Chatbot Phishing Emails: What you need to know

Phishing has evolved in skill and complexity over the past few years. Proofpoint researchers have observed the evolution of phishing from threat actors spraying out thousands of emails in hopes of someone, somewhere clicking on a link to focused, sophisticated attacks against company employee login portals. In fact, a recent Proofpoint research found that 30% CISOs in KSA believe that smishing/phishing attacks are the most significant threat targeting their organisation.

You may have heard about a new chatbot technology, ChatGPT, that uses recent advances in artificial intelligence (AI) to create human-like conversations. As ChatGPT is free and available for widespread use, cybersecurity experts are looking at the risks of ChatGPT-generated phishing emails.

Proofpoint has long thwarted threat actors who use similar tools to construct phishing lures and its platforms are already blocking ChatGPT-generated phishing threats.

While chatbot spammers may generate text for the body of a phishing email, that’s only one part of the threat. Headers, senders, attachments and URLs are among the many other threat indicators.

ChatGPT isn’t changing the game for more targeted spear-phishing attacks, either. Although it can create extended prose in the style of famous authors, ChatGPT doesn’t have any specific information about how your colleagues write, which means ChatGPT is unlikely to improve highly targeted phishing attacks.

Ultimately, attackers may use ChatGPT to improve grammar or randomise attacks, but the nature of phishing threats is likely to stay the same. Robust detection systems, like those of Proofpoint, will continue to catch these chatbot scams.

How to avoid taking the bait.

It’s important to be vigilant and look for potential signs that an email may be a phish. Also, keep in mind that ChatGPT can only create text, not entire emails with logos and well-formatted, professional layouts.

In today’s evolving threat landscape, people must remain cautious and take part in regular training to stay safe and protected online.

Security awareness programs are instrumental in teaching people to look for many different aspects of messages and indicators of threats to avoid falling for a phishing scam, including:

• Not trusting the sender immediately, even if the message appears to be from a trusted source or brand
• Scrutinising the sender’s address and inspecting any links
• Looking for odd formatting or logos
• Not clicking on calls to action within the email, like “verify your account” or “log in now”
• Understanding that file-sharing links aren’t always safe

Chatbot generated phishing not only affects consumers or individuals but can also be the foothold a threat actor needs to get around the hardened corporate perimeter to be able to steal data and drop further payloads, including information stealers and ransomware. While user education reduces overall impact, there will always be a percentage of people that fall victim to the persistent and evolving threat of phishing. Therefore, having an ongoing and comprehensive cyber security awareness training in place is crucial to safeguard employees.