Cybercriminals are turning to ChatGPT to generate highly convincing phishing emails, researchers have warned – so how can netizens spot the scams?
Cybersecurity firm Norton warned that criminals are turning to AI tools like ChatGPT to create “bait” to rob victims.
SCROLL DOWN FOR THE GUIDE
AI tools like ChatGPT make it much harder to spot scams (Alamy)
A report in New Scientist suggests that using ChatGPT to generate emails could cut costs for cybercrime gangs by as much as 96 percent.
ChatGPT also completely eliminates the language barrier for cybercriminal gangs around the world, warns Julia O’Toole, CEO of MyCena Security Solutions.
O’Toole said there are still ways to detect fraudulent emails generated by AI tools, but technology makes detecting fraudulent emails much harder.
She said: “Phishing has increased sharply since email scams first hit inboxes, but a lack of language and culture knowledge is still a major barrier for scammers who struggle to make their emails realistic.
“While they were still duping innocent people, many netizens were able to spot the fake and delete it.
But those days are over, she said.
ChatGPT is the “hottest topic” on the dark web right now, according to O’Toole, as cybercriminals figure out how to use it to scam victims.
Protections are built into ChatGPT to prevent it from being used in scams – but criminals are working on how to circumvent them.
She said, “ChatGPT’s quality and speed of execution make it a powerful productivity hack.
“Now criminals can multiply complex phishing campaigns and generate emails with higher chances of success faster.”
O’Toole warns that ChatGPT’s ability to generate accurate content means it can effectively impersonate anyone – and warns that AI tools that can access internet content could potentially become a “weapon of cyber mass destruction”.
She said: “Hackers can use ChatGPT to trick people into giving up their usernames and passwords for their online accounts, or it can trick people into sending money or giving out personal information to criminals while believing it is for legitimate purposes.
Cyber criminals can use complex prompts to gather the information needed to launch a “bespoke” cyberattack, she warned.
“When criminals use ChatGPT, there are no cultural barriers. When the target receives an email from their “apparent” bank or CEO, there is no linguistic evidence that the email is fake.
“The tone, context and reason for completing the bank transfer do not indicate that the email is a scam.”
Since its launch in November 2022, ChatGPT has captivated the cybercriminal community.
Posters on notorious cybercrime forums have discussed using the bot to create malware and even create new dark web marketplaces for selling stolen credit cards and other illegal goods.
There are several fake ChatGPT apps out there that collect user data – and cybersecurity provider BitDefender discovered a phishing scam that redirected users to a fake ChatGPT to collect banking details.
Cybersecurity provider Norton warned that phishing emails are the tip of the iceberg – and that cybercriminals could use ChatGPT or similar software to create entirely fake chatbots to trick internet users out of their money.
According to analytics firm SimilarWeb, ChatGPT averaged 13 million daily users in January, making it the fastest-growing internet app of all time.
TikTok took about nine months to reach 100 million users after its global launch, and Instagram more than two years.
OpenAI, a private company owned by Microsoft Corp. is supported, ChatGPT made it available to the public free of charge at the end of November.
The five ways to spot AI-generated phishing emails
Detecting phishing emails generated by ChatGPT is much more difficult than detecting human-generated emails, says Julia O’Toole, CEO of MyCena Security Solutions.
Here are five ways to tell an email is a scam:
Hover over the email address to verify it
Julia O’Toole, CEO of MyCena Security Solutions
On a PC, you can mouse over a “Contact Us” link to see where your email is really going, says O’Toole.
For each suspicious email, hover over the email address and verify that it really is from the expected domain (ie website address).
O’Toole says, “Despite the sophistication of ChatGPT, the email addresses used by phishers remain the same, so if it looks suspicious, it probably is.”
Think of the context
If your bank or other institution asks you for information urgently, you should be alert immediately.
Think about the context – why do you need this information? Why now?
O’Toole says, “Banks and security-conscious institutions avoid putting their customers in situations where confidential information is immediately requested.”
Avoid hyperlinks
Hyperlinks to banking websites embedded in an email might seem like an easy way to do things – but a reputable bank will also allow you to call.
O’Toole says, “If you receive an email asking for personal information, never click the link. First verify its authenticity.
“For example, if your bank emails you asking for personal information, hang up and call the bank back using the phone number listed on their website.”
Pay attention to the artwork
ChatGPT may be able to create a clear copy, but criminal gangs don’t have access to the right digital assets.
That means everything from page headers to the links you’re supposed to click can look wrong.
O’Toole says, “Attackers often crop and paste images of a company straight from the web, but this distorts the image, making it look faded or blurry. Poor quality images or graphics in an email could also indicate a phishing attack.
Compare each email with the legitimate website
While ChatGPT is great at generating text, it’s not great at finer details that might indicate an email is malicious, O’Toole warns.
She says: “If you receive an email that worries you, go directly to the apparent sender’s website. Are there phrases or branding they use in communication? Are these details included in the email?’
If something looks suspicious, it probably is.