gelsenkirchen. I completed my PhD on "Towards Understanding Attack Surfaces of Analog and Digital Threats" and am a trained ISO 27001 Lead Auditor.