<p>Phishing emails represent one of the most pervasive cybersecurity threats, exploiting social engineering to victimise unsuspecting individuals. The emergence of generative artificial intelligence (AI) tools like GPT has fundamentally transformed both offensive and defensive approaches to phishing attacks. This study examines the capability of AI language models to generate convincing phishing emails by fine-tuning a GPT-2.0 model on a curated phishing dataset. We evaluated the model’s effectiveness through a comprehensive survey of 219 digitally literate university students who assessed a mixed collection of legitimate, human-crafted, and AI-generated phishing messages. We also performed a textual analysis on how the participants differentiated between genuine and phishing emails. Our findings demonstrated a critical security gap: approximately 12.5% of AI-generated emails bypassed detection, almost double that of human-created ones (~ 6.2%), indicating that AI substantially enhances the likelihood of malicious content evading detection. AI phishing closely resembled authentic communications, displaying superior narrative structure and grammatical accuracy, thereby increasing their credibility and making them harder to detect. Statistical analysis using paired t-tests demonstrated that participants were significantly better at detecting human-generated phishing compared to AI-generated variants, with legitimate email detection performing best overall. Textual analysis revealed that participants relied on traditional indicators such as grammatical errors, urgency cues, and generic greetings to identify phishing attempts. However, time spent online showed no correlation with detection ability, contradicting assumptions about digital experience enhancing security awareness. Our study highlights how generative AI can be exploited for offensive security, such as through automated social engineering attacks, lowering the barrier to entry for adversaries by automating the crafting of convincing messages. While it aims to educate, similar techniques could be misused. It is important to establish ethical guidelines and detection mechanisms alongside any research into offensive capabilities. Traditional phishing detectors (such as regex, keyword-based) may be insufficient against AI-generated content.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Establishing AI Threat Baselines: An Experimental Assessment of GPT-2.0 as a Phishing Attack Vector Among Digitally Literate University Students

  • Rashmika Kagathara,
  • Pradeep Kumar Suri,
  • Rajan Yadav

摘要

Phishing emails represent one of the most pervasive cybersecurity threats, exploiting social engineering to victimise unsuspecting individuals. The emergence of generative artificial intelligence (AI) tools like GPT has fundamentally transformed both offensive and defensive approaches to phishing attacks. This study examines the capability of AI language models to generate convincing phishing emails by fine-tuning a GPT-2.0 model on a curated phishing dataset. We evaluated the model’s effectiveness through a comprehensive survey of 219 digitally literate university students who assessed a mixed collection of legitimate, human-crafted, and AI-generated phishing messages. We also performed a textual analysis on how the participants differentiated between genuine and phishing emails. Our findings demonstrated a critical security gap: approximately 12.5% of AI-generated emails bypassed detection, almost double that of human-created ones (~ 6.2%), indicating that AI substantially enhances the likelihood of malicious content evading detection. AI phishing closely resembled authentic communications, displaying superior narrative structure and grammatical accuracy, thereby increasing their credibility and making them harder to detect. Statistical analysis using paired t-tests demonstrated that participants were significantly better at detecting human-generated phishing compared to AI-generated variants, with legitimate email detection performing best overall. Textual analysis revealed that participants relied on traditional indicators such as grammatical errors, urgency cues, and generic greetings to identify phishing attempts. However, time spent online showed no correlation with detection ability, contradicting assumptions about digital experience enhancing security awareness. Our study highlights how generative AI can be exploited for offensive security, such as through automated social engineering attacks, lowering the barrier to entry for adversaries by automating the crafting of convincing messages. While it aims to educate, similar techniques could be misused. It is important to establish ethical guidelines and detection mechanisms alongside any research into offensive capabilities. Traditional phishing detectors (such as regex, keyword-based) may be insufficient against AI-generated content.