Email attack simulation study results

Gone are the days when phishing was a numbers game with modest returns. Traditional phishing campaigns saw a 12% success rate, requiring significant manual effort for each attempt. But artificial intelligence (GenAI, and sometimes other ML/DL tricks) has rewritten these rules entirely. In a controlled study of 101 participants, AI-generated phishing emails matched human experts with a 54% success rate. Even more remarkably, when humans and AI collaborated, the success rate nudged up to 56%. This wasn't just better emails – the AI system demonstrated an uncanny ability to gather accurate target information from the web (OSINT), with an 88% success rate in building accurate profiles from public data. Perhaps the most striking finding is the dramatic reduction in effort required. Traditional targeted attacks required: ➖ 23.5 minutes of research per target ➖ 10.2 minutes crafting each email ➖ Total time: 34 minutes per attempt The AI system collapsed this to just one minute total. Even with human oversight, the process took only 2.7 minutes – a 92% reduction in time invested. This efficiency creates a troubling economic reality. With a typical conversion rate of 2.35% (the percentage of clicked links that lead to successful exploitation), AI automation reduces costs by up to 50 times. The mathematics become profitable at surprisingly low numbers – just 2,859 targets for high-success scenarios. Even with minimal conversion rates of 0.6%, the economics work at scale. The same Gen AI technologies have potential for defence: ➖ Claude 3.5 Sonnet achieved a 97.25% detection rate ➖ Zero false positives in legitimate email detection ➖ Successfully caught sophisticated attacks that fooled human reviewers We're entering an era where AI will dominate both attack and defence, be cheap and plentiful for attackers while defenders with AI skillsets will become gold. Machine speed cybersecurity through cognitive, network and identity layers will become standard. Welcome to the brave new world.

Abstract "This paper empirically evaluates the efficacy of two ubiquitous forms of enterprise security training: annual cybersecurity awareness training and embedded anti-phishing training exercises. Specifically, our work analyzes the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. Our results suggest that these efforts offer limited value..." Key Findings -Annual Awareness Training: --No significant correlation between recently completed annual training and reduced phishing simulation failures. --Phishing failure rates were consistent regardless of the time elapsed since the last training. -Embedded Phishing Training: --While training reduced failure rates slightly, the improvement was modest (average reduction of 1.7% in failure rates). --High variability in phishing lure efficacy (1.8% to 30.8% failure rates), often overshadowing the benefits of training. --Users often spent minimal time on training material; more than half spent less than 10 seconds. -Training Engagement: --Only 24% of users completed the training after failing simulations. --Interactive training reduced future phishing failure rates by 19%, but static training showed negligible benefits and sometimes increased failure rates for frequent participants. -Behavioral Insights: --Most users will eventually fall for a phishing attack despite initial success in simulations. --Current training primarily targets those who fail simulations, leaving many users untrained and susceptible. https://lnkd.in/eczWVrHr

Are AI-generated phishing emails outperforming human experts? Phishing attacks are evolving, and the latest research highlights a critical shift: AI-generated phishing emails now rival, and even surpass, human-crafted ones in effectiveness. Here's what you need to know: 1️⃣ AI’s Deceptive Power In a study with 101 participants, AI-generated phishing emails achieved a stunning 54% click-through rate, matching human experts and outperforming traditional phishing emails by 350%. When AI was paired with human oversight, the click-through rate rose slightly to 56%. These results underscore how AI can craft highly convincing, personalized attacks at scale. 2️⃣ Hyper-Personalization at Scale The study used an AI tool capable of gathering detailed personal profiles through Open Source Intelligence (OSINT), achieving 88% accuracy. This hyper-personalization allowed attackers to target individuals with tailored messages, significantly increasing the likelihood of success. 3️⃣ Economic Efficiency AI automation slashes the cost of phishing campaigns while boosting profitability by up to 50 times for large-scale attacks. This economic advantage makes AI-powered phishing a lucrative tool for cybercriminals, amplifying the threat landscape. 4️⃣ Defensive Opportunities On the flip side, AI models like Claude 3.5 Sonnet excelled in detecting phishing attempts, achieving a remarkable 97.25% detection rate with zero false positives when primed for suspicion. This suggests that while AI is a potent offensive tool, it also offers robust defensive capabilities. 💡 My Take: This research underscores the urgent need for organizations to rethink their cybersecurity strategies. Traditional training programs and detection systems may not suffice against AI-enhanced threats. Instead, we need robust, AI-assisted detection tools. 👇 What’s your perspective on combating AI-enhanced phishing? Are we prepared for this next wave of cyber threats? ♻️ Repost to help someone. 🔔 Follow Amine El Gzouli for more.