In 2023, generative Artificial Intelligence (AI), such as ChatGPT, took center stage in the technology world. While it has many useful applications within the security community, it also raises serious concerns. Specifically, how the rapid development of ChatGPT jailbreaking and malicious generative AI like WormGPT and FraudGPT could enable cybercriminals to create sophisticated phishing attacks at greater speed and scale. This concern is well founded, as phishing attacks continue to be one of the biggest cybersecurity threats facing organizations today. Consider two recent reports.
- The Anti-Phishing Working Group (APWG) observed 1,286,208 phishing attacks in the second quarter of 2023. This was the third-highest quarterly total that the APWG has ever recorded.
- SlashNext Threat Labs intelligence saw a 1,265% increase in malicious phishing emails since the launch of ChatGPT at the end of 2022.
Let’s look at recent phishing attacks that affected Manufacturing, Local Government, and Aerospace.
The Hershey Company
The American Manufacturer, Hershey Company, submitted a security notification to the Maine Attorney General’s office that a data breach occurred at the beginning of September 2023. The Hershey Company classified the incident as a phishing campaign. According to Hershey, the stolen data “varied from person-to-person,” but may have included personal information such as first and last names, health and medical information, digital signatures, contact information, driver’s license numbers, credit card numbers, and credentials for online accounts and financial accounts including routing numbers.
Dallas County U.S.A.
The CBS News Texas I-Team, reported that Dallas County became the victim of a cybercrime costing county taxpayers $2.4 million. How did it happen? A county employee received a phony email impersonating one of the county’s partners. The phishing email convinced the county employee to wire more than $2,000,000 USD to the bad actor. The county became aware of the incident on November 17, 2023. According to Texas state law, all government employees are to receive cyber security awareness training. The Texas I-Team News asked county officials if employees who received the phishing email received the state-mandated training, and as of their report they were still awaiting a response.
The U.S. Aerospace Sector
Researchers at BlackBerry recently uncovered a threat actor dubbed AeroBlade conducting espionage by targeting a U.S. aerospace organization via email spear phishing. During the first stage of the attack a targeted email was sent that had a malicious document. When the document was opened, it displayed text in an intentionally scrambled font, along with a “lure” message that requested the target to click it to enable the content in MS Office.
Security Awareness Testing and Education – More Vital Than Ever Before!
How jailbroken ChatGPT and malicious generative AI will affect the cybersecurity landscape in 2024 remains to be seen. However, it appears that cybercriminals could use these tools to create highly sophisticated phishing campaigns with greater speed and scale. That is why security awareness testing and education is more vital than ever before.
Test. Educate. Protect.
Effective phishing testing and education must go beyond the basics of looking for obvious spelling mistakes and poor grammar. It must also educate employees about the social engineering techniques cybercriminals use to exploit human vulnerability. How cybercriminals build rapport and trust, create a sense of urgency, or appeal to reward, guilt, and sympathy. At Social-Engineer our Managed Phishing Service applies scientifically proven methodologies to uncover vulnerabilities, define risk, and provide remediation. We designed it specifically to test, educate, and protect your human network from phishing attacks. Please contact us today for a consultation.