{"id":7568,"date":"2023-06-14T09:00:00","date_gmt":"2023-06-14T09:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/02\/post_id-5152\/"},"modified":"2026-05-10T19:05:55","modified_gmt":"2026-05-10T19:05:55","slug":"chatgpt-and-social-engineering-how-ai-makes-phishing-attacks-more-dangerous","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2023\/06\/14\/chatgpt-and-social-engineering-how-ai-makes-phishing-attacks-more-dangerous\/","title":{"rendered":"ChatGPT and Social Engineering: How AI Makes Phishing Attacks More Dangerous"},"content":{"rendered":"<p><strong>Generative AI dramatically lowers the barrier to entry for social engineering attacks: error-free phishing emails in any language, personalized pretexts from public data, and deepfake voices for vishing attacks. For security teams, a new chapter in threat defense begins.<\/strong><\/p>\n<h2>TL;DR<\/h2>\n<ul>\n<li><strong>Threat Landscape:<\/strong> Generative AI enables error-free, context-aware phishing emails on an industrial scale  &#8211;  the end of detectability through spelling errors.<\/li>\n<li><strong>Scalability:<\/strong> Where manual research and writing were previously required, AI generates personalized attacks in seconds.<\/li>\n<li><strong>Deepfakes:<\/strong> AI-generated voices and videos enable CEO fraud and vishing attacks at a quality level that is almost indistinguishable from real calls.<\/li>\n<li><strong>Defense:<\/strong> Technical measures alone are not enough  &#8211;  continuous security awareness training with AI-specific scenarios becomes mandatory.<\/li>\n<li><strong>Paradigm Shift:<\/strong> The premise \u201cPhishing is recognized by errors\u201d is obsolete  &#8211;  new detection methods and zero-trust processes are necessary.<\/li>\n<\/ul>\n<h2>The End of Recognizable Phishing Emails<\/h2>\n<p>For decades, the rule of thumb was: <strong>Phishing emails are recognized by spelling errors, poor grammar, and generic 
content.<\/strong> This rule is obsolete with ChatGPT and similar models.<\/p>\n<p>Generative AI produces error-free texts in any language and style. An attacker can generate a phishing text that imitates the communication style of a specific company, department, or even a person. Linguistic quality is no longer the weak point  &#8211;  it is perfect.<\/p>\n<p>Worse still: AI enables <strong>personalization on a large scale.<\/strong> Where an attacker previously had to manually search LinkedIn profiles and company websites to create a convincing pretext, AI generates personalized attacks for hundreds of targets simultaneously in seconds.<\/p>\n<h2>Deepfakes and Vishing: The Next Escalation Level<\/h2>\n<p>The threat is not limited to text. <strong>AI-generated voices<\/strong> are now so realistic that they cannot be distinguished from real voices in phone calls. A deepfake audio of the CEO asking the CFO to transfer funds is no longer a science fiction scenario  &#8211;  it is already happening.<\/p>\n<p>In February 2024, an employee of a Hong Kong company was persuaded to transfer 25 million dollars through a deepfake video call with alleged colleagues. All participants in the call were AI-generated.<\/p>\n<p>The costs for such attacks are dropping rapidly. Open-source tools like Bark, Tortoise-TTS, or VALL-E can clone a voice with just a few seconds of audio material. For video deepfakes, publicly available photos and a few minutes of computing time are sufficient. The <strong>technical barrier to entry<\/strong> has practically been reduced to zero.<\/p>\n<h2>Why Traditional Defense Fails<\/h2>\n<p>Email security tools traditionally detect phishing through three signals: technical indicators (header anomalies, suspicious URLs), linguistic patterns (known phishing phrases, grammatical errors), and sender reputation.<\/p>\n<p>AI-generated phishing bypasses two of the three signals. The language is flawless, the phrases are original and context-aware. 
Only the technical indicators remain as a detection feature  &#8211;  and attackers are increasingly professional at concealing these as well.<\/p>\n<p>This means: <strong>The detection rate of classic phishing filters is decreasing<\/strong>, while the volume and quality of attacks are increasing. This is a double blow that fundamentally calls the previous defense strategy into question.<\/p>\n<h2>Countermeasures for the AI Era<\/h2>\n<p><strong>1. Security Awareness 2.0:<\/strong> Training must include AI-specific scenarios  &#8211;  perfect language, personalized content, deepfake calls. Employees must learn not to trust linguistic quality but to rely on processes: transfers only after a callback to a known number, sensitive actions only through verified channels.<\/p>\n<p><strong>2. Process-Based Controls:<\/strong> No money transfer, no system access, no disclosure of sensitive information on the basis of a single communication  &#8211;  no matter how convincing. The four-eyes principle and out-of-band verification are the most effective countermeasures against social engineering.<\/p>\n<p><strong>3. AI-Based Detection:<\/strong> Paradoxically, AI is also the best defense. AI-based email security tools analyze communication patterns, writing styles, and behavioral anomalies  &#8211;  and detect phishing that rule-based systems miss.<\/p>\n<p><strong>4. Technical Hardening:<\/strong> DMARC, DKIM, and SPF for email authentication. 
