The Ultimate Showdown: AI Phishing vs. Human Social Engineers

The Rise of AI in Phishing: How Does AI Phishing Compare to Human Social Engineering?

Artificial intelligence (AI) has begun to make its way into the world of phishing, raising concerns about the potential for more dangerous and effective attacks. A recent study conducted by IBM’s X-Force Red aimed to objectively compare AI-generated phishing emails to those created by human social engineers. The results showed that while AI can produce phishing emails at a faster rate, human social engineering currently remains more effective. However, there are important considerations to keep in mind.

A Competitive Test: AI vs. Humans

The study conducted by IBM’s X-Force Red involved testing an AI-generated phishing email and a human-generated email on employees of a healthcare firm. The AI phish was developed using ChatGPT, and the human phish was crafted by experienced human social engineers. The results showed that AI can produce a phishing email in a significantly shorter amount of time than human engineers. However, the human-engineered phishing email had a higher click rate and was reported as suspicious slightly less often than the AI-generated email.

The Human Advantage: Emotional Intelligence, Personalization, and Effective Headlines

Stephanie Carruthers, IBM’s Chief People Hacker, highlighted three major factors contributing to the current superiority of human social engineering over AI phishing. Firstly, humans possess emotional intelligence, the ability to understand and tap into emotions in ways that AI cannot. This allows human social engineers to weave narratives that are more compelling and seem more realistic, making recipients more likely to click on malicious links. Secondly, humans are skilled at personalization, tailoring messages to specific recipients to increase their effectiveness. Lastly, human engineers excel at creating succinct and attention-grabbing headlines that pique recipients’ curiosity.

The Close Results and Future Potential of AI Phishing

While human social engineering appears to be currently more effective than AI phishing, the results of the study were fairly close. The human phishing email achieved a 14% click rate, while the AI phishing email achieved an 11% click rate. Additionally, 52% of the human emails were reported as suspicious, compared to 59% of the AI emails. These results indicate that AI phishing has the potential to become more dangerous in the future as AI technologies continue to improve.
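As an added illustration (not code from the article or from the IBM study), the script below computes click and report rates for two phishing-simulation campaigns and runs a two-proportion z-test to show how close the 14% vs. 11% and 52% vs. 59% figures are. The 100-recipient cohort size per campaign is an assumption; the article gives only percentages.

```python
"""Compare two phishing-simulation campaigns (e.g. AI- vs human-written lures)
by click rate and report rate, and check whether the gap is statistically
meaningful with a two-proportion z-test (normal approximation).

Added example, not from the IBM study. The recipient counts below are an
ASSUMPTION chosen for illustration; the article reports only percentages.
"""
from math import erf, sqrt


def rates(recipients: int, clicked: int, reported: int) -> dict:
    """Per-campaign metrics as fractions of recipients."""
    return {"click_rate": clicked / recipients,
            "report_rate": reported / recipients}


def two_proportion_z(x1: int, n1: int, x2: int, n2: int) -> tuple:
    """Return (z, two-sided p-value) for H0: p1 == p2 using the pooled estimate."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    p = 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))  # two-sided N(0,1) tail
    return z, p


# Constructed cohort: 100 recipients per campaign (assumption), with counts
# chosen to reproduce the article's 14% / 11% clicks and 52% / 59% reports.
HUMAN = dict(recipients=100, clicked=14, reported=52)
AI = dict(recipients=100, clicked=11, reported=59)


def compare(human: dict, ai: dict, alpha: float = 0.05) -> dict:
    """Summarise both campaigns and flag whether each gap is significant."""
    out = {"human": rates(**human), "ai": rates(**ai)}
    for metric in ("clicked", "reported"):
        z, p = two_proportion_z(human[metric], human["recipients"],
                                ai[metric], ai["recipients"])
        out[f"{metric}_p_value"] = p
        out[f"{metric}_significant"] = p < alpha
    return out


if __name__ == "__main__":
    for key, value in compare(HUMAN, AI).items():
        print(key, value)
```

With cohorts this size neither gap reaches the conventional 5% significance level, which is the quantitative sense in which the two campaigns were "fairly close"; larger cohorts would be needed to separate them.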

Prompt Engineering: The Key to AI Phishing Improvement

One area with the potential for improvement in AI phishing is prompt engineering. Prompt engineering involves optimizing the prompts given to the AI system to generate a more compelling and realistic email. Carruthers spent hours refining the prompts used in the study, acknowledging that the initial attempts were subpar. However, she believes that she achieved the best possible prompts with current technology. Prompt engineering can greatly impact the effectiveness of AI phishing and could potentially close the gap with human social engineering.

The Unknown Future of AI Phishing

The big question remains: how much will AI improve over the next few years? This question encompasses two parts: the improvement of publicly available AI and the improvement of criminal AI. Publicly available AI must adhere to compliance guardrails, limiting its data sources to the surface web. On the other hand, criminal AI has no such restrictions and can combine data from the surface web and the dark web, potentially leading to highly personalized spear-phishing attacks.

Editorial: The Potential Challenges

The rise of AI in phishing presents several challenges and concerns. The current study showed that while human social engineering is still more effective, AI phishing is closing the gap and has the potential to become more dangerous in the future. This highlights the need for increased awareness and preparedness in combating phishing attacks.

First and foremost, organizations must continue to prioritize cybersecurity training and education for employees to recognize and respond appropriately to phishing attempts. Education should emphasize the importance of verifying the authenticity of emails and not clicking on suspicious links or providing sensitive information without proper authentication.

Additionally, organizations and individuals should invest in robust cybersecurity measures, such as email filtering tools and multi-factor authentication, to provide an additional layer of protection against phishing attacks. These measures can help detect and prevent malicious emails from reaching their intended targets.

From a broader perspective, as AI technology continues to advance, there is a need for ongoing discussions regarding the ethical implications and potential regulations surrounding its use in cyberattacks. Striking the right balance between leveraging AI for positive advancements while mitigating its potential for harm requires collaboration and proactive measures from technology companies, policymakers, and the cybersecurity community.

Advice for Individuals and Organizations

When it comes to combating phishing attacks, individuals and organizations should take the following steps:

  • Invest in robust cybersecurity measures, such as email filtering tools and multi-factor authentication.
  • Regularly update and patch software to ensure protection against known vulnerabilities.
  • Implement strong password management practices, including using unique, complex passwords and enabling two-factor authentication.
  • Be cautious and skeptical of unsolicited emails, especially those requesting personal or sensitive information.
  • Verify the authenticity of emails by independently contacting the sender through a trusted channel if in doubt.
  • Participate in ongoing cybersecurity training and education to stay informed about the latest phishing techniques and best practices for prevention.