IBM researchers said a ChatGPT-generated phishing email was almost as effective at fooling people as a man-made version.

  • ThatHermanoGuy@midwest.social · ↑ 1 · 1 year ago

    Why haven’t people learned yet to simply never click a link in an email? Even if it’s not malicious, it’s still trying to track you.

  • Bogasse@lemmy.ml · ↑ 1 · 1 year ago

    To be honest, phishing emails are so bad that I don’t see how any generational AI couldn’t be better. Just making less than two typos per sentence would be enough.

    Someone explained to me that it may be intentional that phishing emails are so bad as it acts as a pre-filter, then you only spend time and resources dealing with presumably very gullible people.

    • Artyom@lemm.ee · ↑ 0 · 1 year ago

      The typos are intentional. They filter out intelligent recipients who wouldn’t fall for the scam.

      • hedgehog@ttrpg.network · ↑ 1 · 1 year ago

        The typos have been theorized to be intentional (for that reason), but that isn’t the only theory, and afaik those theories aren’t based off conversations with the people crafting those emails.

        It’s also been theorized that phishing emails frequently have typos (intentionally) to lower people’s resistance to well-crafted phishing emails, particularly spear phishing.

        There’s also the fact that many phishing emails are crafted by people for whom English is not their first language, and even given that, phishing emails are still better written than spam emails, so it’s quite likely that in many cases it isn’t intentional at all.

  • Moobythegoldensock@lemm.ee · ↑ 0 · edited · 1 year ago

    And crafting a carefully targeted phishing email took a human team around 16 hours

    Ummm what? Back in college, I used to budget 30-45 minutes a page for essays. What the hell are they writing that took a team of people 16 fucking hours for a few paragraphs of text?

    • a1studmuffin@aussie.zone · ↑ 1 · 1 year ago

      A targeted phishing email is usually pretty sophisticated and requires days or weeks of research. For example, you might send an email pretending to be from someone’s IT department regarding a hardware audit, and ask a user to report back with the barcode sticker on their laptop, providing them with a photo of an example tag in similar format. You’ll pretend to be a specific individual at the company, or a contractor the company actually uses, and show knowledge of the internal software and hardware, and refer to other real employees by name/email to establish trust. Most of this data will be scraped from publicly available sources like LinkedIn profiles, job listings, and photos shared on social media by employees. This process is called OSINT (Open-Source Intelligence) and it’s a fascinating rabbit hole to read about. Targeted phishing attempts are much, much more sophisticated than the ones you’ll see in spam email.