How AI is changing phishing scams

AI language models are the hottest tech of the year, rushing people to find new, exciting ways to use it to improve their day-to-day. But just as you can use fire to cook a meal or burn down a house, you can use AI to book a trip…or initiate a phishing attack. Brace yourself for the new era of phishing schemes; and they’ll only grow more sophisticated from here.

The evolution of ChatGPT

When OpenAI released ChatGPT in November 2022, it shook the world. It’s a free, open-use AI chatbot that produces text in a convincing manner. It knows what text to deliver based on scanning the internet and improves by learning from previous interactions. If you need help writing a cover letter for your job application, ChatGPT can write one for you. In March 2023, OpenAI changed the game by releasing a ChatGPT integration, meaning people can freely use this tech in conjunction with other products. For example, an airline can integrate ChatGPT into their help support system to answer questions for customers looking to change their flights. Or Microsoft can integrate AI into Bing and Edge to enhance your browsing experience. These are just some of the ways people can use AI chatbots for good.

Microsoft Defender

Stay safer online with one easy-to-use app¹

¹Microsoft 365 Personal or Family subscription required; app available as separate download

Learn More

New threats posed by AI

Scammers see AI tech as a gold mine for phishing. You used to spot a phishing email a mile away just from its brevity and grammatical mistakes. Not anymore. ChatGPT understands about 20 languages, so cyber criminals can create more in-depth, grammatically correct emails in a variety of languages that are harder for both spam filters and the average individual to catch. And email is just the beginning.

Spear phishing with AI

Generally, regular phishing attacks prioritize quantity over quality and involve generic messages sent to unsuspecting victims with the aim to steal sensitive information. Due to the poor quality of the message and lack of details, most spam filters and individuals can easily spot these malicious emails and avoid them. On a small scale, phishing isn’t very successful, but on a large scale, the one or two victims that fall for the scheme make it worth it. In contrast, spear phishing attacks use carefully cultivated information related to the target to phish for sensitive data, usually in the form of an email, text, or phone call. The ratio of spear phishing successes to failures is much higher but doesn’t yield as many results on a large scale due to the time needed to implement a spear phishing attack—that is, until AI came along.

“Scammers see AI tech as a gold mine for phishing schemes.”

When you combine spear phishing with AI technology, you create shocking results. Scammers who hoard breached data from hacked websites can use AI technology to read that data and organize it into a highly targeted spear phishing attack. As an example, the scammer knows you visit a specific hospital and will send you an email claiming to be that hospital needing to verify your account information to pay for a bill, tricking you into handing over your credit card information to a scammer. Rather than a single cybercriminal tricking another individual into handing over private details with a targeted attack, a scammer can now train AI to do it for them. AI can then interact with individuals at a much wider scale, increasing success.

It’s not too long until spear phishing attacks resemble targeted ads. You know how you’ll be researching your favorite bands and suddenly you see ads for music festivals in your area? Real-time targeting phishing technology isn’t here yet, but it’s around the corner. Soon you may see a VIP festival ticket email in your inbox that looks legitimate but is an AI-generated phishing email aimed to steal your credit card information.

AI voice cloning tech

Like a scene from Terminator 2, voice cloning technology is here and criminals are using it to phish for your private information. Just from analyzing a small clip from an online video, scammers can replicate a voice to a chilling degree of accuracy and use it to call your loved ones pretending to be you. Let’s say your child is studying abroad for school. A scammer can duplicate their voice, pretend to be your kid, and say they got robbed and need your credit card info and other private data. At that moment, even the savviest of individuals might believe the scam and relay that info to criminals mistaking them for their child. Phishing scammers can use voice cloning tech in numerous ways, and they all involve deception, preying on the weak, and pulling at your heartstrings.

Arms race on AI technology and defense

Right now, tech companies find themselves in a bit of an arms race to release AI chatbot technology to compete with and improve upon ChatGPT. Tech companies like Microsoft stress the importance of moving into the future with responsible AI. Some have even called for a temporary halt on releasing AI technology for public use to allow time for companies to release AI to the public responsibly. Meanwhile, privacy and security companies race to develop techniques to identify AI-written phishing schemes. Since most AI use will be benign, they cannot just come up with a solution to flag any AI-created content—they need solutions to identify the source and goal of the content.

Fortunately, there’s a silver lining. Just as AI technology changed the game for phishing attacks, it has also changed the game for phishing defense. Machine learning has the opportunity to develop AI algorithms to identify real-time threats on devices and to approach cyber security in a predictive manner, rather than analyzing events after they’ve already happened. It can look for and analyze message context and identify anomalies that signal phishing attacks. Privacy and security developers are working hard to fight back.