It’s never been easier to write convincing messages that trick you into handing over your money or personal data
ChatGPT has taken the world by storm, reaching 100 million users just two months after launch. However, media stories about the tool’s uncanny ability to write human-sounding text overshadow a potentially darker reality.
In the wrong hands, a powerful chatbot (now also built into the Bing search engine) and similar technologies can be abused by fraudsters and ultimately help “democratize” cybercrime to the masses. By providing a fairly inexpensive, automated way to create mass fraud campaigns, it could mark the start of a new wave of more convincing phishing attacks.
How cybercriminals can weaponize ChatGPT
ChatGPT is based on OpenAI’s GPT-3 family of “large language models.” As such, it has been painstakingly trained to interact with users in a conversational tone, wowing many with its naturalistic responses. It’s still early days for the product, but some early signs are troubling.
While OpenAI has built guardrails into the product to prevent its use for malicious purposes, they don’t always appear to be effective or consistent. For example, it has been claimed that requests to write messages asking for financial assistance to flee Ukraine were flagged as fraudulent and rejected, while a separate request for help writing a bogus email informing recipients they had won the lottery was given the go-ahead. Separate reports suggest that controls designed to stop users in certain regions from accessing the tool’s application programming interface (API) have also failed.
Type in a prompt and voilà! Criminals can also ask the tool to further modify such messages (most of which are still boilerplate) to their liking and exploit the output for attacks, both targeted and indiscriminate.
This is bad news for everyday internet users; indeed, cybercriminals have been seen utilizing ChatGPT for nefarious purposes on several occasions. These developments may put the ability to launch large-scale, persuasive, error-free, and even targeted cyberattacks and frauds such as business email compromise (BEC) into the hands of far more people than ever before.
Indeed, most (51%) cybersecurity leaders now expect ChatGPT to be abused for successful cyberattacks within a year.
One obvious conclusion is that we all need to get better at spotting the signs of online phishing scams and prepare for a potential spike in malicious emails. Here are a few things to watch out for:
Signs you might be reading a phishing email
1. Unsolicited contact
Phishing messages usually appear out of the blue. Granted, marketing messages from businesses can also arrive very suddenly. But when an unsolicited email claiming to be from a bank or other organization pops up in your inbox, you should automatically be alert to potentially suspicious activity, doubly so if it contains a link or attachment.
2. Links and attachments
As already mentioned, one of the classic methods scammers use to achieve their goals is to embed malicious links or attach malicious files to their emails. These may surreptitiously install malware onto your device or, in the case of a link, lead you to a phishing page where you will be asked to fill in personal information. Avoid clicking links, downloading files, or opening attachments in messages even if they appear to be from a known and trusted source – unless you have verified with the sender through another channel that the message is genuine.
3. Requests for personal and financial information
What is the ultimate goal of a phishing attack? Sometimes it is to persuade recipients to unknowingly install malware on their machines. But in most other cases it’s to trick them into handing over personal information. This is usually sold on dark web marketplaces and then aggregated to commit identity theft and fraud. That could mean taking out a new line of credit in your name, or paying for an item with your card details, for example.
4. Pressure tactics
At the heart of phishing is a technique known as social engineering, which is basically the art of getting other people to do what you want them to do through persuasion and the exploitation of human error. Creating a sense of urgency is a classic social engineering tactic – achieved by telling victims they only have a limited time to respond or they will be fined or lose their chance to win something.
5. Something ‘free’
If something looks too good to be true, it usually is. But that doesn’t stop people from falling for non-existent freebies all the time. A classic example is the generous ‘gift’ offered to people in exchange for participating in surveys, for which they must provide personal and/or financial information. Needless to say, the victim never receives the promised iPhone, gift card, money or other item.
6. The sender’s display name and domain don’t match
Phishers will often try to make their email address look like it’s from a legitimate source when it’s not. Hovering over the sender’s name, for example, will often reveal the actual email address that sent the message. If the two don’t match, and/or if the underlying address is a long string of random characters, there’s a good chance it’s a scam.
7. Unfamiliar or generic greetings
Phishing actors try to impersonate individuals from legitimate organizations in an attempt to build trust with their victims. But they may not always know the right tone to use when sending an email. If you’re used to being addressed by your first name by a company but then receive a more formal email, that should ring alarm bells, and vice versa. Also, no legitimate bank or other organization will ever send you email from an address that ends in @gmail.com.
8. Capitalizing on current events or emergencies
Another classic social engineering technique is to reference a major news story or emergency to persuade recipients to click. This is why phishing emails spiked during COVID-19, and also why criminals spread charity scams soon after Russia invaded Ukraine. Always be skeptical of messages citing current events.
9. An unusual request
Similarly, pay attention to emails where the sender makes an unusual request. For example, your bank may ask you to confirm personal and financial details via email or text, which a real bank would never do. Any email opening with “Dear customer” or “Dear (email address)” should also set alarm bells ringing.
10. Asking for money
Phishing is about harvesting personal information and/or installing malware. But some scams are even more direct. It goes without saying that you should never agree to hand over money to someone who sends you an unsolicited message, even if the payment is described as a “fee” to release a shipment or a cash prize.
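As an added example that is not part of the original article, the following Python script turns several of the warning signs above into simple detection heuristics that a mail filter or an awareness-training exercise could apply: the sender’s display name versus its real domain (sign 6), an organization writing from a free webmail address (sign 7), a generic greeting (sign 9), pressure language (sign 4), requests for personal or financial details (sign 3), requests for money to release a shipment or prize (sign 10), and links whose visible text names a different site than the one they point to (sign 2). The sample messages, the free-webmail domain list and every regular expression are constructed assumptions for illustration, not rules from any vendor product.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of free webmail providers a real bank would never send from (sign 7).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed patterns mirroring the article's warning signs (assumptions, not vendor rules).
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|member|valued|[^\s@]+@[^\s>]+)", re.I | re.M)
URGENCY = re.compile(r"\b(within \d+ hours|immediately|urgent(ly)?|act now|limited time|will be (suspended|closed|locked))\b", re.I)
CREDENTIAL_REQUEST = re.compile(r"\b(confirm|verify|update|provide)\b[^.\n]{0,40}\b(password|pin|card (number|details)|account details|social security)\b", re.I)
FEE_REQUEST = re.compile(r"\b(fee|payment|charge)\b[^.\n]{0,40}\b(release|unlock|claim|process)\b", re.I)
HTML_LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_findings(from_header):
    """Apply signs 6 and 7 to a From: header; returns a list of human-readable findings."""
    findings = []
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    local = addr.split("@", 1)[0]
    # Sign 6: the display name itself contains an address at a different domain.
    shown = re.search(r"@([\w.-]+)", display)
    if shown and shown.group(1).lower() != domain:
        findings.append(f"display name claims {shown.group(1)} but mail comes from {domain}")
    # Sign 7: something presenting as a bank/support desk writes from free webmail.
    if domain in FREEMAIL_DOMAINS and re.search(r"\b(bank|support|security|billing|service|team)\b", display, re.I):
        findings.append(f"'{display}' sends from free webmail domain {domain}")
    # Sign 6, crude version: a long mixed letter/digit local part looks machine-generated.
    if len(local) >= 12 and re.search(r"\d", local) and re.search(r"[a-z]", local, re.I):
        findings.append(f"random-looking local part '{local}'")
    return findings


def link_findings(body):
    """Sign 2: flag HTML links whose visible text names a host other than the real target."""
    findings = []
    for href, text in HTML_LINK.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        text = text.strip()
        text_host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        if "." in text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


def score_message(msg):
    """Return (number_of_findings, findings) for a dict with 'from', 'subject' and 'body'."""
    findings = sender_findings(msg["from"]) + link_findings(msg["body"])
    text = msg.get("subject", "") + "\n" + msg["body"]
    if GENERIC_GREETING.search(msg["body"]):
        findings.append("generic greeting (sign 9)")
    if URGENCY.search(text):
        findings.append("urgency / pressure language (sign 4)")
    if CREDENTIAL_REQUEST.search(text):
        findings.append("asks for personal or financial details (sign 3)")
    if FEE_REQUEST.search(text):
        findings.append("asks for money to release a shipment or prize (sign 10)")
    return len(findings), findings


# Constructed sample messages (hypothetical; the domains are placeholders).
PHISH = {
    "from": '"Example Bank <alerts@examplebank.com>" <k9x2p7q4m1z8b3n6@gmail.com>',
    "subject": "Action required: verify your account",
    "body": (
        "Dear customer,\n\n"
        "We detected unusual activity on your account. You must verify your card details "
        "within 24 hours or your account will be suspended.\n\n"
        '<a href="http://login-examplebank.example.net/verify">https://www.examplebank.com/secure</a>\n'
    ),
}
LEGIT = {
    "from": '"Example Bank" <alerts@examplebank.com>',
    "subject": "Your January statement is ready",
    "body": (
        "Hi Alex,\n\n"
        "Your January statement is now available in online banking. Sign in as usual from our "
        "website; we never ask for your password by email.\n\nExample Bank\n"
    ),
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, findings = score_message(msg)
        print(f"{name}: {score} finding(s)")
        for f in findings:
            print("  -", f)
```

Any single heuristic here produces false positives on its own (legitimate marketing mail also uses urgency), so the script reports a count and the reasons rather than a verdict; the point is that the signs the article lists are checkable even when the grammar is flawless.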
Grammar errors may be a thing of the past thanks to tools like ChatGPT. But luckily, there are plenty of other warning signs to alert us to possible scams. Take your time online, and always think about what would motivate someone to send you a particular message.