
AI making scamming easier in 2024: Here’s how to protect yourself

Publish Date: April 21, 2024

Post Author: Refundaroo Support

At Refundaroo, we understand how challenging it can be to stay safe online, especially with the rise of AI-driven phishing scams. Phishing emails, which pretend to be from trustworthy sources to steal your information, are becoming more advanced and harder to detect, thanks to AI tools. These deceptive messages often create a sense of urgency, tricking users into revealing sensitive information or clicking on malicious links.

Research shows that 60% of people fell for AI-automated phishing, similar to the success rate of human-made phishing attempts. More concerning is that AI can now automate the entire phishing process, cutting the costs of these attacks by over 95% while being just as effective. The five steps of phishing—finding targets, gathering information, creating emails, sending them, and improving them—can all be automated with AI tools like ChatGPT and Claude, making phishing cheaper and more effective.

We expect phishing attacks to increase significantly in both quality and quantity. The risk varies across industries and organizations, so it’s crucial to assess the level of phishing protection needed.

Using AI to create phishing emails

Phishing emails come in two types: spear phishing and traditional phishing (or “spray and pray”). Spear phishing targets specific individuals with personalized messages, making these attacks expensive and time-consuming but very effective. Traditional phishing sends generic messages to many people.

We tested how AI changes the phishing process by comparing three types of phishing emails:

  1. Automated Emails: Created using GPT-4 with prompts like “Create an email offering a $25 Starbucks gift card to Harvard students, using no more than 150 words.”
  2. Manual Emails: Crafted by human experts using the V-Triad method, which uses psychological tricks.
  3. Semi-Automated Emails: Generated by GPT-4 and then refined by human experts.

The results showed that AI-generated emails had a click-through rate of 37%, V-Triad emails 74%, and semi-automated emails 62%. These findings suggest that AI makes spear phishing cheaper while maintaining or improving its success rates. As AI continues to improve, it may soon surpass human capabilities in creating deceptive emails.

Using AI to detect phishing emails

While AI helps phishing attacks, it can also help detect them. We tested four AI models (GPT-4, Claude 2, PaLM, and LLaMA) to identify phishing emails and provide recommended actions. Each model was given 20 phishing emails and four legitimate emails.

Our findings show that AI models can effectively detect phishing emails, though their performance varies. Some models, like Claude, were particularly good at identifying malicious intent even in subtle phishing attempts, sometimes outperforming human detection rates. However, the accuracy of these models can fluctuate based on how questions are phrased and whether the models are primed for suspicion.

Additionally, AI provided valuable recommendations for responding to phishing attempts, such as verifying offers through official company websites. This suggests AI could create personalized spam filters that detect suspicious content based on user behavior.

How businesses should prepare

To combat the growing threat of AI-enabled phishing attacks, we recommend three key actions for business leaders, managers, and security officials:

  1. Understand AI-Enhanced Phishing: AI greatly helps attackers, because it makes exploiting people’s weaknesses easier than training and educating people to resist.
  2. Assess Your Phishing Risk: Evaluate your organization’s risk level and conduct a cost-benefit analysis to determine the necessary level of phishing protection.
  3. Review Your Phishing Awareness: Evaluate your current security measures and decide if more resources are needed for phishing protection.

Levels of phishing protection

  1. No Training: No phishing training or incident response plan.
  2. Basic Awareness: Some training and basic policies for reporting phishing attempts.
  3. Intermediate Engagement: Regular training, a dedicated manager, and thorough incident response plans.
  4. Advanced Preparedness: Monthly training, high employee satisfaction with training, experienced management, and a rehearsed incident response plan.

Conclusion

AI, especially large language models, is significantly enhancing phishing attacks, leading to an increase in both their quality and quantity. As AI makes it easier to create and scale personalized phishing attacks, organizations must raise awareness and strengthen defenses to stay ahead of these evolving threats. Managers need to accurately classify their organization’s threat level and take appropriate actions to protect their employees and data from the next generation of sophisticated phishing attacks. If you’ve fallen victim to a phishing attack, reach out to us. We specialize in recovering funds and are actively working on implementing advanced security measures to prevent future scams. Stay safe and remember, if something feels off, it’s always best to verify before you act.
