UPDATED 07:00 EST / OCTOBER 24 2023


IBM study indicates near parity between human and AI phishing attempts

A new study released today by IBM X-Force reveals a sizable increase in artificial intelligence-assisted cyberattacks and in their capability relative to human attackers, emphasizing an urgent need for organizations to adapt and bolster cybersecurity measures.

The study revolves around a core experiment that pitted AI against experienced human social engineers to craft phishing emails. Using OpenAI LP’s ChatGPT, the researchers provided five tailored prompts to guide the AI to develop phishing emails targeted toward specific industries.

The results were remarkable, with generative AI models able to craft convincingly deceptive phishing emails in just five minutes. In contrast, expert human social engineers were found to take about 16 hours for the same task.

The AI-generated phishing emails were found to be nearly as effective as their human-created counterparts. Human engineers leveraged open-source intelligence to gather information and then used that information to craft emails with a personal touch, emotional intelligence and an authentic feel. The human-created emails also incorporated a sense of urgency. Despite these advantages, the AI’s performance in the test was close, underscoring its potential in this domain.

Stephanie Carruthers, global head of innovation and delivery at IBM X-Force, wrote in the study that the results were so remarkable that participants walked away.

“I have nearly a decade of social engineering experience, crafted hundreds of phishing emails and I even found the AI-generated phishing emails to be fairly persuasive,” Carruthers explained. “In fact, there were three organizations who originally agreed to participate in this research project and two backed out completely after reviewing both phishing emails because they expected a high success rate.”

Although humans narrowly secured victory in the experiment, the study notes that the emergence of AI in phishing should not be underestimated. The fact that AI tools with phishing capabilities are appearing in various forums speaks volumes about the future landscape.

The study makes several recommendations that businesses should consider to improve their digital defenses against the rise of AI-generated phishing. The first is the need for verification, especially when employees encounter suspicious or unexpected emails. Rather than relying solely on digital evidence, employees should make a direct call to the sender to clarify doubts and prevent potential breaches.

The study further recommends that businesses revamp their training modules. The notion that phishing emails are identifiable mainly through poor grammar and spelling errors, as they have been in the past, should be replaced with more nuanced training. Incorporating advanced techniques such as vishing (voice-based phishing) in employee training can also offer a more comprehensive defense strategy.

The study also suggests that businesses should strengthen identity and access management systems, including adopting phishing-resistant multifactor authentication mechanisms to provide an additional layer of security.

“The emergence of AI in phishing attacks challenges us to reevaluate our approaches to cybersecurity,” Carruthers added. “By embracing these recommendations and staying vigilant in the face of evolving threats, we can strengthen our defenses, protect our enterprises, and ensure the security of our data and people in today’s dynamic digital age.”
