Welcome to our February 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.
This month, we look at a UK government warning about a resurgence in Russian cyber attacks and concerns that the much-discussed AI programme ChatGPT could be used for fraud.
UK government warns of Russian-sponsored phishing campaign
The UK government has issued a warning amid an increase in phishing attacks stemming from Russia and Iran.
In an advisory statement, the NCSC (National Cyber Security Centre) shared details about the campaign, which appears to have been sponsored by the fraudsters’ national governments.
The researchers are most concerned about spear phishing, which is a sophisticated form of fraud. Scammers target specific individuals by researching them online – often using Facebook, LinkedIn or the website of the target’s employer.
Although spear phishing emails often contain the same clues as regular phishing scams, they have a much higher success rate. This suggests that people are more likely to assume that a message is genuine if it contains a few specific details about them, such as their name or their place of work.
The NCSC’s advisory highlights ongoing scams that were conducted throughout last year by the Russia-based group SEABORGIUM and the Iran-based group TA453, also known as APT42.
Their attacks target specific sectors within the UK, including academia, defence, governmental organisations, NGOs and thinktanks, as well as politicians, journalists and activists.
Commenting on the findings, NCSC Director of Operations Paul Chichester said: “The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.
“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”
Experts concerned that ChatGPT could be used for scams
ChatGPT has taken the Internet by storm, with the AI-backed tool helping writers and hobbyists create content almost instantly.
The program’s advanced language model has been championed by people looking to quickly produce quotes, articles and think pieces. However, cyber security experts are warning that another group – scammers – could also embrace the technology.
As Chester Wisniewski, the principal research scientist at Sophos, explained, ChatGPT can instantly produce grammatically correct and natural-looking writing, which would resolve one of the biggest challenges that scammers face when creating their baits.
“The first thing I do whenever you give me something is figuring out how to break it. As soon as I saw the latest ChatGPT release, I was like, ‘OK, how can I use this for bad things?’ I’m going to play to see what bad things I can do with it,” Wisniewski told TechTarget.
One of those “bad things” that he considered was the ability for ChatGPT to create phishing scams.
“If you start looking at ChatGPT and start asking it to write these kinds of emails, it’s significantly better at writing phishing lures than real humans are, or at least the humans who are writing them,” he said.
“Most humans who are writing phishing attacks don’t have a high level of English skills, and so because of that, they’re not as successful at compromising people.
“My concerns are really how the social aspect of ChatGPT could be leveraged by people who are attacking us. The one way we’re detecting them right now is we can tell that they’re not a professional business.
“ChatGPT makes it very easy for them to impersonate a legitimate business without even having any of the language skills or other things necessary to write a well-crafted attack.”
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.
You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.
This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.