Humans Still More Effective Than ChatGPT at Phishing

Human social engineers have been observed to perform better than artificial intelligence (AI) programs at enticing potential victims to click on malicious links.

The claim is based on HoxHunt’s new research paper, which analyzed 53,127 emails sent to users in over 100 countries following a phishing training workflow.

Authored by Pyry Avist, co-founder and CTO of HoxHunt, the study found that professional red teams induced a 4.2% click-through rate compared to the 2.9% achieved with ChatGPT, outperforming AI by 44.8%.

“Interestingly, there are geographic differences in user failure rates between human and AI phishing simulations,” wrote Avist. “The difference in effectiveness between human and AI phishing attacks was greatest in the Swedish population. AI was most effective against respondents in the United States.”

HoxHunt revealed that the experiment was conducted prior to the release of ChatGPT 4, which is set to bring significant improvements to the model.

“Large-scale language models like ChatGPT can rapidly evolve and improve how to trick people into clicking,” said the study.

At the same time, Avist added that even as AI-enhanced phishing tools evolve, current human risk management must remain relevant.

“The more time people spend training, the less likely they are to fall for human or AI attacks. There is no need to reconfigure security training to address potential misuse of ChatGPT.”

According to Melissa Bischoping, director of endpoint security research at Tanium, potential measures to better protect against such attacks include raising awareness among employees to inform them about new technologies and trends in phishing tactics, including updates to training programs.

“Phishing recipients are often the first line of defense, but it’s important to invest in layers of defense as well, including email, DNS, network, and endpoint security monitoring and response capabilities.”

The HoxHunt survey comes just weeks after a BlackBerry survey in which a majority of security leaders in North America, the UK and Australia said they expect ChatGPT to be at the center of successful cyberattacks by the end of the year.
