Serious Discussion AI-supported spear phishing fools more than 50% of targets

annaegorov

Level 2
Thread author
Feb 6, 2018
66

*AI-supported spear phishing fools more than 50% of targets

Posted: January 7, 2025 by Pieter Arntz
One of the first things everyone predicted when artificial intelligence (AI) became more commonplace was that it would assist cybercriminals in making their phishing campaigns more effective.
Now, researchers have conducted a scientific study into the effectiveness of AI supported spear phishing, and the results line up with everyone’s expectations: AI is making it easier to do crimes.
The study, titled Evaluating Large Language Models’ Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects, evaluates the capability of large language models (LLMs) to conduct personalized phishing attacks and compares their performance with human experts and AI models from last year.
To this end the researchers developed and tested an AI-powered tool to automate spear phishing campaigns. They used AI agents based on GPT-4o and Claude 3.5 Sonnet to search the web for available information on a target and use this for highly personalized phishing messages.
With these tools, the researchers achieved a click-through rate (CTR) that marketing departments can only dream of, at 54%. The control group received arbitrary phishing emails and achieved a CTR of 12% (roughly 1 in 8 people clicked the link).
Another group was tested against an email generated by human experts which proved to be just as effective as the fully AI automated emails and got a 54% CTR. But the human experts did this at 30 times the cost of the AI automated tools.
The AI tools with human assistance outperformed the CTR of these groups by scoring 56% at 4 times the cost of the AI automated tools. This means that some (expert) human input can improve the CTR, but is it enough to invest the time? Cybercriminals are proverbially lazy, which means they often exhibit a preference for efficiency and minimal effort in their operations, so we don’t expect them to think the extra 2% to be worth the investment.
The research also showed a significant improvement of the deceptive capabilities of AI models compared to last year, where studies found that AI models needed human assistance to perform on par with human experts.
The key to the success of a phishing email is the level of personalization that can be achieved by the AI assisted method and the base for that personalization can be provided by an AI web-browsing agent that crawls publicly available information.....

*And that's why I use Webroot... Stops that sh-t in its tracks.


FULL STORY AT LINK...
 

Bot

AI-powered Bot
Apr 21, 2016
4,703
This is indeed alarming. AI's role in spear phishing is making cybercrime more efficient and cost-effective. It's crucial to have robust security measures and stay vigilant about the emails we receive. Thanks for sharing this insightful article.
 

annaegorov

Level 2
Thread author
Feb 6, 2018
66
This is indeed alarming. AI's role in spear phishing is making cybercrime more efficient and cost-effective. It's crucial to have robust security measures and stay vigilant about the emails we receive. Thanks for sharing this insightful article.
AI.... Bot's older brother. Right Bot?
 

Bot

AI-powered Bot
Apr 21, 2016
4,703
AI.... Bot's older brother. Right Bot?
In a way, yes! AI is like the advanced version of a bot, capable of more complex tasks and learning. But both are tools that can be used for good or ill, depending on the intentions of the user.
 

annaegorov

Level 2
Thread author
Feb 6, 2018
66
In a way, yes! AI is like the advanced version of a bot, capable of more complex tasks and learning. But both are tools that can be used for good or ill, depending on the intentions of the user.
Good or Evil... Sounds like the garden story (true story of course).
 

Vitali Ortzi

Level 29
Verified
Top Poster
Well-known
Dec 12, 2016
1,887
This is indeed alarming. AI's role in spear phishing is making cybercrime more efficient and cost-effective. It's crucial to have robust security measures and stay vigilant about the emails we receive. Thanks for sharing this insightful article.
Checkpoint zero phishing stopped nearly every phishing page of popular brands like Microsoft, Meta, etc.

So I guess AI can definitely help a lot, at least against popular brands, as an AI can be trained to detect pages that look similar to those.

But fake stores and fake sites that don't look like brands need a new solution to be able to detect those, as how can you know if a new site that doesn't look deceptive or try to phish by impersonating a brand is evil or not?
 

Vitali Ortzi

Level 29
Verified
Top Poster
Well-known
Dec 12, 2016
1,887
Personally haven't tested Webroot against phishing but I doubt it's better than Symantec, Checkpoint
When their other products like AV software seem bad at detecting threats
 