Phishing dates back to 1995, when a group of hackers targeted AOL web service provider, pretending to be employees in its chat rooms. Unsuspecting users were asked to reveal passwords compromising their AOL account safety.
Nearly three decades later, phishing is one of the most common hacking and social engineering methods. CNBC reports that phishing attacks grew by 61% from 2021 to 2022, amplified by the aftermath of Covid-19. However, the situation looks even worse in 2023.
New Phishing Method in 2023
New phishing emails appeared in December 2022, with a significant increase in January 2023. They exploit OneNote documents, a digital notebook from Microsoft 365 office application suite with a .one extension.
Most popular email service providers like Gmail, Outlook, or privacy-oriented Protonmail provide phishing protection by default. However, .one files appear to efficiently bypass email threat detection systems and are now used to spread malware.
Emails, including infected .one files, can be highly sophisticated, including well-researched content about specific machine parts in targeted industrial sectors. This hints at thorough preparation, and the chances of an unsuspecting employee downloading malware are dangerously high.
New vulnerabilities are one of the reasons contemporary phishing attacks are effective. However, that wouldn’t be possible without user data, and the revolutionary ChatGPT tool provides even more possibilities.
How Hackers Improved Phishing Attacks
Phishing is part of a broader social engineering scam category. These scams rely on human error as the weakest link in any cybersecurity system. Indeed, human error is the major cause of most data breaches, but what makes people fall victim to such scams?
Firstly, phishing emails have significantly improved with the rise of social networks. The first phishing attempts had very limited user data to work with. They often started with “Dear Ms.” or “Dear Mr.” and lacked credible details.
Currently, cybercriminals can scrape public social networks like LinkedIn or public Instagram and Facebook profiles and extract valuable information like first and last names, birth dates, employment history, demographic details, and more.
They fuel these details into phishing emails to make them much more convincing. Moreover, if they deliver the malware payload via discussed OneNote files and bypass email filters, employees will likely download them if they never underwent additional security training.
Grammar was another phishing email issue; many could tell a fraudulent email solely by numerous spelling mistakes. This problem was all but gone once ChatGPT became publicly available. Let’s see how it improves phishing scams.
ChatGPT and Phishing
There are two ways ChatGPT significantly improves phishing scams. Firstly, non-English speaking hackers can use it to produce convincing emails of flawless quality. Second, phishing scams involving mirror sites now require zero coding knowledge, as ChatGPT can write efficient front-end code. Here’s how it affects specific phishing scams:
- Social engineering. Hackers utilize social network and search engine user data and use ChatGPT to produce personalized emails. The placed fraudulent backlinks can lead to malicious mirror sites written by ChatGPT.
- Spear phishing. ChatGPT can produce in-depth content regarding specific topics (like financial accounting, healthcare, education, etc.), which is sent to appropriate business departments deceiving the reader it’s legitimate.
- Whale phishing. AI-powered technologies can recognize language patterns, which can be used to impersonate a person, like the firm’s CEO or other higher-up positions.
Personalized data and sophisticated automation tools are the two main reasons phishing is still an effective hacking method. Moreso, the lack of security training increases the number of successful phishing attempts and is the third reason criminals use it.
Phishing Security Education
There’s little to be done when hackers find new vulnerabilities like the OneNote example. However, cybersecurity employee training can go a long way.
Such training should include phishing identification methods, like backlink inspection and senders’ address spoofing. But it should also encompass cybersecurity software. For example, phishing is frequently used to obtain user credentials and gain unauthorized access to business accounts. Employees should learn to use multi-factor authentication whenever possible.
Furthermore, fully-developed password managers come with a data breach scanner that will alert whether their credentials were leaked online. They can immediately take action and secure the accounts before anything bad happens.
Lastly, phishing attack simulation will allow employees to test their knowledge, and those who fail can go through secondary training to fill in the gaps.
As the saying goes, we can expect things to get a little worse before it gets better. ChatGPT will undoubtedly increase phishing scams. However, if you take action to protect your business data, you will find there are numerous efficient ways to neutralize such scams.