Lateral Phishing With Large Language Models: A Large Organization Comparative Study (2401.09727v2)
Abstract: The emergence of LLMs has heightened the threat of phishing emails by enabling the generation of highly targeted, personalized, and automated attacks. Traditionally, many phishing emails have been characterized by typos, errors, and poor language. LLMs can eliminate these errors, potentially lowering the barrier for attackers. Despite this, there is a lack of large-scale studies comparing the effectiveness of LLM-generated lateral phishing emails to those crafted by humans, particularly in a real-world, large-scale organizational setting where LLMs may produce more convincing, error-free content. To address this gap, we conducted a pioneering study within a large university, targeting its workforce of approximately 9,000 individuals, including faculty, staff, administrators, and student workers. Our results indicate that LLM-generated lateral phishing emails are as effective as those written by communications professionals, emphasizing the critical threat posed by LLMs in phishing campaigns. We break down the results of the overall phishing experiment, comparing vulnerability between departments and job roles. Furthermore, to gather qualitative data, we administered a detailed questionnaire, revealing insights into the reasons and motivations behind vulnerable employees' actions. This study contributes to the understanding of cyber security threats in educational institutions and provides a comprehensive comparison of the effectiveness of LLM- and human-generated phishing emails. The findings highlight the need for enhanced user education and system defenses to mitigate the growing threat of AI-powered phishing attacks.