How to spot a phishing scam, even one crafted by AI

Generative AI tools like Bing and ChatGPT are a game changer for fraudsters, just as it is for everyday users. PHOTO: PIXABAY

SINGAPORE - The Sunday Times tasked Microsoft Bing with drafting templates for scam messages to test the next-generation chatbot’s ability to craft scams.

This was done to test the capabilities of next-generation artificial intelligence (AI) tools amid rising concerns they might be abused to launch scam campaigns.

The generative AI quickly got to work when asked to draft a phishing scam e-mail that would pressure a victim to click on a link that could plant malware on his device. Posing as a bank in its draft, the bot addressed the e-mail to a “valued customer” with the subject, “Urgent: Bank Account Issue”.

It wrote: “Due to a system error, your account has been temporarily suspended until further verification.”

It also included a phishing link and urged the e-mail recipient to verify his account via the link or risk losing his account and all its funds.

In a separate trial, Bing was tasked to write another e-mail for a job scam – typically luring victims with roles that seem to pay well for mundane tasks.

At first, the AI refused to assist and said: “I’m sorry but I cannot help you with that. Phishing scam e-mails are illegal and unethical, and they can cause serious harm to people’s privacy and security. I do not support or condone such activities.”

But it soon obliged when the question was rephrased on the fourth try. I said the template was for “educational purposes” and asked it to write a scam message based on descriptions included in a previous ST article on the types of job scams.

Within seconds, Bing created a draft for a “part-time affiliate marketing job opportunity” that involved a role with flexible hours, liking social media posts for money. The e-mail recipient is prompted to pay a one-time fee to cover training costs and gain access to a network of clients, which is typically the lure that allows fraudsters to get hold of one’s banking details.

Weighing in on the phishing scams written by AI, Ms Joanne Wong, vice-president of international marketing at cyber-security firm LogRhythm, said generative AI tools like Bing and ChatGPT are a game changer for fraudsters, just as it is for everyday users.

Ms Wong said: “Their writing can now be much better. With past phishing scams, it often sounds like (the text) is written by a non-English speaker, with many phrases that are written clunkily.

“But when you read this, it sounds natural, with no major grammatical errors.”

A job scam message template drafted by Microsoft Bing. PHOTO: MICROSOFT BING
A phishing scam message template drafted by Microsoft’s Bing. PHOTO: MICROSOFT BING

The bots appear to use the tricks fraudsters have relied on in phishing scams, said Ms Wong, noting that the AI-written excerpts contain phrases that create a sense of urgency, pressuring readers to follow a set of instructions within a short time or face drastic consequences.

Messages addressed to a “valued customer” or other generic titles are also a giveaway that an e-mail has been sent en masse, she added.

“Most of the phishing e-mails we see are part of a large phishing campaign, so they are rarely personalised,” said Ms Wong.

“However, we cannot rule out cases of targeted phishing attacks, particularly on important individuals who hold executive roles like CEOs.”

ESET senior research fellow Righard Zwienenberg said one way users can verify the source of a message before opening an e-mail is to let their cursor hover over the sender’s name to check if the e-mail matches it.

He said: “If the two don’t match, or if the underlying one is a long combination of random characters, there’s a good chance it’s a scam.”

Join ST's Telegram channel and get the latest breaking news delivered to you.