- A Harvard study found that AI phishing scams are as effective as human ones.
- AI large language models can automate phishing, cutting costs by 95%.
- AI, however, can also help detect phishing.
Online scams might soon just be a battle between AIs, one launching the attacks and another defending against them.
Online scams are only becoming more prevalent, and with new AI technology, Harvard researchers say they could become much more difficult to avoid.
Researchers at Harvard Business School published a study that found 60% of participants were duped by AI-automated phishing emails, which was comparable to the success rates of phishing messages created by humans, they wrote in the Harvard Business Review.
Phishing scams trick users into sharing personal information. A scammer will usually send an email or some other message pretending to be a company or individual asking for credit card information, passwords, or other sensitive information.
While phishing scams are nearly as old as the internet, AI models are enhancing "their severity," researchers said. In the study, researchers found that large language models can automate the "entire phishing process" — from crafting the emails to identifying targets and collecting information — which can reduce the cost of carrying them out by 95%.
"Because of this, we expect phishing to increase drastically in quality and quantity over the coming years," the authors wrote.
While the AI models could make phishing scams worse, the researchers suggest they could also be used to help detect and fight them.
Some AI models are better at it than others. Claude correctly identified phishing attempts even in "non-obvious phishing emails, sometimes outperforming human detection rates," the researchers wrote.
Several AI models tested in the study also provided "excellent recommendations" for responding to phishing emails once they correctly identified them.
"For example, during our experiment, LLMs encouraged users who received an attractive discount offer email to verify the offer with the company's official website, which is a great strategy to avoid phishing attacks," the researchers wrote in the Harvard Business Review.
The Federal Trade Commission says the best way to avoid phishing scams is to never click on a link from someone you don't know in an email or text message. The agency says to check if you have an account with the company or know the person and, if you don't, report the message to its Anti-Phishing Working Group.