Humans Still More Effective Than ChatGPT at Phishing
Human social engineers have been observed to perform better than artificial intelligence (AI) programs when trying to induce potential victims to click on malicious links.
The claims come from a new research paper by HoxHunt, which analyzed 53,127 emails sent to users in over 100 countries as part of its phishing training workflow.
The study, authored by HoxHunt co-founder and CTO Pyry Avist, suggests that professional red teamers induced a 4.2% click rate compared to the 2.9% achieved by ChatGPT, outperforming the AI by 44.8%.
“Interestingly, there is some geographical variance between user failure rates on human vs. AI-originated phishing simulations,” Avist wrote. “The greatest delta between the effectiveness of human vs. AI-generated phishing attacks was among the Swedish population. AI was most effective against US respondents.”
HoxHunt clarified the experiment was performed before the release of ChatGPT 4, which is set to bring substantial improvements to the model.
“Large language models like ChatGPT will likely rapidly evolve and improve at tricking people into clicking,” reads the study.
At the same time, Avist added that current human risk controls should remain relevant even as AI-augmented phishing tools evolve.
“The more time people spend in training, the less likely they’ll fall for an attack, human or AI. You don’t need to reconfigure your security training to address the potential misuse of ChatGPT.”
Potential measures to improve protection against such attacks include updating awareness training programs to inform employees about the emerging technologies and trends in phishing tactics, according to Tanium’s director of endpoint security research, Melissa Bischoping.
“While the recipient of a phish is often the first line of defense, it’s important that you’re also investing in layers of defense like email, DNS, network and endpoint security monitoring and response capabilities.”
The HoxHunt study comes weeks after a BlackBerry survey showed the majority of security leaders across North America, the UK and Australia expect ChatGPT to be at the heart of a successful cyber-attack by the end of the year.