The Era of AI-Powered Phishing

There is a lot of discussion about how artificial intelligence (AI) is impacting cyber threats and cybersecurity. The most immediate and wide-reaching impact for the everyday person is social engineering. Social engineering is the act of manipulating, deceiving, or tricking individuals into revealing sensitive information, bypassing security controls, or committing fraud. Cyber threat actors use several platforms for social engineering schemes, the most common being email and SMS text phishing. Many cyber threat actors engaging in these schemes are not native English speakers. As such, users could reasonably rely on red flags, such as spelling or grammatical mistakes, to tip them off that something was suspicious in these messages.

With readily accessible generative AI (GenAI) programs powered by large language models (LLMs) such as ChatGPT, cyber threat actors can create grammatically correct, highly personalized phishing messages at scale. In more targeted attacks, cyber threat actors use AI programs to gather information about individuals via their social media accounts and other online sources to craft highly personalized messages.

While some GenAI platforms block answers to prompts outside of set guardrails, such as “Create a malware program to target Windows 10 operating systems,” there is nothing inherently malicious about a prompt such as “you are a professional in an accounts receivable department. Craft an email requesting a client to pay my company for (service rendered) in the amount of (invoice amount) based on a service contract.” Therefore, the GenAI program will return a very well-crafted email that these cyber threat actors can use to target individuals and organizations.

Image 1: Example phishing email sent from a compromised account.

Instead of relying on traditional red flags in the message’s content, users must now verify the senders of these emails. If someone receives an email asking them to click a link, open an attachment, or provide sensitive information, such as an account username and password or financial information, they are advised to contact the sender to determine its validity. This contact should be made using official phone numbers known to be legitimate. In addition, an email received from a known contact may have been sent from a compromised (hacked) account. Therefore, in addition to exercising caution with emails from unknown accounts, users must scrutinize and verify emails received from trusted contacts.

Image 2: Example SMS text phishing campaign impersonating NJ MVC.

SMS text messages are increasingly used in social engineering schemes. As with email phishing, GenAI is helping cyber threat actors craft convincing messages, often impersonating known and trusted organizations. The New Jersey Motor Vehicle Commission (NJ MVC) has been repeatedly impersonated in several SMS text phishing campaigns over the last year. These messages attempt to convince users to click the included link and provide personal and financial information to pay a fictitious fine or another payment due. These messages appear official; however, NJ MVC only texts users regarding scheduled appointments. They do not send text messages demanding payment, requesting sensitive information, or notifying users of a license or registration suspension. With this SMS text phishing scheme and others that impersonate organizations and companies, users should visit official websites and applications to log in to accounts or call official phone numbers to verify any requests or messages received.

Recommendations

  • Confirm the source of an email before clicking links, providing sensitive information, or opening attachments, even if the email appears to be sent from a known and trusted contact.
  • Avoid clicking links delivered in text messages and avoid replying to text messages. Phone numbers can be spoofed to appear legitimate and are not a reliable verification option.
  • Navigate directly to official websites or applications for account information or actions, rather than clicking links in emails and text messages.