AI-Powered Chatbots Present Rising Social Engineering Threats
The rise of AI-powered chatbots, such as OpenAI’s ChatGPT, has brought both excitement and concern to the tech world. While these chatbots offer impressive capabilities to generate persuasive content and functional code, they also pose a significant risk of being exploited by cyber attackers for social engineering threats.
ChatGPT and similar generative AI tools have become a double-edged sword. While they empower users with their versatility, they also provide malicious actors with a powerful means to create convincing narratives and code, including social engineering attacks. This raises concerns about the potential impact on cybersecurity, especially in the realm of social engineering.
In the past, poorly written and grammatically incorrect emails were often a red flag for phishing attempts. Cybersecurity training emphasized spotting such anomalies to protect against potential threats. However, the emergence of ChatGPT has changed the game. Even individuals with limited English proficiency can now craft flawless messages in perfect English, making it increasingly difficult to detect social engineering attempts.
OpenAI has implemented certain safeguards in ChatGPT, but these are not impenetrable, especially in the context of social engineering attacks. Malicious actors can instruct ChatGPT to generate scam emails, which can be sent with malicious links or requests attached. The process is highly efficient, with ChatGPT producing professional-looking emails quickly, as demonstrated in a sample email.
Darktrace, a cybersecurity firm, reports a surge in AI-based social engineering attacks, attributing this trend to tools like ChatGPT. These attacks are becoming more sophisticated, with phishing emails becoming longer, better punctuated, and more convincing. ChatGPT’s default tone mirrors corporate communication, making it even harder to distinguish malicious messages.
Cybercriminals are quick to adapt and learn new techniques. There are reports of discussions on dark web forums about exploiting ChatGPT for social engineering purposes. Criminals in unsupported countries are finding ways to bypass restrictions and harness the power of ChatGPT. Attackers are able to generate numerous unique messages, evading spam filters that typically look for repeated content. Furthermore, ChatGPT aids in creating polymorphic malware, making it harder to detect.
While ChatGPT primarily focuses on written communication, there are other AI tools available that can generate lifelike spoken words, mimicking specific individuals. This voice-mimicking capability opens the door to phone calls that convincingly imitate high-profile figures, adding another layer of deception to social engineering attacks.
ChatGPT is not limited to crafting emails; it can also generate cover letters and resumes at scale, exploiting job seekers in scams. Scammers are taking advantage of the ChatGPT craze by creating fake chatbot websites claiming to be based on OpenAI’s models. These sites aim to steal money and harvest personal data.
As AI-enabled attacks become more prevalent, organizations must adapt to this evolving threat landscape. Here are some strategies that can help mitigate the risks associated with AI-powered chatbots and social engineering attacks:
1. Include AI-generated content in phishing simulations to familiarize employees with AI-generated communication styles.
2. Incorporate generative AI awareness training into cybersecurity programs, emphasizing the exploitation potential of tools like ChatGPT.
3. Utilize AI-based cybersecurity tools that leverage machine learning and natural language processing to detect threats and flag suspicious communications.
4. Employ ChatGPT-based tools to identify emails written by generative AI, adding an extra layer of security.
5. Always verify the authenticity of senders in emails, chats, and texts.
6. Maintain open communication with industry peers and stay informed about emerging scams.
7. Embrace a zero-trust approach to cybersecurity, assuming threats may come from both internal and external sources.
ChatGPT is just the beginning, and similar chatbots with potential for exploitation in social engineering attacks will likely emerge soon. While these AI tools offer significant benefits, they also pose substantial risks. Staying vigilant, investing in education and advanced cybersecurity measures are crucial in staying ahead in the ongoing battle against AI-enhanced cyber threats.
