Machine learning, Large Language Models (LLMs) and generative artificial intelligence (gen AI) are currently changing our lives in a variety of different fields. These new technologies are enabling surprising leaps in productivity by creating text and images that previously would have required considerably more time and effort with just a few simple prompts. Rudimentary tasks in particular will soon be able to be done entirely by artificial intelligence.
Unfortunately, these revolutionary programs can also be used for fraudulent purposes. In a previous article, we highlighted the risks of phishing attacks and best practices for protecting yourself against them. In the meantime, the situation has changed with the emergence of LLMs such as ChatGPT. It is now very easy to create texts that are flawlessly formulated – and therefore credible.
Studies by security experts such as the phishing-specialized company SlashNext have found that the number of phishing e-mails has skyrocketed by a staggering 1,265% since the launch of ChatGPT. We are therefore revisiting our best practices against phishing and providing an update on what has changed since the emergence of generative AI.
The five most common phishing methods
One of the best-known methods is sending (business) e-mails. Fraudsters present themselves as a legitimate organization like Facebook or a high-ranking executive in a company.
But the creativity of cybercriminals goes well beyond sending e-mails to random recipients, as demonstrated by the list of other common phishing methods below.
| Method | Description |
|---|---|
| E-mail phishing | Mass sending of e-mails claiming to be from legitimate organizations or executives. |
| Spear-phishing | Personalized attacks that use specific information about the target. |
| Whaling (CEO fraud) | Attacks targeted at executives such as CEOs, CFOs and COOs using their publicly available information. |
| Smishing (SMS phishing) | Fraudulent text messages demanding sensitive and other information. |
| Vishing (voice phishing) | Calls from people fraudulently claiming to be a credible institution or executive in order to solicit personal information or give instructions. |
Criminals attempt to gain access to login details and passwords both through mass e-mails and in a targeted fashion through text messages and phone calls.
Since phishing is not a new phenomenon, fortunately there are already some proven methods for protecting against it, many of which Internet users should be familiar with by now. But can they still hold up today despite the emergence of generative AI?
Artificial intelligence and phishing: what has changed?
There are various types of phishing e-mails in circulation. While advanced technologies like artificial intelligence are increasingly used to create phishing e-mails, there are still many “classic” phishing e-mails out there that often contain telltale giveaways such as grammatical and spelling errors. Nevertheless, the sharp rise in the number of phishing e-mails sent already gives an idea of how large language models affect frequency.
In conventional e-mail phishing, convincing texts can now be generated automatically and far faster than a person could write them. Without the telltale grammatical and spelling errors, the higher quality also increases the credibility of a phishing e-mail. Warning signs such as typos, language changes and unusual formulations can therefore no longer be regarded as dead giveaways for a suspicious e-mail.
Spear-phishing and whaling, in which artificial intelligence and machine learning are used to imitate a writing style with the typical formulations of a specific person, are even more nefarious. AI could use publicly accessible texts to learn a person’s style of expression and then replicate it. If successful, it can imitate the writing style of a supervisor or relative in order to initiate contact with an executive, an employee or a trusted person.
With enough learning material, it is possible to imitate a person not only in writing but also in the form of audio recordings and video material. This method is known as a deepfake: voices and faces are copied very realistically by AI and superimposed on other people.
There was a recent case of a successful attack on a company in Hong Kong. An employee received an e-mail demanding that various payments be made.
The employee’s initial skepticism was overcome in a subsequent video meeting in which a supervisor was imitated using deepfake technology. For the victim, it is very difficult to detect fraud in such a highly sophisticated attack. Fortunately, this scenario is still a rare exception: it is directed at an individual target and requires considerably more effort on the attacker’s part.
Current best practices against phishing attacks
So what can be done if all digital communications can potentially be manipulated in such a deceptive and realistic manner?
Most best practices against conventional phishing are still current and effective at preventing damage. Our phishing info page provides helpful tips and examples of the most common phishing e-mails that claim to be from Hostpoint AG.
The following points are more important than ever in preventing attacks, particularly in the business context:
- Basic rules: Don’t click links in suspicious e-mails or download their attachments, and never reply. Reputable companies will never ask you for your password.
- Be cautious: Don’t allow yourself to be pressured, whether by a deadline or by someone claiming to be a supervisor. If your gut feeling tells you something is wrong and you feel uncertain, don’t ignore it. Ask the sender in a quick verbal conversation whether everything in the message is correct. This is a good way to be sure when in doubt.
- Resilient processes: Establish processes in your company or department today that all participants can follow. Ensure that multi-factor authentication is active and that people only receive the authorizations they actually need. Obvious breaches of defined procedures can be a first warning sign of attempted fraud.
- Communication: Educate not only employees and colleagues but also friends and relatives about the risks. For emergencies, define a password that only insiders know. If a fraudster then attempts to apply pressure on an emotional level (money worries, an accident), they will have a lower chance of success even if their voice sounds deceptively real.
Found a phishing e-mail?
If you notice a suspicious e-mail related to Hostpoint, you can learn more at our phishing info page and report the incident to us at phishing-report@hostpoint.ch.
I fell for a phishing attack – what now?
If you’ve fallen victim to a phishing attack in a professional or a private context, you should take action right away.
- If the breach concerns a bank account or credit card, immediately contact your bank and have your cards blocked as quickly as possible. Do not delete the fraudulent e-mail or SMS, as it could be used as evidence later. Since this is a criminal offense, you should file a criminal complaint.
- Change your affected passwords using a different device.
- If you’re not already doing so, start using two-factor or multi-factor authentication whenever possible.
- To be on the safe side, run an anti-virus scan on the device to remove any malware that you might have picked up through the attack. This prevents other data, such as your new passwords, from being read and captured. In case of doubt, consult an expert who can help you.
In a company, fear of (professional) consequences and embarrassment often prevent targeted employees from reporting cases of fraud immediately or in good time. This costs valuable time, as it delays the initiation of necessary countermeasures.
The sooner IT managers are informed, the better. They can assess the situation and take appropriate action. This makes it possible to protect all areas and prevent major damage.
To ensure that all the prerequisites are in place, it is extremely important for companies to establish a positive error culture and actively motivate employees to report such cases without hesitation.
«Mutual trust and open communication are among the most important pillars on which IT security is based. When an incident occurs, the effectiveness and success of countermeasures largely depend on how quickly and honestly the experts in the IT department are informed and brought in.»
One very important insight is that even highly trained personnel can be tricked by a phishing attack. With the sophisticated and ever more technically complex fraud methods out there, there’s no shame in falling victim to a scam.
Artificial intelligence as a friend and assistant
While the groundbreaking developments in areas such as machine learning can be misused for fraudulent purposes such as phishing, this does not make them bad by definition. On the contrary, these technologies also offer important capabilities in the fight against cybercrime. Particularly in the areas of early detection of and defense against harmful attacks, artificial intelligence has been in use for years and will assume an even more important role as precision and efficiency increase.
At Hostpoint, employees are also regularly made aware of and trained to identify security risks. We also invest in additional security measures for our infrastructure on a continuous basis.
Other useful sources concerning the risks of phishing include the National Cyber Security Centre (NCSC), Swiss Crime Prevention and the Internet Security Alliance (iBarry). They regularly provide information about Internet risks and help users recognize and properly respond to the latest scams.