ChatGPT, my thoughts, and phishing emails

Posted byMargaux Posted on8 February 2023 Comments0

Okay, Today, I’m on a roll, an article roll. Can’t and won’t stop.

Ladies and gentlemen… The second article of the day!

First, I’ll share my thoughts on ChatGPT (even though you did not really ask for it). Then, we’ll delve a little deeper into ChatGPT and its implication for phishing emails.

ChatGPT & intelligence

Last week, I was telling a friend about how awesome ChatGPT is, but I had some reservations. To me, intelligence is not knowing something. Don’t get me wrong, knowing something is pretty cool and shows curiosity, which is equally important to intelligence, but intelligence is more about the process of thoughts and how you go from A to Z by raising new questions.

If you want to know what should be included in a security standard, you need to know a little bit about security and what a standard is, and depending on the specific topic of our standard, you need some knowledge to actually have a good request for Google and get the results you want. What I’m trying to say is that there is some thoughts behind each request.

There is no need for that with ChatGPT; simply ask it to write a security standard for you, and it will do so. There is no need to have any prior knowledge (though it is preferable to have some to check if it is correct), but what I am attempting to explain is that the reasoning behind a request is reduced.

Let’s be more visual and imagine three funnels:

  • first one, representing circuit of thoughts when you have no access to browsers so basically with books
  • second one, representing circuit of thoughts when you have access to browsers
  • last one, representing circuit of thoughts when you have access to ChatGPT

What you can see in my drawing (please don’t laugh) is that new technologies make the funnel—the circuit of thoughts—smaller and smaller. I’m not saying it’s good or bad; I’m simply stating my opinion. I also don’t say it applies to everyone because some people will still have a lot of follow-up questions. But what I see is that if ChatGPT gives you a result that sounds pretty correct and you aren’t particularly interested in the topic, you will just go for the easy way and accept the result instead of pushing the thoughts further and dive deeper into the topic. In the other funnels you would have been pushed to do so, because the results wouldn’t be as accurate with a simple request.

Anyway, that was my take on ChatGPT; I really like it, but are we skipping some stage in the thought process, which is fine in its own right, but is it really okay for young kids who are still developing their ability to think and argue?

ChatGPT & Phishing Emails

On a different note, I was talking with a colleague this morning who gave me the idea for this article (thanks Marylin) and I told her that I asked ChatGPT to generate a phishing email and that it said it couldn’t because it infringed ethical considerations. Okay, great, but that did not stop me from asking the same question without the word “phishing,” and the email appeared, ready to be used. Take a look at the screenshot below.

From there two things:

  • ChatGPT did not consider my previous request and, if it did, did not connect the dots. It should have realized that I still wanted to write the phishing email.
  • There are no spelling mistakes in the email. Which begs the question, why does it matter? Easy answer: one of the many ways to detect phishing is through spelling and grammar errors. If there are many of these in an “important” email, high chance it is phishing.

When you start looking at ChatGPT and ask it to write these kinds of emails, it’s significantly better than real humans, or at least the humans who are writing them.
My main concern is how people who are attacking us might exploit the social aspect of ChatGPT. The only way we can detect them right now is that they are not a professional business. ChatGPT makes it very simple for them to impersonate a legitimate business without even having to learn any of the language skills or other skills required to write a well-crafted attack.

What this really means from a human point of view is that we need to change our expectations and approach to what we think humans will do. We cannot rely on pre-ChatGPT practice to determine whether or not an email is phishing. We will continue to be duped. Technology is so advanced that it is difficult for humans to keep up.

So, what can we do to assist users in recognizing phishing emails when the usual indicators are no longer visible?
So far, the thing I’ve discovered is a research group called Hugging Face which has created a model that detects text generated by ChatGPT with high accuracy.

Finally, if an email is from someone outside your organization but asks you to click on a link to fill out some work or university information, it is most likely phishing, so don’t click 😉

Category

Leave a Comment