One in five people click on AI-generated phishing emails, SoSafe data reveals
- Research from SoSafe reveals AI-generated cyberattacks are highly successful, with nearly 80% of humans opening AI-written phishing emails
- Generative AI tools can speed up phishing attacks by at least 40%, creating an even greater danger due to high scalability
Cologne, Germany, April 24, 2023 – Cybersecurity experts from SoSafe, Europe’s leading provider of security awareness and training, have long warned of the possibility that generative AI could write better phishing emails than humans can. Initial research* by SoSafe shows that this threat warning is justified: The data* revealed that AI-written phishing emails were opened by 78% of humans, with 21% going on to click on malicious content within (such as links or attachments).
What’s more, 65% of humans were tricked into revealing personal information in input fields on the linked websites by AI-generated emails. The data demonstrates that humans cannot distinguish AI-generated phishing emails from manually captured phishing attacks.
Compared with AI-generated phishing attacks, human-generated phishing emails got slightly more clicks in the study (27%), while open rates were the same for both AI- and human-generated phishing emails. Interaction rates were even higher for the AI-generated emails, as only 60% revealed additional data in human-generated cyberattacks.
Dr. Niklas Hellemann, CEO and Co-Founder of SoSafe, said: “What is remarkable is that our study was conducted based on the Chat GPT-3.5 model, with general themes and topics. Even with these basic AI-generated phishing templates, our data shows that people have difficulties recognising AI-generated phishing attacks. As the technology advances with more sophisticated models like Chat GPT-4 as well as scaled personalization, we expect attacks to become even more dangerous – because the greatest danger lies in the scaling potential.”
Generative AI tools speed up phishing attacks by at least 40%
Research from SoSafe’s social engineering team shows that generative AI tools can help hacker groups compose phishing emails at least 40% faster, meaning that even with simple AI-generated phishing attacks, cybercriminals can significantly increase their success rates.
AI also lowers the barrier to entry for spear-phishing on a large scale, which uses the preferences and habits of specific targets to create tailored attacks, because it enables scalable, personalised phishing attacks. AI tools can be fed personalised information that helps maintain the quality of spear-phishing attacks – even when the number of attack targets is high.
Generative AI tools also help cybercriminals come up with creative new ideas – for example, hackers can send bigger volumes of high-quality phishing emails across multiple languages much faster than before. Large-scale phishing attacks are therefore becoming more efficient – and more effective.
Dr. Niklas Hellemann said: “With the emergence of AI-powered ‘large language models’ and the resulting massive increase in scaling potential, the cyber threat landscape continues to intensify. First studies have shown that AI can already write better phishing emails than humans, and our data highlights the consequences, with one in five people already falling for AI-created phishing attacks.”
“And that’s just the beginning: as technology continues to evolve, cybercriminals will have access to even more options. We’ve already seen the jump from ChatGPT-3 to ChatGPT-4, which has taken scaling personalization to a new level. We are currently running initial tests based on those advanced technologies and expect additional results soon. It’s essential for organisations to keep pace with this evolution and help raise their employees’ awareness of cyber threats, the impact of new technologies to detect, as well as spotting and reporting attacks.”
*Response data from the SoSafe Awareness Platform, which anonymously evaluated approximately 1,500 simulated phishing attacks in March 2023 and analysed the probability of success of AI-generated phishing templates (n=747) compared to human-generated phishing templates (n=746). The AI-generated phishing templates have been built with the help of the Chat GPT-3.5 model without any personalized elements. SoSafe is currently working on further research leveraging advanced technologies like Chat GPT-4. Open rate is the average percentage of emails opened based on emails delivered. Click rate is the average percentage of how many delivered emails had content, such as links or attachments, clicked on. The interaction rate describes the proportion of people who disclosed further information (e.g. passwords) in input fields on a linked website.