Study: AI-generated phishing emails almost as effective as humans

Phishing emails written by humans trick users into clicking malicious links at a greater rate than emails written by artificial intelligence, but not by much, according to new research by IBM. In an essay for Security Intelligence, Stephanie Carruthers, chief people hacker for IBM X-Force Red, said her team recently created fake phishing emails by writing emails themselves and by using ChatGPT. The human-created emails took about 16 hours to create, but ChatGPT was able to craft convincing emails in about five minutes, she said.

The human-created and ChatGPT-created phishing emails were sent to roughly 1,600 people at a healthcare organization as part of a test. The human-created emails had a click rate of 14%, while the ChatGPT emails had an 11% click rate. Employees also reported ChatGPT emails as phishing at a higher rate than emails written by humans: 59% versus 52%, respectively.

“Humans understand emotions in ways that AI can only dream of,” Carruthers said, explaining the results. “We can weave narratives that tug at the heartstrings and sound more realistic, making recipients more likely to click on a malicious link.” She also said that humans were able to make emails more personal—for example, by including a person’s name—and write more succinct subject lines. Still, the results were close, she noted. “As technology advances, we can only expect AI to become more sophisticated and potentially even outperform humans one day.”