FIDO2\/Passkeys instead of passwords  &#8211;  phishing-resistant authentication eliminates the most common attack vector completely.<\/p>\n<h2>Key Facts at a Glance<\/h2>\n<p><strong>Phishing Success Rate with AI:<\/strong> +135% higher click rate for AI-personalized phishing emails (IBM X-Force)<\/p>\n<p><strong>Deepfake Damage:<\/strong> 25 million dollar loss from a single deepfake video call (Hong Kong, 2024)<\/p>\n<p><strong>Cost of Voice Cloning:<\/strong> Less than 5 dollars with open-source tools and a few seconds of audio material<\/p>\n<p><strong>Phishing as an Attack Vector:<\/strong> 91% of all cyberattacks begin with phishing (Verizon DBIR)<\/p>\n<p><strong>Source:<\/strong> IBM X-Force, Verizon DBIR, ARUP\/Hong Kong Police, 2023\/24<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>Can ChatGPT itself be misused for phishing?<\/h3>\n<p>OpenAI has built-in security mechanisms that block direct phishing generation. However, these restrictions can be partially circumvented through clever prompting. Additionally, uncensored open-source models exist that have no restrictions. Availability is not the bottleneck  &#8211;  the attacker&#8217;s intention is.<\/p>\n<h3>How do I recognize AI-generated phishing emails?<\/h3>\n<p>Linguistic perfection is no longer a warning sign. Instead, pay attention to: unusual sender addresses (technical check), atypical urgency, deviations from the normal communication pattern, and requests for sensitive actions via unusual channels. When in doubt: verify through another channel.<\/p>\n<h3>Are deepfake calls really a threat?<\/h3>\n<p>Yes, and they are increasing rapidly. The quality of voice clones is so high that even close employees can be deceived. Companies should introduce out-of-band verification for sensitive actions  &#8211;  a callback to a known number instead of reacting to an incoming call.<\/p>\n<h3>Does phishing-resistant authentication help against AI phishing?<\/h3>\n<p>Yes, fundamentally. 
FIDO2 keys and passkeys cannot be compromised through phishing, no matter how convincing the email or call is. Implementing phishing-resistant MFA is the most effective single measure against all forms of phishing.<\/p>\n<h3>How often should security awareness training take place?<\/h3>\n<p>Continuously, not annually. Monthly short units with current scenarios are more effective than an annual mandatory training. Simulated phishing campaigns with AI-generated emails test vigilance in everyday life. Important: no punishment, but a learning culture.<\/p>\n<h2>Further Reading in the Network<\/h2>\n<p>AI and Cybersecurity Trends: <a href=\"https:\/\/www.securitytoday.de\/en\/\" target=\"_blank\" rel=\"noopener\">www.securitytoday.de<\/a><\/p>\n<p>AI in Corporate Use: <a href=\"https:\/\/www.mybusinessfuture.com\" target=\"_blank\" rel=\"noopener\">www.mybusinessfuture.com<\/a><\/p>\n<p>Digital Leadership and Security: <a href=\"https:\/\/www.digital-chiefs.de\" target=\"_blank\" rel=\"noopener\">www.digital-chiefs.de<\/a><\/p>\n<p style=\"text-align: right;\"><em>Header Image Source: Pexels \/ Sora Shimazaki<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Generative AI dramatically lowers the barrier to entry for social engineering attacks: error-free phishing emails in any language, personalized pretexts from public data, and deepfake voices for vishing attacks. For security teams, a new chapter in threat defense begins. TL;DR Threat Landscape: Generative AI enables error-free, context-aware phishing emails on an industrial scale &#8211; the [&hellip;]","protected":false},"author":8,"featured_media":5151,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"chatgpt","_yoast_wpseo_title":"ChatGPT and Social Engineering: How AI Makes Phishing Attacks More Dangerous","_yoast_wpseo_metadesc":"ChatGPT and social engineering: AI enables flawless, personalized phishing in any language. 
Discover how to defend against AI-powered attacks now.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":["post_id-5152"],"footnotes":""},"categories":[251],"tags":[248,236],"class_list":["post-7568","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-ki","tag-phishing"],"evm_reading_time_minutes":6,"wpml_language":"en","wpml_translation_of":null,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7568","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=7568"}],"version-history":[{"count":3,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7568\/revisions"}],"predecessor-version":[{"id":10143,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7568\/revisions\/10143"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/5151"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=7568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=7568"},{"taxonomy":"post_tag","embed
dable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=7568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}