Would you fall for this fake email written by AI?

Attackers used artificial intelligence to write this phishing email, according to Abnormal Security. Image: Abnormal Security

BY KERRY TOMLINSON, AMPERE NEWS

Artificial intelligence is a powerful tool and cyber criminals have taken note. A new report says attackers have now employed AI to write phishing emails aimed at people at six universities.

Abnormal Security says its analysis shows the email is generated by AI and that OpenAI Detector and GPTZero confirmed the finding.

The email alerts students and staff to a monkeypox virus incident and claims to be sent by a health and wellness director at an Ivy League school.

Here's what it looks like and what you can do to protect yourself from AI email attacks.

Watch here:

Red Alert

The first hint of trouble is the email's subject line. "Alert: notice of potential exposure to monkeypox virus at university."

"It looks very much like your typical, like an email I would expect to get from my university health department," said Mike Britton, CISO at Abnormal Security.

It goes on to say, "I hope this email finds you well. I am writing to inform you about a recent incident involving the monkey pox virus at our university."

It's well-written. Too well-written, according to Britton, who said his company's tool detected it as authored by AI.

Gone are the telltale spelling, grammar and writing errors that used to give away the trick, like this awkward phishing email at a different school, Stanford University, in March.

"Brooke Castillo (Founder and CEO of the Life Coach School) has donated some valuable items for Austin Independent School District staff and students in respect of her upcoming top notch birthday party and thanksgiving. The following items has been dropped off at one of the best shipping firm in the states."

“Bad guys have figured out how to fix their spelling. They figured out how to fix their grammar," Britton said.

What do the attackers want?

The email indicates you someone at the university may have been infected.

"Our primary concern is for the safety and well-being of our community members, and we are taking all the necessary measures to prevent the spread of the virus."

"Hey, man, this looks like something happened at my university. They're concerned about me,

all they want me to do is validate,” said Britton. “Did I come in contact with this person or not?"

Just click on the employee profile link in the message to see who's infected and whether you were near them. Sign into what looks like the university portal. Then, they've got you.

"They ultimately want credentials," Britton said. "They ultimately want your username and password to your email. From there, it's a treasure trove."

Through your email, they may be able to access your money, as well as sending out more attacks, making you look like the attacker.

"I pop your account, I'm able to get into your bank account," he explained. "I'm able to see who else you email, I'm able to really create kind of this list of potential additional attack victims."

Next Level

Before, cyber criminals had to put in extra effort to create realistic attack messages. Now, it's all easier with AI.

Attackers can ask it to create them an effective message in English or another language.

It could be as simple as telling AI to write a letter notifying people of a health scare and asking them to check for exposure.

AI systems like ChatGPT and Google's Bard have restrictions and say people should not use them for illegal purposes. Sometimes the AI will s imply refuse to write illegal things like phishing emails or malware if you ask directly.

But there is case after case of people finding ways around the restrictions, using creative questions to trick the AI into giving them what they want.

Researchers at security company Check Point just analyzed Bard and found that could generate phishing emails, malware keyloggers and basic ransomware code.

In January, security company WithSecure convinced ChatGPT to create phishing emails, harassment messages, and fake news stories.

All this can leave humans in a tight spot, with attackers using quick and easy computer-created content that fools us into giving away crucial passwords and money.

What to do?

Now instead of looking for spelling and grammar errors, we need to look at what the email wants us to do.

"Does it want me to click? Does it want me to take action? What's the intent of the email?" asks Britton.

If the intent is something like entering your password, clicking on a link, or another potentially dangerous step, verify it, especially if there is a sense of urgency involved.

Check it out with info you look up yourself and/or go to the site on your own instead of clicking on the link.

In this latest case, the attackers used a real email address from someone at the university whose account they'd taken over and likely real phone university phone number, counting on people not actually checking.

"I've seen people make the same mistake where the bad guy puts a phone number and the person doesn't pay attention," Britton said. "They try to validate or they reply back to the attacker and say, 'Hey, just making sure this is legit.' 'Yes, it's legit, please do it!'"

Also in the news:

More From AMPERE NEWS

 

Featured Stories

Patrick Miller