
The Growing Use of AI in Phishing Campaigns

Updated: Dec 27, 2023


The growth of artificial intelligence (AI) has started to take over the technological world, and many individuals use it with good intentions; however, cybercriminals have recognised the potential AI has in aiding their criminal antics. Phishing campaigns have become one of the most recent concerns involving the use of AI: recent improvements in the technology have led to AI-generated phishing emails, which makes these scams very difficult to detect.


For example, Egress researchers published in their most recent report that AI detectors cannot tell whether a phishing email has been written by an AI system or a human 71.4% of the time. The reason for these results is that AI detectors are generally more accurate with longer samples, needing a minimum of 250 characters to work accurately. However, 44.9% of phishing emails fall below the minimum character requirement, hence the lower reliability of AI phishing email detection.


Furthermore, it is not only AI-generated phishing campaigns that we should be concerned about. The Egress researchers have reported that human-generated phishing emails are becoming harder to detect due to the growth in the sophistication of such emails. One of the emerging popular techniques is HTML smuggling, which involves embedding hostile code into HTML5 and JavaScript files in order to gain access to data within a system. Another way that cybercriminals take advantage of online users is by sending their phishing emails to accounts that receive a lot of ‘graymail’ (mail from official companies and brands involving promotions and offers). This gives a higher chance that these users will click on the scam email, and average phishing detectors find it harder to detect such emails due to the massive influx of graymail.
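As an added illustration (not from the Egress report or this article), the sketch below shows how a mail filter might score an HTML attachment for signs of HTML smuggling. The indicator list, the 200-character encoded-literal length and the threshold of 3 are assumptions chosen for the example, and both sample inputs are constructed.

```python
import re
from html.parser import HTMLParser

# Heuristic indicators chosen for this example (assumptions, not from the article)
INDICATORS = {
    "decodes_embedded_data": re.compile(r"\batob\s*\(|fromCharCode", re.I),
    "builds_blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\("),
    "forces_download": re.compile(r"\.download\s*=|msSaveOrOpenBlob|msSaveBlob"),
}
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # large encoded string literal

class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and notes any <a download> attribute."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.download_attr = False, [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "a" and any(name == "download" for name, _ in attrs):
            self.download_attr = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def smuggling_indicators(html):
    """Return the set of indicator names found in the attachment's inline scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    js = "\n".join(parser.scripts)
    hits = {name for name, rx in INDICATORS.items() if rx.search(js)}
    if LONG_B64.search(js):
        hits.add("large_encoded_literal")
    if parser.download_attr:
        hits.add("forces_download")
    return hits

def is_suspicious(html, threshold=3):
    # A single indicator is common in legitimate pages; several together are not.
    return len(smuggling_indicators(html)) >= threshold

# Constructed samples: an inert script fragment and a typical graymail body.
SMUGGLING_SAMPLE = ('<script>var d = atob("' + "QUFB" * 80 + '"); var b = new Blob([d]); '
                    'var u = URL.createObjectURL(b); link.download = "invoice.zip";</script>')
NEWSLETTER_SAMPLE = '<p>Winter sale: 20% off.</p><a href="https://example.com/offers">View offers</a>'
```

A score like this is a triage signal rather than a verdict: legitimate web applications also build Blobs and trigger downloads, so flagged attachments should go to quarantine or sandbox review.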


Phishing volumes, on average, have not increased, but we need to be careful of the new obfuscation and AI methods, which make it much easier for phishing emails to bypass security systems and cause security defences to be less efficient. Keep following the advice below, as staying vigilant and aware is one of the best ways to keep yourself and your data safe from cybercriminals.


  • Use Two-Factor Authentication (2FA): Enable 2FA wherever possible. This adds an extra layer of security even if your password is compromised.

  • Keep Software Updated: Regularly update your operating system, antivirus software, and other applications to ensure you're protected against known vulnerabilities.

  • Educate Yourself: Stay informed about the latest phishing techniques and trends. Universities often provide resources to help you recognise and report phishing attempts.

  • Verify Requests: If you receive an email requesting personal information or action, independently verify its authenticity by contacting the organisation directly through official channels.

  • Report Suspicious Emails: If you receive a suspicious email, report it to your university's IT department or the relevant authority. This can help protect others from falling victim.

You can report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk and report SMS scams by forwarding the original message to 7726.




